In this blog post we explore the concept of liability in cyber-attacks, highlighting the significance of robust protective measures in safeguarding IT infrastructures from malware and other online threats. This piece is an essential read for anyone looking to enhance their knowledge of cybersecurity practices and understand the responsibilities associated with cyber threats.
Millions of businesses worldwide depend on IT professionals such as Managed IT service providers, IT consultants, software developers, mobile app developers, cyber security professionals and many more to keep their businesses running. Unfortunately things don't always go right, and this is getting worse with the growing cases of cyber attacks. From email attacks to dark web attacks and more, the cyber criminals are not relenting. You might do your best as a professional but when disaster strikes, clients may demand that you take liability for losses. Should you?
Let’s say you are a Managed IT service professional, what happens when the network you manage for a client is taken down by a network cyber attack? Should you take liability when the system you installed for one of your clients is attacked? What if the attack is as a result of negligence by the client’s employees? These are some of the questions that are coming up, and they are all sensible.
Be that as it may, IT professionals need to understand the liability issue and avoid costly surprises.
Why should IT professionals be concerned about liability?
Ever wondered why many IT professionals act surprised and switch to denial mode when clients slap them with claims? It all comes down to assumptions. Most IT professionals rarely take time to think about what could happen if their service or product is found to have caused damages. This was a quiet area for some time, until more and more businesses started suing their IT providers for costly negligence. This trend is now widespread and IT professionals must act, because the frequency and sophistication of cyber attacks are not coming down. In fact the potential for damage from a successful attack is greater than ever before. It’s now common to see clients demanding that their IT providers be held liable for any losses incurred as a result of a cyber attack on systems that a professional provides, manages or advises on. However, this is not necessarily a fair demand in the eyes of the professional. The professionals’ argument is that they are already working hard to stay ahead of emerging threats, and they cannot be held responsible for every attack that occurs.
The clients also have a valid point though. When they entrust you to manage their systems, recommend systems, or design their long term strategies, their expectation is that you know what you are doing. Additionally, some clients are ordinarily not that enthusiastic about IT. All they ask for is that you do your job and facilitate them to run their business in peace. They may understand very little about technology, not because they lack the ability to understand but because their interests and commitments are channeled elsewhere — their business. Such clients are genuinely helpless when cyber attacks strike their systems. And just as they look up to you to guide them when things are good, they'll also look up to you to save them when things go down — including paying for losses. Yet the cause of some attacks could have nothing to do with you. The way you approach this risk will have a huge bearing on your business and now more than ever, there is every reason to be concerned — and be prepared.
How can IT professionals stay safe from unfair liabilities?
Let’s start by giving a proper answer to the main question of this discussion: Should IT professionals be liable for cyber attacks? Well the quick answer is: YES for some attacks, and NO for some attacks. You’ll most definitely be liable for attacks that are as a result of your negligence. But you should not be liable for attacks that have nothing to do with your role. Unfortunately this statement alone will not get you out of trouble. We need to secure it, and there are two ways to go about this:
- Strong agreements
- Professional liability insurance.
1. Strong agreements
The contracts you execute for service provision will one day play a critical role when your client is attacked and the issue of liability comes up. You’ll engage in a "tug of war" with the client if you don't include specific terms that address cyber attack liabilities. Your contracts should be elaborate, simple and clear. We know that most IT professionals have not been capturing cyber liabilities in their contracts, and this is understandable because cyber liability is a new problem. But now you must adjust quickly and start including cyber liability clauses for every new client you onboard. It might not be possible to revise past contracts unless the clients agree, but focus on the future and don't make the mistake of leaving out the cyber liability responsibilities.
Here are some of the most pressing items that you ought to start including in those contracts:
IT professionals should not be responsible for the failures of third-party products. This means that you should not accept liability for any hardware or software failures of third-party technologies that you handle. Good examples are servers and cyber security software. If you are contracted to manage the servers of an organization, and a server malfunctions one day, you should not take liability for this failure. If you are contracted to offer cyber security services but the client decides to use some security software which you have not advised, you need not take liability in case of failure. How do you capture this in the contract? Include a disclaimer that will protect you in cases where customers demand that you take liability for failures originating from third-party technologies. The reasoning here is that some third-party technology failures can, and often will, also affect the systems that fall under your docket, and the client will not hesitate to come for you.
