As a recent Marsh report outlines, although data privacy issues may be top of mind for organizations as they manage cyber risks, there are other, potentially more severe, cyber threats. For example, companies are becoming more concerned about dependent business interruption, especially resulting from failures of technology outsourcing and cloud-computing service providers.
Consider these points:
- Unplanned information technology (IT) or telecom outages are the most debilitating source of supply chain disruption, outpacing adverse weather, earthquakes, product contamination, and transportation disruptions, according to the Business Continuity Institute’s (BCI) Supply Chain Resilience 2012 report.
- Although cyber insurance policies have historically been triggered primarily by data breaches and hacking attacks, many now provide coverage for a broad range of technology failures and outages.
- Recent SEC guidance related to cyber risks means that risk managers need to be prepared to answer questions from their directors and officers about whether the firm’s insurance coverage provides adequate protection in the event an incident occurs. It will be important for risk managers to explain that the rapid evolution of privacy and security risks means that many traditional forms of insurance may not be able to adequately respond to these exposures.
Cyber insurance coverage, which really didn’t exist before 1998, continues to evolve and now clearly addresses the needs of organizations across a wide spectrum of industries.
And while privacy coverage still leads the way, we have seen business interruption coverage evolve dramatically in the last few years — from coverage limited to lost revenue associated with a computer attack that brought down a website to policies that provide coverage for lost revenue due to an outage of computer systems resulting from a technology failure. Cyber policies can bridge the gap between what traditional property and casualty policies covered and the ever-changing and growing risks companies face as their use of technology and information expands.
The purchase of cyber insurance is just one part of a well-planned and effective risk management program that also includes policies and protocols to prevent and mitigate technology risks. And like the risks themselves, the solutions — from mitigation to risk transfer to recovery — continue to evolve and grow more robust.