Pub. 9 2014-2015 Issue 6

March/April 2015 15 Extraordinary Service for Extraordinary Members. these will be considered outside any relevant liability cap; and • make clear that certain kinds of expected losses will be recoverable and not be excluded by a consequentials ex- clusion. 4 How Can the Bank Approach Limitation of Liability Negotiations to Improve Its Chances of Success? Limitation of liability provisions are usually the hardest fought provisions in vendor contracts and are typically the last issue to be resolved. Vendors will dig in their heels and make their customers work hard for modifications. Advance preparation and a devil’s-in-the-details approach can some- times succeed where a frontal assault will not: • Diligence the vendor carefully. Understand the specific risks the vendor’s technology might present to the bank. Vendor business teams are more likely to respond to real-world specific concerns than generalized lawyerly arguments. Has the vendor been affected by a security breach in the past? Is the vendor capitalized sufficiently to make good on its liability? 5 • The vendor will be trying hard to defend a standardized one-size-fits-all policy. Find a way to distinguish the bank from the customer base for which the vendor’s policy was designed. • Use the Request for Proposal (RFP) process to the bank’s advantage if possible. Establish the bank’s expectations upfront. • Use the sales cycle to express concerns about information security issues. The marketing team should want to address the bank’s concerns and may make commitments that the bank should not forget when it comes time to negotiate the contract. • Have an internal policy on what the bank wants in this area (even if it is nothing more than a reasonable wish list). Sometimes the bank’s own internal uncertainty on what it really wants can be as much of an impediment to a speedy resolution as vendor intransigence. Additions to the bank’s wish list at a late stage of negotiations are awkward at best. • Since the bank may not get what’s on its wish list, have a clear process for what types of provisions need high level approval and by whom. This will be helpful to the negotia- 4 Those the bank is worried about, such as forensics, costs of notification, credit monitoring; call center costs; card reissuance costs; fraud losses; fines; third party claims; and attorneys’ fees. Care should be exercised though, so no such list becomes an exclusive list of the only recoverable damages. 5 Cyber insurance is, of course, also an area that bankers should not overlook. Caution: Have a real coverage expert review the bank’s policies to make sure they cover what the bank thinks they do. Cyber insurance is complicated and evolving. For more information, contact Bryan Handlos at Kutak Rock LLP at (402) 346-6000 or bryan.handlos@kutakrock.com . Handlos is a member of Kutak Rock LLP’s banking practice group where he concentrates on bank regulatory matters. tion team in a variety of ways and may help speed a painful process along. • Do not simply leave these issues to the lawyers to resolve. The vendor may want to do business with the bank, but it probably does not like the bank’s lawyer very much. Rarely is the vendor’s lawyer going to be persuaded by the brilliance of the bank’s lawyer alone. The vendor very likely has its own strong internal policies and its legal team has one job—to protect the vendor from excessive liability. Resolution of hard issues requires the vendor to see that the bank’s busi- ness leaders (not just its lawyers) care about the issue. • The flip side of the preceding point is that the vendor’s mar- keting teamcan be the bank’s ally. Themarketing team’s job is (and its commission is riding on) getting to “yes.” Find ways to help the vendor’s marketing team see the bank’s perspective and encourage the team to help find creative solutions and navigate the barriers to resolution on their side. Some vendors’ sales teams actually do an outstanding job on this front. • Insist on reciprocity. This can help keep a vendor honest. If the vendor wants dollar caps and consequentials exclusions, the bank should have the same thing. This may or may not help if the bank is seeking uncapped vendor exposure for information security breaches (which may or may not be a reciprocal obligation). Additionally, the bank needs to consider its willingness to live with reciprocity if it gets it—is the bank willing to have uncapped exposure for things the vendor may care about? • Tailor limitations to specific risks if appropriate. For ex- ample, a vendor may insist that it cannot take uncapped liability for security breaches because no system can be guaranteed to keep all hackers out. If the bank is willing to entertain that line of compromise, have the limitation of liability address that, but press the vendor to accept full responsibility for other confidentiality breaches. • Be prepared to walk away. Nothing creates an incentive to find a creative solution more than a deal falling apart. Of course, for this to work, the bank must have a “Plan B.” Plan B should exist at the start of negotiations and the bank should know when it needs to pull the plug on negotiations with a recalcitrant vendor for Plan B to remain viable.   Counselor’s Corner — continued from page 13