
Digital contractors may create more risk than you think

Future of Work

By Frederic Lucas | August 18, 2020

As risks associated with the digital economy evolve, efforts to identify, measure and finance them often fall short.

Use of third-party vendors and contractors is common practice for many companies in the technology, media and telecom (TMT) industries. While this form of outsourcing is widely used to supplement in-house technology and expertise, it poses significant risk management issues that are often underinsured, if not overlooked entirely.

A revealing 2019 Protiviti study found that nearly one-third of companies surveyed have inadequate or “ad hoc” processes in place for vendor risk management. Many respondents blamed the shortcomings on such factors as cost, lack of internal support, or technology that was not suited for assessing and de-risking vendor relationships.

Risks associated with contractors are expanding with the growth of the digital economy. Work that may have been done internally in the past is now handed to specialized contractors, including managed-service providers, cloud platforms or vendors of software as a service (SaaS). Fast-moving, digitally reliant companies often depend on start-up business partners or on new technologies that lack the loss history risk managers need to identify, measure and hedge risks.

A cautionary tale

The changing regulatory environment, especially in Europe but increasingly evident in North America and elsewhere, is putting new pressure on companies to address contractor risks. The EU’s General Data Protection Regulation (GDPR) on data management and security, for example, makes it more important than ever for a company to keep a tight rein on its contractor relationships to avoid expensive litigation and fines.

I’m familiar with a European consumer products company that turned to a contractor for help in defining the right population for a product launch. In gathering and analyzing data, the contractor violated the GDPR by using private data. When the product launch began, some prospective customers were able to identify the source of the data, forcing an abrupt termination of the campaign.

The company subsequently faced claims under the GDPR and was forced to cover the costs that exceeded contractor liability. There also was a hit to revenue expectations from the aborted campaign — not to mention damage to the company’s brand and reputation. Inadequate risk management procedures for the contractor proved to be an expensive oversight.

Start with airtight contracts

In dealing with contractor risk, an important step is an agreed contract and terms of service that require the contractor to accept the risk of its actions and to commit to business and risk management practices that reduce the possibility of losses, especially around security and data protection. Your due diligence process should also cover exposures that might arise from the business partners your contractor itself works with.

This is a prudent step, but one that may require a company to review details of a contractor’s risk management efforts or to accept on faith that the contractor has risk management plans in place. For smaller contractors, this may be a risky assumption. Some cyber contractors are small companies with big ideas. It is to their advantage to embed risk management into their business strategies, but this doesn’t always happen. After one big mistake, a small contractor may simply close up shop, leaving you with no way to get your money back.

We’ve found that two-thirds of cyber breaches can be traced to human error, so a contract needs to account for the quality, experience and expertise of contractor staffing. It’s also important to establish monitoring procedures to ensure that contract requirements are met at every stage.

If you depend on third-party arrangements, remember that it is the first party who stands in front of the client or in the public spotlight, and the first party will likely have far more revenue at risk. So when something goes wrong, your company is forced to take the lead (and bear the expense) of investigating whether a claim is valid and then conducting a post-mortem on the cause of the mistake.

A trend in this area is sometimes called “zero trust,” meaning that a company accepts no assurance it cannot test. In this approach, the company would require a vendor, for example, to authenticate every time it tries to communicate with the company’s network. While zero trust has its critics, the goal of routine authentication and evaluation, alongside other rigorous security arrangements, is a good one.

It also may be prudent to start a contractor relationship with a small, well-defined project that can be fully vetted. This not only identifies potential problems but also helps contractors understand the standards and rigor that you expect from every assignment.

Beware of the insurance ‘gray area’

The best of third-party contracts will not eliminate risk. Risk financing, including insurance, is needed to pay the expenses you could incur. In cyber, this is more easily said than done. Insurance solutions vary by region, and there is often a gray area between what is covered by conventional property, professional liability, errors and omissions (E&O) and cyber policies.

Coverage sometimes boils down to the fine details of policy terms and conditions. Cyber coverage can certainly fill a gap, but capacity is limited, and cyber policies require frequent fine-tuning to meet new and evolving cyber risks. One practical solution is to explicitly include cyber in a technical E&O policy. This approach is useful when it is difficult to determine whether a cyber claim arose directly from the data or from the services the contractor provided with that data. It may also help to obtain coverages from a single insurer to further reduce the possibility of an insurance gray zone.

In terms of liability, conventional insurance policies may apply only to consequential damages, when what you really need is coverage for the broader impact of a cyber claim in which there is no damage to your product. The market is typically ready to pay to restart the business but not ready to absorb the loss of profit. Non-damage business interruption (BI) insurance is a promising option.

The real risk-transfer solution would be to cover non-damage business interruption losses, but insurers find it difficult to estimate the severity and probability of such claims well enough to provide adequate coverage. Even so, this would be easier than trying to identify a third party liable for a loss in the cloud, across differing regulations in the United States, Europe and Asia.

In my example of the interrupted product launch, the company suffered a serious loss of projected revenue traced to the contractor. Halting the campaign could qualify as business interruption due to actions by the contractor.

Risks associated with the digital economy are still evolving, and efforts to identify, measure and finance the risks struggle to keep pace. I sometimes think of how many factory fires were linked 50 years ago to workers who smoked cigarettes on the job. Nobody smokes in factories these days, so that particular fire risk has abated. We don’t have the same maturity for cyber risk, but we’re getting there.


Western Europe Industry leader, Technology, Media & Telecommunications at Willis Towers Watson
