
What Insurance Should Your Vendors Have?

Apr 24, 2019 by Gordon Rudd, CISSP

For all practical purposes, it’s impossible to discuss the insurance requirements for your third party vendors without discussing the overall risk posture and insurance protection your organization has in place. This post is intended as a look specifically at mitigating the inherent risk of certain business activities that are performed by your vendors; therefore, let’s look at the insurance requirements your vendors should be meeting. 

We’ll discuss basic coverages any organization should have in place, give you some insight into the management of your third party insurance coverage and help you evaluate your needs. We’ll also cover insurance monitoring, reviewing relevant insurance coverage, coordinating and managing annual insurance application renewals and their timely submission as well as tracking and reporting claims.

Understanding Third Party Risk Vendor Insurance

Risk mitigation is defined as taking steps to reduce the adverse effects of any identified risk. There are four types of risk mitigation strategies:

  1. Risk Acceptance: It doesn’t reduce the effects of the risk when it occurs, but it is still a deliberate strategy. It is commonly chosen when the cost of mitigating the risk, through avoidance or limitation, is greater than the cost of the risk itself. You don’t want to spend money avoiding risks that have a low probability of occurring.

  2. Risk Avoidance: The opposite of risk acceptance. It’s an action that removes exposure to the risk altogether.

  3. Risk Limitation: The most common risk management strategy in use today. This strategy limits your company’s exposure by taking some action(s). It combines a little risk acceptance with a little risk avoidance to limit your overall exposure to the risk.

  4. Risk Transference: This is literally handing risk off to a third party, such as an insurance company. If you identify a risk that isn’t a core competency of your company, transfer it to a willing third party.

So basically, by investing in insurance you’re transferring some of your risk to the insurance company. Remember, however, to always keep your senior management team informed when it comes to insurance and to using insurance to mitigate various risks for your organization.

The adage, “Your mileage may vary”, made famous by the automobile industry, is very apropos here. There’s no one answer for every company everywhere. Coverage requirements vary from state-to-state.

All the vendors you do business with must have two standard insurance coverages in the U.S. The two standard insurance forms that are always required and should be in your initial due diligence checklist include:

  1. Worker’s Compensation: Provides wages and medical benefits to employees who are injured in the course of employment. In exchange, the employee gives up the right to sue their employer for negligence. Every state has a minimum coverage limit, and the vendor will be required to meet the specific coverage for the state in which they have employees conducting business.

  2. Liability Insurance: Also called third party insurance, it’s a fundamental part of your risk management system. It protects your organization from the risks of liabilities from lawsuits and protects the insured in the event they’re sued for claims that fall within the coverage parameters of the insurance policy. Damage caused intentionally and contractual liability aren’t covered under liability insurance policies. The policy does provide coverage for legal fees, which can be quite expensive; this is particularly useful in “nuisance” lawsuits.

Beyond those two forms of insurance coverage, it depends on your industry, your organization and on the specific function or activity the vendor will be performing for your organization. So, your requirements for insurance coverage “may vary”.

Summary of Insurance Requirements for Third Party Vendors

I’ve decided to cover insurance requirements based on a few different scenarios. Here you’ll find different coverage requirements specific to vendor types in the finance industry, subcontractor coverage and processing vendors/services insurance requirements.

  1. If you’re in the finance industry today, you have vendors performing a myriad of services and providing a plethora of products. How do you know what coverage is right for any one vendor?

The following will give you an idea of what to cover. Shopping for coverage with your insurance broker will help you find the right price for the coverage you need.

