Public procurement: Legally compliant procurement of cyber insurance

  • 02/27/2025

Cyber-attacks on public institutions, local authorities and companies have increased dramatically. Adequate cyber insurance cover is therefore essential. This article explains how to ensure that its procurement is legally compliant and meets the institution's requirements.


Ransomware attacks, data theft and system failures not only cause high economic losses, but also jeopardize the smooth operation of authorities and critical infrastructures.

According to the latest “Report on the state of IT security in Germany 2024” by the German Federal Office for Information Security (BSI), the threat situation continues to escalate – especially for local authorities, universities and hospitals, which often have limited IT security resources. Critical incidents such as the cyber-attack on the district of Anhalt-Bitterfeld, in which the administration was temporarily unable to act, or the attack on Südwestfalen IT, which affected 72 municipalities, show how real this threat is. The consequences of such attacks are often noticeable for months.

In light of this threat situation, cyber insurance is rapidly gaining in importance. Such policies not only offer financial protection, but also professional support through incident response services and digital forensics. However, while private companies can take out these policies individually, public clients are subject to the requirements of public procurement law.

Procurement law requirements for the procurement of cyber insurance

The tender for cyber insurance must not only be in line with the market, but also legally compliant. In particular, the following key aspects must be taken into account:

Selecting the right procurement procedure

Choosing the right procurement procedure is a crucial step for the legally and market-compliant procurement of cyber insurance. As this is a service procurement, it is subject to the provisions of the German Public Procurement Ordinance (VgV) and the German Sub-Threshold Procurement Ordinance (UVgO), while the Public Procurement Directive 2014/24/EU applies to Europe-wide procurements. The complexity and market dynamics of cyber insurance require a differentiated view of the possible procurement procedures.

The open procedure is the most frequently used procurement procedure and is suitable if the market offers a sufficient number of comparable insurance products. It is characterized by transparency and broad competition, but is less flexible as it does not allow subsequent negotiations with the tenderers. An alternative is the restricted procedure with competitive tendering. However, this procedure hardly plays a role in tenders for insurance contracts, as only very few tenderers take part in such calls for tenders anyway.

By contrast, the negotiated procedure with prior publication or the competitive dialog is particularly suitable for the tendering of cyber insurance policies. As cyber insurance policies are individually designed products whose scope of cover and service components vary depending on the provider, these procedures offer the opportunity to enter into a dialog with the tenderers and to tailor the insurance solution to the contracting authority’s specific needs. The flexible design of these procedures allows adjustments to be made without the award losing transparency or legal certainty.

The choice of procurement procedure should therefore be carefully considered, as an overly restrictive procedure can result in unsuitable tenders or incomplete insurance cover.

Service description: Precision and flexibility as key factors

In addition to choosing the right procedure, the service description plays a key role in a successful and legally compliant tender. As cyber insurance is not a standardized product and the market is constantly evolving, clients must formulate the requirements precisely without unnecessarily restricting competition. The service description should clearly define which risks are to be covered, such as hacker attacks, ransomware, data protection breaches or business interruption. It should also define the sum insured per incident and per year and the extent to which a deductible applies.

Another key aspect is the description of the risk situation. Cyber insurers assess the policyholder’s IT security measures as a decisive criterion for the premium structure and the scope of cover. Contracting authorities should therefore already state in the tender which security requirements are met, for example compliance with IT security standards such as ISO 27001 or BSI IT-Grundschutz (basic protection). In addition, prevention services and claims management should also be part of the risk information.

When compiling information for the risk assessment, it is important to know which questions are regularly asked by those insurers that generally offer cyber insurance cover for public clients. This is because it will hardly be possible to process the (very extensive) questionnaires of every single potential tenderer in a procurement procedure.

Services that an insurer provides, and which therefore belong in the service description, include incident response services, digital forensics and crisis management support. In the event of a cyber-attack, these services are crucial for the rapid recovery of systems.

