25.8 VITA recommendations for a successful IT contract

25.8.1 IT special insurance coverages

In IT contracts, Errors and Omissions Insurance should always be required for Suppliers, except for simple commercial off-the-shelf (COTS) software products. This insurance covers a Supplier's performance errors and intentional or accidental omissions in performing the obligations set by the contract's technical/functional requirements. The coverage amount is based on the complexity of your procurement. For instance, if a Supplier is developing a custom solution for the agency, or if the procurement is providing a critical business continuity service to citizens, or if the Supplier is providing a cloud service (i.e., Software as a Service), then a higher amount of coverage should be required. Typical language to include in a contract is: "Supplier shall carry Errors and Omissions insurance coverage in the amount of $2,000,000 per occurrence."

For cloud service procurements, it is recommended to require the Supplier to also carry Cyber Security Liability Insurance to assist in the event of data loss or a security breach, which can result in losses valued in excess of millions of dollars. This is a relatively new type of insurance that some Suppliers will not have. Often they will say it is included in their Errors and Omissions insurance. If that is the case, you should require a higher coverage amount in the Errors and Omissions requirement and ask them to confirm how their insurance provider will cover incidents of data loss and security breach. Get the facts in writing and include applicable language in your contract. The typical language to include in your contract requirement for this is: "Supplier shall carry Cyber Security Liability insurance coverage in the amount of $5,000,000 per occurrence." Once again, the coverage amount can be decreased or increased based on your risk factor, project complexity, and data/security sensitivity.