Coverage Type: Types of Vendors Who Should Have This Coverage

Directors & Officers Liability (D&O Side A-Insured Persons Liability and D&O Side B Company Indemnification Coverage)
  • Software core systems vendors
  • Any publicly traded company
  • Armored car services
  • Banker’s Banks
  • Lockbox providers

Employment Practices Liability
  • Software core vendors
  • Any publicly traded company

Financial Institution Bond
  • Any mortgage service provider
  • All large software development companies
  • Banker’s Banks
  • Correspondent banks
  • Hosting companies

Fiduciary Liability
  • Software core systems vendors
  • Any publicly traded company
  • Armored car services
  • Banker’s Banks
  • Lockbox providers
  • BSA/AML software providers

Cyber Liability
  • Software core vendors
  • Any company that accesses your network
  • Any company that touches your company or customer data
  • Banker’s Banks
  • Usually a rider to a general liability policy

Commercial Property
  • Companies you lease commercial space from

General Liability
  • Every company you do business with
  • All companies who have workers on your property

Worker’s Compensation
  • Any company that has workers on your property
  • Any company you do business with

Umbrella
  • Any company that poses a material risk to your organization’s safety and soundness
  • Any company whose failure might cause your organization to fail

Fidelity Bond
  • Large software developers


  2. Every contract should include the insurance requirements for the vendor, also known as your subcontractor, for the work that vendor is undertaking on your organization’s behalf. You’ll want a hold harmless clause which requires that any subcontractor must defend, indemnify and provide additional insured coverage under a general liability policy for all work performed by or on behalf of your organization.

    In addition, every third and fourth party must provide a Certificate of Insurance providing evidence of the following:

  • General Liability: Occurrence form with limits for each occurrence, damages to rented premises, medical expense, personal and advertising injury, general aggregate and products/completed operations
  • Automobile Liability: Includes combined single limit
  • Umbrella Liability: Includes each occurrence and aggregate
  • Worker’s Compensation: Includes statutory limits
  • Other Requirements: Your organization must be named as “Additionally Insured”

  3. If the vendor is providing Processing Services to your organization, at a minimum, you should ensure the appropriate levels of insurance, for the type of work being performed, are in the contract with the vendor. Also, make sure they have a Certificate of Insurance, naming the vendor as “Certificate Holder”, from a licensed carrier with a minimum AM Best Carrier rating of A-XV (i.e., a strong financial strength rating), and that they provide evidence of the following:

  • General Liability: With appropriate limits for each occurrence/personal and advertising injury
  • General Aggregate: Products and services completed operations aggregate coverage
  • Automobile: Applicable if providing transportation services
  • Trucking: Mandatory coverage that varies from state-to-state
  • Workers Compensation: Statutory, except for the state of New York as it is unlimited
  • Umbrella Policy covering management:
    • Professional Errors and Omissions
    • Crime/Employee Fidelity including third party or client coverage
    • Cybersecurity/Cyber Liability

Understand the Riders

A rider adds to or amends the insurance terms. Cyber insurance is a good example to discuss here. Most of the cyber insurance policies I’ve seen are a rider on a general liability policy, as almost every insurance agency offers a general liability policy to which riders, such as cyber insurance, can be added. A cyber insurance rider provides additional coverage for cyber losses.

Be sure to read the rider very carefully to make sure you understand the terms and conditions surrounding coverage for a cyber incident, or for whatever coverage the rider pertains to.

Insurance Monitoring

Here are 3 tips to assist with insurance monitoring:

  1. Proof of insurance coverage should always come directly to you from the insurer, never from the vendor. Every insurance company has processes and procedures in place to send you the documentation you’ll need.
  2. Insurance policies should be reviewed annually and renewed at term with the assistance of your insurance brokers, and their coverage limits adjusted accordingly, with approval of your senior management team.
  3. If you’re in the finance industry, you’ll need to establish an insurance program and appoint someone to manage your company’s insurance program, such as a risk management officer. This person should also be heavily involved in analyzing the coverage your vendors have in place.

Insurance Can’t Be Forgotten

Insurance is a detail you can’t afford to overlook. At the same time, insurance is an extremely complex business area. Make sure you take the time to understand your organization’s insurance coverage needs before you start shopping for an insurance provider.

Consider your vendor's insurance prior to signing the contract.


Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