A common mistake in calls for tenders is a specification that is either too restrictive or too general. A definition that is too narrow can lead to no provider submitting an economically viable offer, while a wording that is too open can make it difficult to compare offers. It is important to note that the standard terms and conditions of insurance companies vary greatly and often exceed 40 A4 pages. A thoughtful balance between a detailed specification and openness to the market is therefore essential. A clearly structured catalog of benefits with minimum requirements, supplemented by an evaluation matrix that takes appropriate account of qualitative differences, is recommended.

In the worst case, errors in the service description (and thus the content of the insurance contract to be concluded) can lead to gaps in cover and thus possibly to uncovered losses in the millions.

Offer evaluation: More than just the price

The evaluation of submitted tenders must not be based on price alone. Cyber insurance with inadequate cover or extensive exclusion clauses can entail considerable financial and operational risks for the client in the event of a claim. The evaluation should therefore be based on a balanced weighting of various criteria. In addition to the scope of cover and the loss scenarios covered, which should account for the largest share (around 40 percent), the quality of service and response times in the event of a claim are also crucial. In addition, the insurer’s risk assessment must be taken into account in order to ensure that the premium amount is commensurate with the benefits offered.

A balanced evaluation process ensures that not only the price, but also the quality of the insurance solution is taken into account in the decision. This ensures that the contracting authority’s insurance cover is not only economically viable, but also commensurate with the risk and meets the special requirements for the protection of sensitive IT infrastructures.

Avoidable pitfalls and risks under public procurement law

When tendering for cyber insurance, errors under public procurement law occur time and again, which can lead not only to a delay in the award procedure, but in the worst case to its complete ineffectiveness. Unclear or contradictory service descriptions are particularly problematic, as they make it difficult to compare tenders and lead to misunderstandings among tenderers. This significantly increases the risk of review procedures, as unsuccessful tenderers can claim that their tenders were not evaluated on the basis of clear and transparent criteria.

Another problem area is the missing definition of the evaluation matrix and award criteria. Failure to clearly regulate the standards according to which the tenders are evaluated creates a considerable opportunity for unsuccessful tenderers to appeal. They can question the decision of the contracting authority by claiming that the award procedure was not carried out in a non-discriminatory or comprehensible manner. A transparent and clear evaluation matrix is essential, especially for cyber insurance, where not only the price but also qualitative aspects play a central role.

In addition, a subsequent amendment to the contract can have significant consequences under public procurement law. Significant modifications, for example, with regard to the scope of cover or the terms of the contract, can result in the original award being in breach of procurement law. This applies in particular if the changes relate to essential contract components that were specified in the invitation to tender. In the worst-case scenario, such changes can lead to the contract being declared invalid, which entails not only financial risks for the contracting authority, but also considerable organizational risks.

A legally compliant procurement procedure not only reduces the risk of lengthy legal disputes, but also ensures that the desired cyber insurance is procured efficiently and in compliance with legal requirements. In order to achieve this goal, it is crucial to clearly define all relevant requirements in the planning phase of the tender, select the right procurement procedure and establish a reliable evaluation matrix. This is the only way for clients to avoid the award decision being contested at a later stage and the process being delayed or even completely annulled by review procedures.

Conclusion: Careful procurement as a success factor

Cyber insurance is an indispensable part of comprehensive risk management for public sector clients. In view of the increasing cyber threats, authorities and public institutions must ensure that they are not only technically but also financially protected in the event of an attack. However, the tendering of such insurance products poses a particular challenge, as it must meet both the requirements of public procurement law and the dynamic developments in the insurance market.

Contracting authorities should therefore check the legal conditions for their planned cyber insurance procurement at an early stage and draw up a strategically well-planned call for tenders. This is the only way to ensure that the tendering process is legally compliant and efficient and results in an insurance solution that meets both financial and security requirements.

If you are a contracting authority and need assistance with the tendering process or have questions about the legal aspects of public procurement, we will be happy to support you with our expertise.


Author of this article

Dr. Christian Teuber

Partner

Attorney-at-Law (Rechtsanwalt), Specialist Lawyer for Public Procurement Law
