Business Interruption Risk

Protecting Data Supply Chains

The biggest risk for many companies is a cyber attack on a third-party data vendor. Insurers are taking note, but gaps in cover remain.
By: Antony Ireland | May 2, 2017 • 5 min read

Companies in all sectors are outsourcing data management to third-party vendors and cloud providers. U.S. data centers generated revenues exceeding $100 billion in 2015, and Research and Markets projected the data outsourcing market will grow at more than 5 percent annually until 2021.

Meanwhile, International Data Corp. predicted global spending on public cloud computing will more than double to $195 billion in 2020, from $96 billion in 2016, and that the number of new cloud-based solutions will triple over the next four to five years.

While risk managers and insurers have a good grip on the risks posed to employee or customer data, less attention has been paid to the business interruption (BI) risks companies could face if a third-party vendor’s service is compromised.

A cyber attack on a vendor could result in a company being denied access to data or the malicious destruction or modification of its data, said Joe Pennell, partner in Mayer Brown’s technology transactions practice.

For certain industries, the interruption of data flow could result in a shutdown, preventing production or the transfer of money. In sectors such as manufacturing, this scenario could be much more financially damaging than a privacy breach.

Data Supply Chains

While some cyber risk is unavoidable, organizations can take steps to strengthen their data supply chains. The first, said Shiraz Saeed, cyber national practice leader for Starr Cos., is to conduct a thorough audit of their own computer networks to establish every potential touchpoint where they could be exposed.

If possible, this should extend to the contingent BI (CBI) exposures of key suppliers that might be impacted if their own vendors suffer an attack or outage.

According to PwC, 74 percent of companies in 2015 didn’t have a complete inventory of all third parties that handle customer and employee data, and 73 percent lacked incident response processes to report and manage breaches to these third parties.

While a company may have many network exposure points, the data vendor is usually the most important as it may have direct responsibility for business-critical data. Selecting the right vendor is therefore crucial, as is conducting due diligence and risk assessments on them.

Companies should ask to see documentation relating to the vendor’s redundancies and disaster recovery procedures, and talk to other customers to corroborate any assurances the vendor offers in the negotiating process “just as you would when you make any other important purchase,” Saeed said.

Pennell also urged firms to watch news alerts on data suppliers, conduct audit questionnaires, and send written correspondence demanding that any identified problems be fixed.

Ensuring contracts are watertight and favorable is also an important step.

“Security failures and privacy events can happen, so you should determine a mutual, amicable exchange in the event of an incident, just as you would for a slip and fall, and this should be outlined in the contract,” Saeed said. “Vendors are your partners and shouldn’t hold you responsible for everything.”

Mayer Brown partner Brad Peterson added that companies should build contracts with clear, enforceable commitments, options and incentives.

“In addition to business continuity and backup requirements, the contract should require third-party certifications such as ISO 27000 certification or ISAE 3402 audit reports, notice of data security incidents, and early warnings on technical and financial risks,” he said.

Incident Response

It is also essential companies have their own “Plan B” in case a vendor’s service is interrupted.

“Maintain backups of key data under your control or control of a separate supplier. Have alternate sources for necessary data feeds, and leverage technologies such as blockchain where possible to reduce the risk of malicious modification,” Peterson said.

Steve Bridges, SVP of the cyber/E&O practice at JLT Specialty USA, urged all organizations to develop and test response plans to ensure they are prepared for potential data interruption.

“Companies should have procedures in place and work through those plans so it is clear who gets called, when, and what resources need to be brought in to deal with the situation,” he said, adding that steps like this will also help companies negotiate terms with their insurers.

“We look at an organization’s overall cyber security and maturity, and really dig into their response, recovery and continuity plans,” said Saeed, adding: “It’s not about finding risks that are impenetrable, but those that turn themselves from soft targets to hard targets.”

Insurance Coverage

Cyber CBI cover can theoretically be obtained under three types of policy — stand-alone cyber, property (typically covering only physical losses from an interruption), and kidnap & ransom (for ransomware attacks).

“Insureds must identify where there are overlaps and gaps between different types of policies, and dovetail their coverage so they know what is covered and excluded in each policy,” said Jill Dalton, managing director at Aon Risk Consulting.

She noted that property underwriters typically put sublimits on cyber CBI coverage, and often exclude it altogether.

Some policies will respond, added Bridges, but the insured has to be down for an agreed number of hours before coverage kicks in.

A further concern for underwriters is the aggregation of risk within their portfolios if numerous insureds are using the same data vendor.

Paul Bantick, Beazley’s technology media and business services focus group leader, said collaboration between cyber and property underwriters is needed.

