Introduction

Your firm is still liable to clients for outsourced work whether it is outsourced domestically or overseas, so insurers expect disclosure and proper oversight. 

Failure to disclose could result in a claim being disputed. Some PII policies specifically exclude claims arising from outsourced work unless certain conditions have been met such as due diligence and supervision so check the fine print of your policy.

Outsourcing domestically

Outsourcing domestically is usually acceptable to insurers if it is disclosed and supervised. The risk to insurers is generally lower as it is easier to verify qualifications, regulation and compliance with UK standards, and disputes can be pursued more easily in UK courts. Insurers don't normally load premiums heavily if outsourcing is domestic and transparent. Ensure your client engagement letters make clear that your firm remains responsible and ideally the outsourcing provider will have its own PII cover.

Outsourcing overseas

Insurers will scrutinise offshore outsourcing more heavily and may impose conditions, exclusions, or higher premiums. The risk is considered higher because different legal systems are involved and there can be difficulties enforcing contracts. Data protection and GDPR compliance will be a concern, as will quality control risks where work is not directly supervised.

Be clear with your insurer as to how you are structuring the outsourced work. Let your insurer know of any changes in this area during the year and also remind them whenever renewal comes around to ensure you are covered. Bear this in mind if you should change to a different insurer.

Risks of outsourcing

Outsourcing brings risks so before taking the decision to outsource, firms should ensure they have a clear strategy to mitigate these risks and be prepared to demonstrate this to insurers. Some of the greatest risks:

  • Lack of oversight – outsourcing work inevitably results in a loss of control, compared to work carried out in-house. Without appropriate sign-off and quality controls in place, this could lead to systemic errors, causing mistakes.
  • Communication difficulties – outsourced workers overseas will be based in a different country, and potentially different time zones. Communication will likely have to take place virtually, complicating efforts to provide training, assign work, and ensure errors are identified. This has this the potential to lead to errors or delays in meeting critical deadlines.
  • Security concerns – third parties may have different or outdated security protocols, leaving them vulnerable to cyber-attacks. If an outsourced firm has its systems compromised, this could expose sensitive client data, leading to a regulatory fine or investigation. Alternatively, hackers may be able to penetrate the systems of the outsourcing firm, leading to further disruption. In the case of a significant breach, a firm may also suffer reputational damage and loss of client trust.
  • Data protection protocols – while the UK has high standards of data protection legislation, this is not the case for other parts of the world. Outsourcing work overseas could result in firms breaching rules regarding the transfer of data outside the UK (please see the data protection section).
  • Sanctions – overseas outsourcing firms may be subject to sanctions, such that outsourcing work results in a violation. Even where sanctions are not currently in force, firms located in volatile jurisdictions could see their status change quickly, resulting in potential disruption to business activities.

Risk mitigation and insurance guidance

Financial Conduct Authority (FCA) guidance is instructive for any firm considering outsourcing work, either domestically or abroad. As explained within, firms must be 'operationally resilient', with complete knowledge and understanding of the people, technology, processes, information and facilities involved in the delivery of any services. These factors are expected to be continually assessed, with special attention paid to the risks and controls in place.

Other measures to mitigate the risks of outsourcing include:

  • Carry out initial due diligence to confirm third parties have the skills and capabilities required to execute work to the required standard, as well as the necessary data protection and cyber security measures in place.
  • Implement monitoring procedures to check the quality of outsourced work and ensure all work is approved prior to signing off.
  • Ensure expectations for the delivery of work are made clear to third parties, prioritising work as needed to ensure critical deadlines are met.
  • Continually manage the relationship with third parties to avoid organisational leaks, including establishing communication lines for issues to be raised, and training to be provided on in-house processes.

Insurance implications for outsourcing

Outsourcing work whether domestically or abroad could have implications for firms' insurance coverage. Here are some of the implications by type of insurance:

  • Professional indemnity insurance – does the policy contain territorial limits that will extend to the locations your outsourced workers are based in? 
  • Management liability insurance – eg. could potential data breaches or lack of adequate planning lead to allegations from stakeholders? Are directors of the firm protected for the decision to outsource work?
  • Employers' liability and public liability insurance – depending on the contractual requirements in place with overseas outsourced workers, firms may be required legally to have these in place with local insurance markets.
  • Cyber insurance – eg. do outsourced firms have sufficient security protocols in place to prevent a data breach? If a third party suffers a breach, are there protocols to limit the extent of the damage to the outsourcing firm?

Insurance implications for offshoring

Offshoring can look like outsourcing where a third-party provider is used to move work overseas, but where a UK practice builds its own offshore office, the UK practice will still need to let insurers know how they are structuring the offshored work and will face - and have to mitigate - some of the same risks that firms outsourcing face. 

Conclusion

Firms have a duty to disclose changes to their business with insurers. Although a given policy may appear to provide appropriate cover, if the details are not declared to and accepted by underwriters, this could result in serious issues in the event of a claim. Talk to your insurer from the outset if considering outsourcing or offshoring.