Cybersecurity and Liability: Prevent Your Company from Bearing All the Damage
Cyberattacks have become an everyday reality for IT companies. Whether you provide hosting services, IT management, or managed services, the likelihood that your operations will be affected by a cyber incident is significant.
The resulting damage can be substantial — not only for your clients but also for your own business.
As an industry association, ICTWaarborg observes that many entrepreneurs overestimate their legal position when it comes to cyber incidents.
In this blog, we explain why insurance alone isn’t enough, how to contractually limit your liability, and how ICTWaarborg’s standard terms and conditions help you do so.
Cyberattacks and Their Impact on Your Business
Cyberattacks can take many forms, such as:
- Ransomware, where client files are encrypted and only released upon payment;
- DDoS attacks, making your platform or server unreachable;
- Phishing, where misleading emails are sent through your service;
- System breaches, where attackers gain access to sensitive client data.
The damage to your client may include data leaks, loss of revenue, reputational damage, and even claims from their own customers. In many cases, the client will turn to you as the supplier, resulting in potential liability disputes.
Is Liability Insurance Enough?
Many companies rely on their general liability (AVB) or professional indemnity (BAV) insurance. However, these policies often don’t cover all the risks related to cyber incidents:
- A general liability policy covers only material damage and bodily injury — not digital damage or data loss.
- A professional indemnity policy offers limited coverage for service errors, and only under strict conditions.
- Cyber insurance provides more specific coverage but often includes high thresholds, exclusions, and strict prevention requirements.
In practice, insurers frequently deny claims — for instance, if the damage results from user error or if your service functioned technically as intended. In short, insurance does not guarantee financial protection.
Contractual Limitation of Liability
If your insurance doesn’t pay out, your protection depends on what is stated in your contracts and general terms. That’s why it’s crucial to define your liability boundaries legally. ICTWaarborg advises that you:
- Recognize liability only for direct damages, such as repair or replacement costs;
- Explicitly exclude liability for indirect damages, such as lost profits, reputational harm, data loss, or third-party claims;
- Include a clear and reasonable liability cap, for example, a maximum of 12 months’ fees, with an absolute limit.
Note: Liability for intent or gross negligence cannot be excluded under law.
Don’t Link Liability to Your Insurance
Many entrepreneurs include a clause stating that liability is limited to the amount paid out by their insurer. While this might seem practical, it’s both legally and commercially risky:
- The client doesn’t know whether or how you are insured;
- The insurer might refuse payment;
- The client could be left uncompensated but still hold you responsible.
It’s stronger — legally and commercially — to agree on a fixed liability cap that stands independently of your insurance, for example:
“Total liability is limited to €25,000 or 12 months of service fees.”
The Protection of ICTWaarborg
As a member of ICTWaarborg, you benefit from standard terms that already address these risks properly. These conditions include:
- A clear distinction between direct and indirect damages;
- A realistic liability limit;
- Legally sound and commercially justifiable exclusions;
- Alignment with current digitalization and cyber risk trends.
By using these terms, you strengthen your legal position and prevent unpleasant disputes with clients if an incident occurs.
Conclusion
Cyberattacks may be unavoidable, but legal damage isn’t. Don’t rely blindly on insurance — ensure you have clear contractual agreements on liability.