“People have been addressing the issue of risk accumulation in property BI policies for years and we should work with property underwriters to come up with solutions.”

According to Bantick, the last year has seen a number of cyber insurers offer CBI cover with no sublimit. Beazley itself is one of the few insurers developing “holistic” cyber coverages that effectively provide cover for all risks, including CBI.

“Manufacturing, industrial, energy and marine-type accounts, which haven’t historically bought cyber cover, are now coming to market. BI issues are the main drivers of demand, and they want full limits, without having to rely on being covered under another policy,” Bantick said.

He predicted that CBI will eventually be standard in cyber policies for these industries. Whether that happens across the board is unclear, but at least those who need it can now access protection from selected carriers.

“Most people in our industry understand that network interruption claims are going to increase and there will be growing demand for better, broader coverage,” said Bridges.

Antony Ireland is a London-based financial journalist. He can be reached at [email protected]

Risk Management

The Profession

Verizon’s risk manager David Cammarata loves when his team can make a real impact on the bottom line.
By: Katie Siegel | May 2, 2017 • 4 min read

R&I: What was your first job?

I was a financial analyst with the N.J. Casino Control Commission.

R&I: How did you come to work in risk management?

I was told at a Christmas luncheon in 2003 that I was being promoted into a new job.

R&I: What is the risk management community doing right?

I think the risk management community is getting a lot better at utilizing big data and analytics to manage risk. Significant improvements have been made, but there is still much more room for improvement.

R&I: What could the risk management community be doing a better job of?

I think that the insurance and brokerage communities need to really start thinking about what this industry is going to look like in 10 years. They need to start addressing how they are going to remain relevant. I think that major disruptions to existing business models will occur and that these disruptions combined with innovation and technological advances may catch many of today’s industry leaders by surprise.

David Cammarata, assistant treasurer, risk management and insurance, Verizon Communications Inc.

R&I: What was the best location and year for the RIMS conference and why?

San Diego, any year.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

I think the advent of cyber risk and cyber insurance. For several years it has been, and it continues to be, the main topic of discussion at industry meetings.

R&I: What emerging commercial risk most concerns you?

I think the most scary scenarios include a nuclear, biological, chemical or radiological event, a widespread global health epidemic and/or a widespread state sponsored cyber shutdown.

R&I: How much business do you do direct versus going through a broker?

We do almost all of our business through a broker.

R&I: Is the contingent commission controversy overblown?

No. It’s a conflict.

R&I: Are you optimistic about the U.S. economy or pessimistic and why?

Optimistic because hopefully President Trump’s policies (lower taxes and less regulation) will be pro-business and good for the economy.

R&I: Who is your mentor and why?

My dad, who passed away many years ago. He was very influential during the formative years of my career. He taught me how important integrity and reputation were to your brand and he had a very strong work ethic.

R&I: What have you accomplished that you are proudest of?

I would have to say raising two awesome kids. My daughter is graduating from James Madison University this year as co-valedictorian. My son is finishing his sophomore year at Rutgers and has near perfect grades. But more importantly, both of my kids have turned out to be really good people.

R&I: How many emails do you get in a day?

A lot.

R&I: What is your favorite book or movie?

“My Cousin Vinny.” That movie makes me laugh no matter how many times I watch it.

R&I: What’s the best restaurant you’ve ever eaten at?

My dad used to take me to a place called Chick & Nello’s. It was an Italian place that did not have a menu. They came to your table and told you the two or three items they were making that day. The food was out of this world.

R&I: What is your favorite drink?

Iced tea. The non-alcoholic kind.

R&I: What is the most unusual/interesting place you have ever visited?

I can think of several places but for me it would be a tie between India and Italy. India just has such a different culture and way of life and Rome has breathtaking historical sites.

R&I: What is the riskiest activity you ever engaged in?

Well, one of the best thrill rides I’ve been on was Kingda Ka at Great Adventure. It feels risky but probably isn’t all that risky. I flew in a prop plane with my brother-in-law one time … that felt kind of risky. I have also parasailed, does that count? I think it definitely has to be driving on the N.J. Turnpike day in and day out.

R&I: If the world has a modern hero, who is it and why?

What about the Fukushima 50? I don’t think I could have done what they did.

R&I: What about this work do you find the most fulfilling or rewarding?

I love it when the risk management organization is able to contribute in a way that makes a real impact to the corporation’s overall objectives. On several occasions we have been able to make real contributions to the bottom line.

R&I: What do your friends and family think you do?

I don’t think they really know. My children see me as dad; others just see me as an executive with Verizon.

Katie Siegel is a staff writer at Risk & Insurance®. She can be reached at [email protected]