Executive and Professional Third-Party Risk Management: Crime, Cyber and Professional Liability Strategies

MARCH 5, 2024

Organizations often rely on outside vendors, also known as third-party providers (TPPs), to enhance and expand capabilities, improve efficiency, and drive innovation. However, the benefits of TPPs come with inherent risks.

Without defined and active third-party risk management (TPRM) — including a TPP risk review for crime, cyber and professional liability — an organization’s ROI, cash flow, reputation and viability may be negatively impacted by TPPs.

What Is TPRM for Executive and Professional Risks?

TPRM has traditionally focused on property and general liability (GL) coverage of TPPs. TPRM for executive and professional risks is a critical priority for 2024 and beyond. Simply put, it’s the ability for an organization to manage risk from crime, cyber, and errors and omissions (E&O) events caused by TPPs and even the contractors of TPPs (see below on “nth” contractor risk).

Impact on ROI and Cash Flow From Executive and Professional Risks

A single TPP failure may result in increased costs and strained liquidity for an organization of any size. In addition to “traditional” TPP risk (property and GL), crime, cyber and E&O TPRM failures may have a significant negative impact on organizations, as illustrated by the following.

  • Supply chain disruptions: A TPP may be caught in the sanction or cyber crossfire of an emergent war or conflict that disrupts an insured’s supply chain. Or a TPP may fail to comply with industry regulations or legal requirements, even after it promises to comply during negotiations. This can result in regulatory delays, fines and penalties for the TPP and potentially for the insured that utilizes its services.
  • Cyber events: A TPP with access to your protected health information (PHI) and personally identifiable information (PII) may experience a data breach, ransomware event or some other cyber event. If your customer or client data is impacted, this can result in significant financial losses due to the costs of investigating the event. For example, in February, a third-party provider of financial software suffered a data breach that released the PII of 57,028 deferred compensation customers serviced by a large bank. What are you requiring of TPPs for cyber limits and terms and conditions to address a cyber event?
  • Contractual disputes: While disputes may arise over contractual obligations even in the clearest contracts, “nth party” liability consideration is critical when it comes to professional liability (E&O) claims. Nth party disputes are disagreements or conflicts that arise between multiple parties, such as when a direct TPP uses a subcontractor that was not involved in the original TPP contract. TPRM efforts (especially crime, cyber and E&O contract negotiations) should specifically detail indemnification, insurance evidencing and subcontractor usage by TPPs. A recent dispute involved a construction firm demanding $100 million from its engineering partner over a botched $2 billion-plus project.
  • Financial instability of TPP: A critical third-party supplier or partner may experience financial instability or bankruptcy. For example, Walmart and other large retailers suffered a disruption when a major supplier filed Chapter 11 bankruptcy. This can disrupt the company's operations, lead to supply chain interruptions, and result in financial losses associated with finding alternative vendors or partners. Professional liability (E&O) evidencing is critical so insureds do not depend on a TPP balance sheet — or lack thereof.

Proactive TPRM is crucial for identifying, assessing and mitigating TPP risks to safeguard a company's financial stability and reputation. Specifically, complex and “claims made” TPP risks in the areas of executive and professional liability often require TPRM specialists working with insureds (or their counsel) to quantify potential TPP exposure and match insurance limits and terms evidencing to the client’s TPRM strategy.

The Importance of Insurance Evidencing for Executive and Professional Risks

Insurance evidencing is a critical component of TPRM. It involves validating (“evidencing”) that a TPP carries certain minimum insurance policy coverages, language grants, and limits.

Insureds should seek crime (with client cover), cyber and professional liability on all TPP contracts and service level agreements (SLAs). While the exposure created by the contract should dictate insurance requirements, insureds should also seek to align insurance evidencing by TPP service, size and sophistication. This involves tailoring TPP insurance evidence requirements to address contractual obligations. For example, a small TPP not handling any PII or PHI and with no access to client monies may benefit from different (minimal) baseline insurance evidence requirements.

Tailored insurance evidencing requirements allow companies to optimize their TPRM strategies. This ensures insurance requirements reflect contractual obligations and are proportionate to the level of risk associated with each vendor. This has led to speedier contract finalization and enhanced protections for high-risk cyber and E&O TPP exposure.

For assistance managing your organization’s TPP exposures, contact your USI representative or email pcinquiries@usi.com.