Failures related to backups
Backup is mostly the responsibility of the client, unless your agreement specifies otherwise. Of course some IT professionals are contracted to manage backups, and that is fine. But if your work does not involve managing backups, the business or client is naturally responsible for restoring their backups and getting operations back to running mode. This responsibility should not be transferred to IT professionals. Make it clear in the contract that the client will be responsible for maintaining current backups in a safe place that is easily and quickly accessible in the event of an attack. Go further and state that should this backup fail to work and delay the resumption of systems that you handle, the resulting financial or other losses should be the responsibility of the client.
Cyber liability insurance
Cyber liability insurance will protect your client's data in the event of a cyber attack. It'll take care of losses arising from compromised data, especially where the cause is not an error or omission by the IT professional. Advise clients to check with their current insurance provider and ask if they offer cyber liability insurance. This way they'll just add the appropriate cover(s) to their existing policies instead of having to contract another insurance provider altogether. The point here is that you must make it clear in the contract that the client should take up this policy and that they ought not to hold you liable should they fail to buy appropriate cyber liability insurance.
Don't get this wrong. We are in no way suggesting that you should be encouraging your clients to pay a ransom to every criminal that shows up. But let's face it: some ransomware attacks can be so serious that clients have no recourse other than to negotiate and pay the ransom. This is normally the case when the attack spreads to the backups, meaning the client will not be able to recover at all. If you don't get this right in the contract, clients are going to send ransom demands your way. Your responsibility should only go as far as helping with remediation, but even this should be made clear. Spell out guidelines and fees for remediation tasks that do not fall within your regular services under the contract. Check out this article on how to remedy ransomware attacks.
2. Professional liability insurance
In addition to a strong contract, please consider buying professional liability insurance if you don't have it already. As the name suggests, this insurance protects professionals against claims brought by their customers. In the case of IT professionals, it'll cover claims that concern alleged faults in executing your duties as expressed in the agreement. If a client suffers losses as a result of a malfunction in a system you recommended or implemented, your professional liability insurance will take care of the losses.
Professional liability insurance will also do one more important thing, which is to cater for the services of attorneys and forensic experts. The forensic experts will narrow down the causes, then separate and apportion them between the client and the provider. The legal experts will then take over and compare these causes against the provisions of the contract. They will advise on which incidents you should be liable for and which you should not. Some professional liability insurance policies can also cover the costs of crisis management in cases where your failures put the customer's reputation at stake.
The cost of professional liability insurance for IT practitioners starts at around $60 per month. This is not bad, but it can vary based on the kind of services you offer as well as the organizational size of your clients.
Here are some of the leading professional liability insurance covers that focus on IT professionals:
- Technology professional liability insurance by Brunswick Companies: Covers legal defense costs including court fees and judgements. The total amount is determined by the limits specified in the coverage terms.
- Technology professional liability insurance by Hartford: Covers lawsuits, legal fees, court charges, lawyers' fees, applicable administrative costs, settlements and judgements.
- Tech Insure by Liberty Mutual: Covers claims of errors and omissions brought against IT professionals. You have a wide range of covers to choose from, such as Ransomware and network extortion threat, business interruption, and network asset losses, among others.
The difference between professional liability insurance and cyber liability insurance is that professional liability insurance is designed specifically for technology professionals and businesses. Cybersecurity insurance, on the other hand, is generally aimed at customers of IT services. But often, cyber security insurance is also used as the umbrella term for any type of insurance that relates to cybersecurity. This means that IT professional liability insurance can also be treated as a type of cyber liability insurance.
Depending on the root cause, some cyber attacks are definitely not and should never be the responsibility of the IT professional. Let’s relate professional IT services to a home. Would the architect, designer or landscaper be held liable for household items stolen by thieves who gained entry into the home by breaking through the wall? Of course not. So it's not fair for IT professionals to be liable for all cyber attacks. Obviously there are those for which you’ll have to take liability. If you deploy software with a vulnerability that hackers can exploit to attack the client, you’ll be liable. If you advise a client to migrate to a new cloud service that is not secure and exposes them to attacks, you’ll be liable.
The bigger task lies in isolating the causes and being able to define the boundaries. You have the best opportunity to do this at the contractual level, because the contract is what will be used when you are called upon to take liability. Otherwise, most customers will be more than happy to come claiming compensation for each and every loss.
But even as you do all that you can to protect yourself, make it a professional engagement with the clients. Let it not degenerate into a fierce tussle that will produce a winner and a loser. An unnecessarily aggressive approach can cost you opportunities. So, make it friendly but firm and professional. Take care.