Asia an integral link in global supply chains, says Marsh FINPRO leader

Risk managers must ensure that their companies’ IT departments are included in preparations to mitigate the impact of technology failures on supply chains and general operations, according to a Marsh research briefing.

Furthermore, outages and failures have the potential to cause significant loss of income, increase operating expenses and damage an organisation’s reputation, said Stella Tse, Marsh’s Financial and Professional Liability Practice (FINPRO) leader for Asia.

Tse added that this was especially true in Asia, “which is an integral link in any global supply chain these days”. “For example, if a cyber-attack shuts down a manufacturing facility, the ripple effects down the chain could be significant,” she said. “Companies need to consider a holistic approach to cyber and technology risks, including cyber insurance and supply-chain resiliency planning.”

Hong Kong-based Tse said firms in the region needed to look beyond data privacy. “Supply-chain disruption and business interruption from IT outages are critical issues companies should consider when assessing their cyber-risk exposures,” she said.

The Cyber Risks Extend Beyond Data and Privacy Exposures research briefing suggests that frequent communication between risk and IT professionals can help both functions to better understand their organisation’s risks, and to respond quickly and effectively when technology fails. “No business can inoculate itself against all risk of technology failure,” it states, “but with effective planning inside a comprehensive risk-management programme, businesses can better prepare for IT outages and minimise their impact on business operations, revenues and reputations.”

The briefing goes on to state that, historically, cyber-insurance coverage was only triggered when insureds were the victims of data breaches or hacking attacks. However, it says, many policies now provide coverage for a broad range of technology failures and outages.

“Given recent SEC [US Securities and Exchange Commission] guidance related to cyber risks, risk managers need to be prepared to answer questions from their directors and officers about whether the firm’s insurance coverage provides adequate protection in the event an incident occurs,” the briefing advises. “It will be important for risk managers to explain that the rapid evolution of privacy and security risks means that many traditional forms of insurance may not be able to adequately respond to these exposures.”

Marsh recommends that businesses take several steps before any IT outage occurs to prepare for disruptions and mitigate their potential business impact. These include determining the criticality of various IT systems to ongoing operations and whether alternatives are available or enhanced protection is possible; developing and testing business-continuity and crisis-management plans; and evaluating claims preparation and management plans.