CIOReview
December 2018

failure or data breach. They ranged from easily calculated risks, such as fines and penalties related to a data breach and cyber extortion, to more difficult to quantify risks, such as losses of intellectual property and data asset loss/damage.

These concerns aren't just for tech companies. Technology is integrated into nearly all products and services in our lives: restaurants offer online reservations, manufacturing is increasingly reliant on automation and controls managed through the internet of things (IoT), and retailers rely increasingly on online sales and digital customer engagement. A technology failure can bring down companies in nearly every industry.

The insurance industry has developed insurance solutions that respond to a wide range of losses from a technology failure or cyber-attack. Many, although not all, of these new exposures can be insured today, especially through technology errors and omissions and cyber policies. The most notable exposures that can be covered include:

· Privacy/data breach - readily available and can include preventative risk consulting to help reduce the risk.
· Cyber extortion/ransomware - widely available in most markets and includes services to investigate and evaluate the threat. When included in a broad cyber policy, it can also include remedies for any system damage.
· Data asset loss/damage - typically will cover the costs associated with the recovery, re-creation and repair of lost or damaged data. The risk of loss of revenue associated with the data interruption can be covered by non-physical damage business interruption insurance.
· Non-physical damage, business interruption, extra expense - more policies are now covering the costs associated with these interruptions from the onset of the interruption rather than after a specified period of time.
· Non-physical damage event at a supplier leading to business interruption or extra expense - because it is more difficult to demonstrate a loss from these events and to insure them, many carriers are limiting this coverage to IT vendors.
· Intellectual property infringement - can be covered under a media liability policy, but first-party coverage typically is not offered and patent protection is generally excluded.
· Regulatory fines and penalties - coverage for fines tied to a privacy breach is generally available where allowed by law.

The key to properly insuring and mitigating data risks is to first dig much deeper than headlines on data breaches. CIOs should understand how data loss and damage can lead to fundamental damage to their company's business models, which are likely uninsurable. First-party insurance is designed to cover an insured's own losses. It is not designed to repair intangible damage to the company's reputation or projected lost future revenue opportunities. Jumping back to the founding days of insurance - those marine underwriters would reimburse you for the insured value of cargo stolen by pirates, but couldn't help you if customers no longer used your ships because you had a reputation for getting attacked by pirates. You can insure your cargo. You can't always directly insure your reputation and future revenue sources.

The costs of repairing damaged data, the fines related to a data breach, and even lost revenue due to system outages can be insured and recouped. However, the aggregate value of customer experience data is far more important, yet its loss is not as readily insurable.
The intangible value of the insights gained from such customer data is one of the main reasons you are collecting it.

Consider what might happen if your carefully curated data was destroyed, damaged or breached:

· Customers might lose trust in your business, becoming less likely to use your services and share additional data with you.
· Governments and regulators could impose additional restrictions on what data you can collect and how your business can operate.
· During your recovery process, you might not be able to collect data that would allow you to identify key insights that affect your business, putting you behind your data-savvy competitors.

All of these outcomes would be detrimental to your business, but are not insurable. To understand how and how much to invest in measures to prevent, detect and respond, CIOs and CISOs need to work together with risk managers to understand how cyber and other tech risks can manifest themselves and how these risks can be managed. Risks that cannot be mitigated through insurance are those that can only be addressed with operational security measures in accordance with the risk appetite of the firm.

We use powerful technology to enhance human potential, while knowing that nothing will ever beat the human spirit and instinct

Scott Gilbert