Business Interruption RIsk

Protecting Data Supply Chains

The biggest risk for many companies is a cyber attack to a third-party data vendor. Insurers are taking note, but gaps in cover remain.
By: | May 2, 2017 • 5 min read

Companies in all sectors are outsourcing data management to third-party vendors and cloud providers. U.S. data centers generated revenues exceeding $100 billion in 2015, and Research and Markets projected the data outsourcing market will grow at more than 5 percent annually until 2021.

Advertisement




Meanwhile, International Data Corp. predicted global spending on public cloud computing will more than double to $195 billion in 2020, from $96 billion in 2016, and that the number of new cloud-based solutions will triple over the next four to five years.

While risk managers and insurers have a good grip on the risks posed to employee or customer data, less attention has been paid to the business interruption (BI) risks companies could face if a third-party vendor’s service is compromised.

A cyber attack on a vendor could result in a company being denied access to data or the malicious destruction or modification of its data, said Joe Pennell, partner in Mayer Brown’s technology transactions practice.

For certain industries, the interruption of data flow could result in a shutdown, preventing production or the transfer of money. In sectors such as manufacturing, this scenario could be much more financially damaging than a privacy breach.

Data Supply Chains

While some cyber risk is unavoidable, organizations can take steps to strengthen their data supply chains. The first, said Shiraz Saeed, cyber national practice leader for Starr Cos., is to conduct a thorough audit of their own computer networks to establish every potential touchpoint where they could be exposed.

If possible, this should extend to the contingent BI (CBI) exposures of key suppliers that might be impacted if their own vendors suffer an attack or outage.

Shiraz Saeed, cyber national practice leader, Starr Cos.

According to PwC, 74 percent of companies in 2015 didn’t have a complete inventory of all third parties that handle customer and employee data, and 73 percent lacked incident response processes to report and manage breaches to these third parties.

While a company may have many network exposure points, the data vendor is usually the most important as it may have direct responsibility for business-critical data. Selecting the right vendor is therefore crucial, as is conducting due diligence and risk assessments on them.

Companies should ask to see documentation relating to the vendor’s redundancies and disaster recovery procedures, and talk to other customers to corroborate any assurances the vendor offers in the negotiating process “just as you would when you make any other important purchase,” Saeed said.

Pennell also urged firms to watch news alerts on data suppliers, conduct audit questionnaires, and send written correspondence demanding that any identified problems be fixed.

Ensuring contracts are watertight and favorable is also an important step.

“Security failures and privacy events can happen, so you should determine a mutual, amicable exchange in the event of an incident, just as you would for a slip and fall, and this should be outlined in the contract,” Saeed said. “Vendors are your partners and shouldn’t hold you responsible for everything.”

Mayer Brown partner Brad Peterson added that companies should build contracts with clear, enforceable commitments, options and incentives.

“In addition to business continuity and backup requirements, the contract should require third-party certifications such as ISO 27000 certification or ISAE 3402 audit reports, notice of data security incidents, and early warnings on technical and financial risks,” he said.

Incident Response

It is also essential companies have their own “Plan B” in case a vendor’s service is interrupted.

Steve Bridges, SVP, cyber/E&O practice, JLT Specialty USA

“Maintain backups of key data under your control or control of a separate supplier. Have alternate sources for necessary data feeds, and leverage technologies such as blockchain where possible to reduce the risk of malicious modification,” Peterson said.

Steve Bridges, SVP of the cyber/E&O practice at JLT Specialty USA, urged all organizations to develop and test response plans to ensure they are prepared for potential data interruption.

“Companies should have procedures in place and work through those plans so it is clear who gets called, when, and what resources need to be brought in to deal with the situation,” he said, adding that steps like this will also help companies negotiate terms with their insurers.

“Vendors are your partners and shouldn’t hold you responsible for everything.” — Shiraz Saeed, cyber national practice leader, Starr Cos.

“We look at an organization’s overall cyber security and maturity, and really dig into their response, recovery and continuity plans,” said Saeed, adding: “It’s not about finding risks that are impenetrable, but those that turn themselves from soft targets to hard targets.”

Insurance Coverage

Cyber CBI cover can theoretically be obtained under three types of policy — stand-alone cyber, property (typically covering only physical losses from an interruption), and kidnap & ransom (for ransomware attacks).

“Insureds must identify where there are overlaps and gaps between different types of policies, and dovetail their coverage so they know what is covered and excluded in each policy,” said Jill Dalton, managing director at Aon Risk Consulting.

She noted that property underwriters typically put sublimits on cyber CBI coverage, and often exclude it altogether.

Some policies will respond, added Bridges, but the insured has to be down for an agreed number of hours before coverage kicks in.

A further concern for underwriters is the aggregation of risk within their portfolios if numerous insureds are using the same data vendor.

Paul Bantick, Beazley’s technology media and business services focus group leader, said collaboration between cyber and property underwriters is needed.

“People have been addressing the issue of risk accumulation in property BI policies for years and we should work with property underwriters to come up with solutions.”

Advertisement




According to Bantick, the last year has seen a number of cyber insurers offer CBI cover with no sublimit. Beazley itself is one of the few insurers developing “holistic” cyber coverages that effectively provide cover for all risks, including CBI.

