Protecting Data Supply Chains
The biggest risk for many companies is a cyber attack on a third-party data vendor. Insurers are taking note, but gaps in cover
By Antony Ireland
Companies in all sectors are outsourcing data management to third-party vendors and cloud providers. U.S. data centers generated revenues exceeding $100 billion in 2015, and Research and Markets projected the data outsourcing market will grow at more than 5 percent annually until 2021.
Meanwhile, International Data Corp. predicted global spending on public cloud computing will more than double to $195 billion in 2020, from $96 billion in 2016, and that the number of new cloud-based solutions will triple over the next four to five years.
While risk managers and insurers have a good grip on the risks posed to employee or customer data, less attention has been paid to the business interruption (BI) risks companies could face if a third-party vendor’s service is compromised.
A cyber attack on a vendor could result in a company being denied access to data or the malicious destruction or modification of its data, said Joe Pennell, partner in Mayer Brown’s technology transactions practice.
For certain industries, the interruption of data flow could result in a shutdown, preventing production or the transfer of money. In sectors such as manufacturing, this scenario could be much more financially damaging than a privacy breach.
DATA SUPPLY CHAINS
While some cyber risk is unavoidable, organizations can take steps to strengthen their data supply chains. The first, said Shiraz Saeed, cyber national practice leader for Starr Cos., is to conduct a thorough audit of their own computer networks to establish every potential touchpoint where they could be exposed.
If possible, this should extend to the contingent BI (CBI) exposures of key suppliers that might be impacted if their own vendors suffer an attack or outage. According to PwC, 74 percent of companies in 2015 didn’t have a complete inventory of all third parties that handle customer and employee data, and 73 percent lacked incident response processes to report and manage breaches to these third parties.
While a company may have many network exposure points, the data vendor is usually the most important as it may have direct responsibility for business-critical data. Selecting the right vendor is therefore crucial, as is conducting due diligence and risk assessments on them.
Companies should ask to see documentation relating to the vendor’s redundancies and disaster recovery procedures, and talk to other customers to corroborate any assurances the vendor offers in the negotiating process “just as you would when you make any other important purchase,” Saeed said.
Pennell also urged firms to watch news alerts on data suppliers, conduct audit questionnaires, and send written correspondence demanding that any identified problems be fixed.
Ensuring contracts are watertight and favorable is also an important step.
“Security failures and privacy events can happen, so you should determine a mutual, amicable exchange in the event of an incident, just as you would for a slip and fall, and this should be outlined in the contract,” Saeed said. “Vendors are your partners and shouldn’t hold you responsible for everything.”
Mayer Brown partner Brad Peterson added that companies should build contracts with clear, enforceable commitments, options and incentives. “In addition to business continuity and backup requirements, the contract should require third-party certifications such as ISO 27000 certification or ISAE 3402 audit reports, notice of data security incidents, and early warnings

• Data can be inaccessible or destroyed if a company’s vendor suffers a cyber attack.
• Companies should keep backups of key data.
• There can be policy gaps and overlaps when seeking coverage for contingent business
Mitigating Data Supply Chain Risk
• Identify all touchpoints in a computer network.
• Conduct thorough due diligence on third-party vendors.
• Ensure contracts are favorable and clear.
• Design and test incident response plans.
• Consider routing backup data to an additional vendor.
• Check if cyber cover includes contingent business interruption.
• Work with brokers to obtain maximum limits.