In a survey of 321 senior professionals, ethics and compliance risk management firm NAVEX Global found that one in three companies doesn’t evaluate third-party vendors before hiring them, which opens the door to major errors and omissions risks.
Why is it so bad if you don’t evaluate a vendor? If a vendor you hired messes something up, an E&O lawsuit could fall on you. To protect your company, your third-party vendor risk management strategy needs to do three things…
- Avoid the mistake that one-third of companies make – evaluate your contractors, subcontractors, and vendors before you hire them.
- Check that vendors have Errors and Omissions Insurance and General Liability Insurance – and make sure you also have adequate small business insurance to cover your risk.
- Create a system for tracking vendor compliance.
Of course, it can be difficult for small businesses to establish a system for verifying information from third parties – and not only because smaller businesses tend to have fewer resources at their disposal.
Randy Stephens, Vice President, Advisory Services at NAVEX Global and author of the report we cited earlier, noted that small businesses may have “a lack of understanding of the risk [posed by third parties], the lack of a third-party program… and some companies may not have an understanding of who their third parties are.”
That may sound jarring at first, but keep in mind that if you’re a sole proprietor and you pay a guy to optimize your website for search engines, that SEO guy is a third party. Below, we’ll look at these in more detail and explain why you could be liable for mistakes made by third parties you work with.
What Is a Third-Party Vendor?
To understand third-party vendor liability, let’s define what we mean by “third-party vendor:”
- A third-party vendor is any non-employee who works for you or provides a service to your company.
- Third-party vendors include contractors and subcontractors as well as tech companies that provide services for your business (or for a specific project).
- It also includes non-tech companies that support your business, including your accounting firm or HR solution provider.
Why are these third parties such a big deal? From a risk management perspective, a vendor exposes your company to more risk. Think about it: the more moving parts a machine has, the more opportunities there are for one part to fail and prevent things from working properly.
A data breach could happen at your accountant’s network. A subcontractor could flake out the day before a major deadline. Your web host might shut down after a DDoS attack.
Errors & Omissions Risk Exposure for IT Companies That Hire Vendors
Before we get to Errors and Omissions coverage, let’s talk a little bit more about why vendor risk is so big.
First of all, these risks are common. Our data shows that 24 percent of small tech companies hire contractors and subcontractors. Most of the time nothing goes wrong, but a vendor mistake could lead to legal costs for your business.
In “How to Verify that Third Parties Have Enough E&O Insurance to Prevent Your Financial Loss,” we discussed the recent data breach that happened at TaxSlayer.com (a tax-prep website). It’s notable for a few reasons:
- Nearly 9,000 records were compromised.
- TaxSlayer could pay over $1 million in financial protection services to the users whose data was compromised.
- The breach was caused by a third party it was working with.
Yep, TaxSlayer may be on the hook for a seven-figure cyber liability bill, and it didn’t even cause the breach itself. The company told SCMagazine it believes nearly 9,000 accounts were compromised when login information and passwords were taken from a third-party vendor.
And that’s why you need to make sure your vendors have adequate risk protection. Here’s what to check.
Doing Your Homework on Third-Party Vendors and E&O Insurance Risks
To do your due diligence for your third-party vendors, Navex’s Stephens recommends the following: “First, develop a Third Party Due Diligence Policy. Next, use this Policy to create a risk-based system for third parties. Conduct a basic, automated search for low-risk third parties (see NAVEX’s Risk Rate product for tiered due diligence). Conduct more detailed due diligence on higher-risk third parties. Do something. Doing nothing is not defensible.”
"Do something. Doing nothing is not defensible." – Randy Stephens
He also recommends pp. 60–62 of the SEC/DOJ’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act” [PDF].
Some companies outsource this due diligence or use software to track their vendor contracts, compliance, and risk management. Your company will have to find a risk management strategy that makes sense for your size and budget.
Technology Errors and Omissions Insurance and Third Party Risk
The upside to all this talk about risk and liability is that technology Errors and Omissions Insurance can cover third-party risk. If a vendor makes a mistake and a client sues you, your IT insurance may cover the lawsuit.
Here’s an example. You hire a web host. The web host has a 24-hour outage at a crucial time for your client. The outage causes your client to lose $50,000 in revenue. Your client sues you for these damages. Your Errors and Omissions Insurance can cover your legal bills, lawyers’ fees, and the financial damages a judge rules you owe the client.
As we said above, you’ll want to make sure your vendors have their own liability coverage, too. When they’re covered, you’re less likely to have to pay for a lawsuit.
The Takeaway: Third Party Vendors Bring Risk, but You Can Protect Your Company
Make sure your company is not one of the 32 percent of businesses that underestimate their vendor risk. Set up a vendor evaluation process and protect your company with IT Errors and Omissions Insurance.