August’s Compliance Coffee Talk: What do I need to know about Cyber Liability?

Compliance Coffee Talk covers a new topic each month – RSVP for the series.

August: “What do I need to know about Cyber Liability, and how is it different from Tech Errors & Omissions?”

We’ve had a lot of questions about this in the past few months, especially as AI-related risks are rising, so we brought together a risk manager and a lawyer, both with deep cyber experience, to guide us through the most common questions and how to identify where you should focus.

Watch the full replay, or keep scrolling for a summary of some of the key insights and practical advice from the session.

Meet the Experts

  • Tamika Puckett, EVP & Public Sector Practice Leader @ Protecdiv. Former Risk Leader at Zoom, City of Chicago, City of Atlanta, Durham Public Schools.
  • Andrew Clearwater, Partner @ Dentons. Former Chief Privacy Officer at OneTrust, Fellow at University of Maine School of Law.

You’ll learn:

  • Which cyber and tech risks are most relevant today
  • Cyber Insurance vs Tech E&O, where they’re unique and where they overlap
  • Factors for assessing your cyber / tech compliance requirements
  • Handling pushback from vendors regarding new compliance requirements
  • Understanding the alphabet soup of ISO, SOC2, NIST…
  • Managing cyber risks, even if you’re not deeply technical
  • Handling regulatory unknowns, where to be proactive
  • Holistic strategies for mitigating risks beyond cyber and tech

Key Takeaways

1. Understand that there are many different, unique types of risks under the heading of cyber and tech:

It’s easier to assess and navigate risks when you can separate and identify the unique types of risks.

Andrew and Tamika gave us the list of what’s worth keeping an eye out for:

  • AI-driven cyber attacks: Increased scale and sophistication of phishing, malware, and social engineering.

  • Ransomware evolution: Now includes public shaming, data theft, and third-party exploitation.

  • Supply chain vulnerabilities: Need better visibility and alerting mechanisms for third-party and vendor risks.

  • Cloud misconfiguration: Improper access controls and API vulnerabilities are a persistent issue.

  • Insider threats: Disgruntled employees or compromised accounts are an ongoing concern.

  • Regulatory complexity: Rapid evolution of global privacy, AI, and cybersecurity laws makes compliance a moving target.

  • Aging infrastructure, especially in the Public Sector: Underfunded, outdated systems increase vulnerabilities.  When it’s potholes vs computers, potholes often win.

2. Cyber Liability and Tech Errors & Omissions address different things – they aren’t interchangeable.

  • Cyber Liability:
    • Protects against financial losses from incidents (e.g., ransomware, data theft).
    • The exposure here is around data: sensitive, regulated, or protected information.
    • Cyber liability is relevant to any organization collecting, storing, or transmitting sensitive data. If third-party vendors are processing your sensitive data, requiring them to carry cyber liability coverage is recommended.
  • Tech E&O:
    • Is a form of professional liability coverage. It protects vendors and service providers against claims that they failed to properly deliver a technology product or service, made errors, or caused financial harm to their client.
    • Organizations providing a tech product or implementation service would use Tech E&O to protect the business from disputes or performance-related claims.
  • ⭐️ AI is starting to appear in some cyber and E&O policies via endorsements or add-ons, but in most cases that won’t give comprehensive AI coverage unless you obtain a specifically tailored policy. It comes down to your AI-related risk exposure: limited add-on language might be sufficient in some cases, but if you have high exposure from deploying autonomous AI systems, that likely requires separate or bespoke coverage.

3. Especially with Cyber and Tech, don’t assume contract value = risk level.

“For some policies (like general liability), coverage limits are tied to the contract value. That doesn’t work for cyber. You can have a $10,000 software contract where the vendor is accessing highly sensitive data — and the financial exposure if that data is breached could be millions. So you have to tie coverage to the amount and sensitivity of the data involved, not the cost of the contract. Look at how many records are at risk, and how sensitive the data is. Then set the coverage accordingly.”
— Tamika

4. With vendor requirements, prioritize protection, with a practical balance.

We all get questions about handling pushback from vendors anytime we introduce new requirements.  Andrew and Tamika gave us best practices that are relevant to any type of risk:

  • Use real-world examples to explain the need for coverage.
  • Your internal stakeholders (legal, procurement, finance, etc) need to be aligned. Engage them early, and escalate when necessary.
    • Equip them with the context they need to help set vendor expectations, and document recommendations clearly and widely.  It’s ok if different stakeholders disagree, but they should all be informed.

“Pushback is normal — not just from vendors, but also internally. The department that wants the vendor’s product will come to you saying “they can’t do this” or “they won’t sign that.” But as the risk manager, your job is to articulate the risk clearly.”
— Tamika

  • Be protective, but practical:
    • Avoid broad, blanket requirements that won’t fit the majority of vendors.
    • Focus on categorizing and prioritizing risks.  It’s smart to treat high, medium, and low risks differently, and consider exceptions or evolving requirements in that context.

“Think strategically: where are you truly exposed, and what requirements meaningfully reduce that risk? Prioritize those.”
— Andrew

5. You can still proactively and strategically manage cyber risks, even if you’re not deeply technical.

“How can I be expected to lead on these deeply technical risks, when much of the tech goes over my head?”  We’ve heard a lot of people ask some form of this question, and we heard two good answers.

“Look at cyber risk like any other risk: What’s the exposure, what could happen, and how do we transfer, mitigate, or accept the risk? You don’t need to use technical jargon — you can talk about it in the same language you’d use for property or operational risk.”
— Tamika

“Most of what lawyers and IT teams need from you is clarity about the business risk. Ask simple questions: What systems are impacted? What type of damage could we see? You bring the context, they bring the technical or legal perspective.”
— Andrew

6. With AI evolving constantly, and regulations reacting slowly, figure out what has the most practical risk impact at your org.

Just because the space is changing every single day, that doesn’t mean you can afford to ignore any of it, or wait for things to settle.  Don’t wait for regulations to dictate all of your organization’s risk requirements.

From a practical risk standpoint, focus on whichever AI systems or tools are performing the most sensitive and high-impact tasks, especially if they’re removing humans from decision loops. If a tool is making autonomous decisions that directly affect customers, finances, or regulated data, that’s where your risk is highest.

7. When an area of risk is rapidly evolving, that’s where you must keep learning.

Both Tamika and Andrew offered the same parting advice: stay diligent and keep learning. Cyber risks are constantly evolving, and so must we. Flexibility and curiosity are your best assets in any changing space.