Protecting Data Supply Chains
Companies in all sectors are outsourcing data management to third-party vendors and cloud providers. U.S. data centers generated revenues exceeding $100 billion in 2015, and Research and Markets projected the data outsourcing market will grow at more than 5 percent annually until 2021.
Meanwhile, International Data Corp. predicted global spending on public cloud computing will more than double to $195 billion in 2020, from $96 billion in 2016, and that the number of new cloud-based solutions will triple over the next four to five years.
While risk managers and insurers have a good grip on the risks posed to employee or customer data, less attention has been paid to the business interruption (BI) risks companies could face if a third-party vendor’s service is compromised.
A cyber attack on a vendor could result in a company being denied access to data or the malicious destruction or modification of its data, said Joe Pennell, partner in Mayer Brown’s technology transactions practice.
For certain industries, the interruption of data flow could result in a shutdown, preventing production or the transfer of money. In sectors such as manufacturing, this scenario could be much more financially damaging than a privacy breach.
Data Supply Chains
While some cyber risk is unavoidable, organizations can take steps to strengthen their data supply chains. The first, said Shiraz Saeed, cyber national practice leader for Starr Cos., is to conduct a thorough audit of their own computer networks to establish every potential touchpoint where they could be exposed.
If possible, this should extend to the contingent BI (CBI) exposures of key suppliers that might be impacted if their own vendors suffer an attack or outage.
According to PwC, 74 percent of companies in 2015 didn’t have a complete inventory of all third parties that handle customer and employee data, and 73 percent lacked incident response processes to report and manage breaches to these third parties.
While a company may have many network exposure points, the data vendor is usually the most important as it may have direct responsibility for business-critical data. Selecting the right vendor is therefore crucial, as is conducting due diligence and risk assessments on them.
Companies should ask to see documentation relating to the vendor’s redundancies and disaster recovery procedures, and talk to other customers to corroborate any assurances the vendor offers in the negotiating process “just as you would when you make any other important purchase,” Saeed said.
Pennell also urged firms to watch news alerts on data suppliers, conduct audit questionnaires, and send written correspondence demanding that any identified problems be fixed.
Ensuring contracts are watertight and favorable is also an important step.
“Security failures and privacy events can happen, so you should determine a mutual, amicable exchange in the event of an incident, just as you would for a slip and fall, and this should be outlined in the contract,” Saeed said. “Vendors are your partners and shouldn’t hold you responsible for everything.”
Mayer Brown partner Brad Peterson added that companies should build contracts with clear, enforceable commitments, options and incentives.
“In addition to business continuity and backup requirements, the contract should require third-party certifications such as ISO 27000 certification or ISAE 3402 audit reports, notice of data security incidents, and early warnings on technical and financial risks,” he said.
It is also essential companies have their own “Plan B” in case a vendor’s service is interrupted.
“Maintain backups of key data under your control or control of a separate supplier. Have alternate sources for necessary data feeds, and leverage technologies such as blockchain where possible to reduce the risk of malicious modification,” Peterson said.
Steve Bridges, SVP of the cyber/E&O practice at JLT Specialty USA, urged all organizations to develop and test response plans to ensure they are prepared for potential data interruption.
“Companies should have procedures in place and work through those plans so it is clear who gets called, when, and what resources need to be brought in to deal with the situation,” he said, adding that steps like this will also help companies negotiate terms with their insurers.
“We look at an organization’s overall cyber security and maturity, and really dig into their response, recovery and continuity plans,” said Saeed, adding: “It’s not about finding risks that are impenetrable, but those that turn themselves from soft targets to hard targets.”
Cyber CBI cover can theoretically be obtained under three types of policy — stand-alone cyber, property (typically covering only physical losses from an interruption), and kidnap & ransom (for ransomware attacks).
“Insureds must identify where there are overlaps and gaps between different types of policies, and dovetail their coverage so they know what is covered and excluded in each policy,” said Jill Dalton, managing director at Aon Risk Consulting.
She noted that property underwriters typically put sublimits on cyber CBI coverage, and often exclude it altogether.
Some policies will respond, added Bridges, but the insured has to be down for an agreed number of hours before coverage kicks in.
A further concern for underwriters is the aggregation of risk within their portfolios if numerous insureds are using the same data vendor.
Paul Bantick, Beazley’s technology media and business services focus group leader, said collaboration between cyber and property underwriters is needed.
“People have been addressing the issue of risk accumulation in property BI policies for years and we should work with property underwriters to come up with solutions.”
According to Bantick, the last year has seen a number of cyber insurers offer CBI cover with no sublimit. Beazley itself is one of the few insurers developing “holistic” cyber coverages that effectively provide cover for all risks, including CBI.
“Manufacturing, industrial, energy and marine-type accounts, which haven’t historically bought cyber cover, are now coming to market. BI issues are the main drivers of demand, and they want full limits, without having to rely on being covered under another policy,” Bantick said.
He predicted that CBI will eventually be standard in cyber policies for these industries. Whether that happens across the board is unclear, but at least those who need it can now access protection from selected carriers.
“Most people in our industry understand that network interruption claims are going to increase and there will be growing demand for better, broader coverage,” said Bridges.