IT Contracts and Cyber Risks: Negotiating the liability cap is good, but verifying the provider’s insurance is even better.

The recent massive data breaches at major French online retailers highlight the importance of thoroughly negotiating cyber risk provisions in IT contracts.

In these contracts, the liability cap clause designed to cover such serious risks is often a key point of negotiation. The client aims to cover, as thoroughly as possible, potential risks that can be significant. For example, if the payment system of a retail chain is down for several days, the company’s very survival could be at stake. And if the data has been hacked, CNIL sanctions could be severe, with an even greater potential for reputational damage.

The provider, on the other hand, seeks to limit their liability to the cost of the services charged. This is where cyber insurance comes into play, theoretically covering the risk in the event of an incident. However, over the past two years, the increase in incidents, particularly ransomware attacks, has led insurers to significantly raise premiums and lower coverage limits. Providers are therefore caught between two pressures: clients negotiating higher liability caps and insurers lowering insured limits.

As a result, a provider may end up agreeing to a liability cap that is not fully covered by their insurance. For the client, this cap becomes somewhat theoretical if it is not backed by insurance or the provider’s own financial capacity.

Our advice: When negotiating your IT contract, it is crucial to ensure there is consistency between the liability cap, the insured amount, and the overall financial capacity of your provider.

We can assist you in this process.