“Manufacturing, industrial, energy and marine-type accounts, which haven’t historically bought cyber cover, are now coming to market. BI issues are the main drivers of demand, and they want full limits, without having to rely on being covered under another policy,” Bantick said.

He predicted that CBI will eventually be standard in cyber policies for these industries. Whether that happens across the board is unclear, but at least those who need it can now access protection from selected carriers.

“Most people in our industry understand that network interruption claims are going to increase and there will be growing demand for better, broader coverage,” said Bridges. &

Antony Ireland is a London-based financial journalist. He can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Risk Management

The Profession

This senior risk manager values his role in helping Varian Medical Systems support research and technologies in the fight against cancer.
By: | September 12, 2017 • 5 min read

R&I: What was your first job?

When I was 15 years old I had a summer job working for the city of Plentywood, mowing grass in the parks and ballfields, emptying garbage cans, hauling waste to the dump, painting crosswalk lines.  A great job for a teenager but I thought getting a college degree and working in an air-conditioned office would be a good plan long term.

R&I: How did you come to work in risk management?

I was enrolled in the University of Montana as a general business student, and I wanted to declare a more specialized major during my sophomore year. I was working for my dad at his insurance agency over the summer, and taking new agent training coursework on property/casualty risks in my spare time, so I had an appreciation for insurance. My dad suggested I research risk management for a career, and I transferred sight unseen to the University of Georgia to enroll in their risk management program. I did an internship as a senior with the risk management department at Sulzer Medica, and they offered me a full time job.

R&I: What could the risk management community be doing a better job of?

Advertisement




We need to do a better job of saying yes. We tend to want to say no to many risks, but there are upside benefits to some risks. If we initiate a collaborative exercise with the risk owners — people who may have unique knowledge about that particular risk — and include a cross section of people from other corporate functions, you can do an effective job of taking the risk apart to analyze it, figure out a way to manage that exposure, and then reap the upside benefits while reducing the downside exposure. That can be done with new products and new service offerings, when there isn’t coverage available for a risk. It’s asking, is there anything we can do to reduce the risk without transferring it?

R&I: What emerging commercial risk most concerns you?

Cyber liability. There’s so much at stake and the bad guys are getting more resourceful every day. At Varian, our first approach is to try to make our systems and products more resilient, so we’re trying to direct resources to preventing it from happening in the first place. It’s a huge reputation risk if one of our products or systems were compromised, so we want to avoid that at all costs.

We need to do a better job of saying yes. We tend to want to say no to many risks, but there are upside benefits to some risks.

R&I: What insurance carrier do you have the highest opinion of?

I’ve worked with a number of great ones over the years. We’ve enjoyed a great property insurance relationship with Zurich. Their loss control services are very valuable to us. On the umbrella liability side, it’s been great partnering with companies like Swiss Re and Berkley Life Sciences because they’ve put in the time and effort to understand our unique risk exposures.

R&I: How much business do you do direct versus going through a broker?

One hundred percent through a broker. I view our broker as an extension of our risk management team. We benefit from each team member’s respective area of expertise and experience.

R&I: Is the contingent commission controversy overblown?

Advertisement




I think so. The brokers were kind of villainized by Spitzer. I think it’s fair for brokers and insurers to make a reasonable profit, and if a portion of their profit came from contingent commissions, I’m fine with that. But I do appreciate the transparency and disclosure that came out as a result of the fiasco.

R&I: Are you optimistic about the US economy or pessimistic and why?

David Collins, Senior Manager, Risk Management, Varian Medical Systems Inc.

While we might be doing fine here in the U.S. from an economic perspective, the Middle East is a mess, and we’re living with nuclear threat from North Korea. But hope springs eternal, so I’m cautiously optimistic. I’m hoping saner minds prevail and our leaders throughout the world work together to make things better.

R&I: Who is your mentor and why?

My Dad got me started down the insurance and risk path. I’ve also been fortunate to work for or with a number of University of Georgia alumni who’ve been mentors for me. I’ve worked side by side with Karen Epermanis, Michael Rousseau, and Elisha Finney. And I’ve worked with Daniel Dean in his capacity as a broker.

R&I: What have you accomplished that you are proudest of?

Advertisement




Raising my kids. I have a 15-year-old and 12-year-old, and they’re making mom and dad proud of the people they’re turning into.

On a professional level, a recent one would be the creation and implementation of our global travel risk program, which was a combined effort between security, travel and risk functions.

We have a huge team of service personnel around the world, traveling to customer sites to do maintenance and repair. We needed a way to track, monitor and communicate with them. We may need to make security arrangements or vet their lodging in some circumstances.

R&I: What do your friends and family think you do?

My 12-year-old son thought my job responsibilities could be summed up as a “professional worrier.” And that’s not too far off.

R&I: What about this work do you find the most fulfilling or rewarding?

Varian’s mission is to focus energy on saving lives. Proper administration of the risk function puts the company in a better position to financially support research that improves products and capabilities, helps to educate health care providers and support cancer care in general. It means more lives saved from a terrible disease. I’m proud to contribute toward that.

When you meet someone whose cancer has been successfully treated with one of our products, it’s a powerful reward.




Katie Siegel is an associate editor at Risk & Insurance®. She can be reached at [email protected]