As data breaches become more common and potentially involve higher volumes of more sensitive information, government technology providers are increasingly being asked to assume higher levels of liability under IT services contracts.
In addition to technical expertise, success as an IT provider serving federal and state government agencies requires the ability to manage and mitigate a widening range of responsibilities and risks arising from failure to protect data or to meet other contractual requirements.
For these exposures, the first line of defense for IT government contractors is a strong contract. It is vital to avoid signing an agreement that forces a company to assume liability that belongs to other parties.
It is also critical to follow any applicable operational controls and standards, particularly those the contract incorporates by reference, since compliance with them then becomes a contractual obligation in its own right. Common standards used in the federal IT contracting sector include the FedRAMP Security Assessment Framework, National Institute of Standards and Technology (NIST) standards and guidelines, the ISO/IEC 27001 standard on information security management systems, and other relevant guidelines.
Beyond operational controls, it is also important to consider the financial aspects of risk management and loss control. Contractors should collaborate with their insurance agents or brokers to arrange a financial risk transfer program that is aligned with their service offerings and the resulting exposures.
Trey Warman is a technology underwriting specialist, CPCU, CIC, for Chubb.