Addressing the press around 10 years ago, former U.S. Secretary of State Donald Rumsfeld offered a terse explanation of how the U.S. security establishment evaluates risks. His somewhat inarticulate remarks about “known knowns” and “known unknowns” quickly became the subject of ridicule.
But beneath the tangled verbiage lies an important point that every IT organization should take to heart in their disaster recovery planning. Planning for disaster is an inexact science: there are many things you know you don’t know. Some argue that in the IT world, breaches, disasters, downtime — whatever you fear most —can and will occur, and that your planning should be built on that assumption.
Robert Beggs, CEO of Digital Defence, Inc., a Burlington, Ont.-based IT security firm, spoke about these necessary assumptions in an interview prior to his presentation at the recent World Conference on Disaster Management, held in Toronto at the end of June.
“Most people look at data security breaches as a unique, specific incident,” he says. “It is occurred, resolved with, and carry on. What I want to do is propose that they look at it as part of business management. In the sense that instead of saying, ‘will it or will it not happen to us? How prepared are we?’ say right from step number one: ‘We’re going to suffer a security breach.’ Because there are too many actors, there are too many techniques for compromising data available.”
And when you know something bad is going to happen — for instance, everybody should expect to get into at least one car accident in their lives— but don’t know when it’s going to happen, there is something most normally do: buy insurance.
Insured: anything and everything
In the world of disaster recovery and business continuity, risk assessments and insuring against those risks should be of paramount importance in your strategy, says Wendy Hayko, President of ActionReady, a company based in Whitby, Ontario that helps clients prepare DR/BC plans, understand the impact of risks and how to mitigate them and, as she puts it, “making sure that when you’re dealing with those risks that you’re getting some kind of operational increase from it.”
Her company offers exercises to test DR plans for clients from the full range of industry sectors, from the private sector to government departments and NGOs. One key thing ActionReady tries to determine is how companies can save money by tying their DR to their most valuable insured resources. This is especially important for IT firms. Hardware, server recovery, data: “That kind of thing tends to cost a fair bit of money,” Hayko says.
“That’s where a lot of the costs end up showing up very quickly when you do have a business interruption event.”
For some companies, data itself is their most valuable asset, rather than physical servers, storage appliances or printers. So, is data a tangible entity that can be insured?
Absolutely, says Pete Karageorgos, manager of consumer and industry relations at the Insurance Bureau of Canada.
“You can basically insure anything,” says Karageorgos. “You can insure anything and everything — the cost is, ultimately, the cost or the price of the policy.”
Hayko says if your organization’s main line of business is gathering or analyzing data and you can quantity its value somehow, it can certainly be included in your business interruption insurance as an asset. It’s important here to determine, for example, “how much money you make from each unit of data, whether that’s megabytes or number of customers recorded,” she says.
“The other thing you can do with data is you can cover cost recovery of data as part of your extra expenses insurance, “Hayko adds. “Knowing what those costs are ahead of time will deduce the cost of that extra expenditure.”
While considered property (and thus not directly covered by business interruption insurance), there are certain ways (costing and income-generation measures) that will allow you to classify databases as insured assets, she says. They can also be covered under an extra expenses enhancement or “rider” on business interruption insurance.
“One of the things that I have worked with in companies is how a particular database is affecting your business income or your business profitability, and we’re able to get some statistics around, ‘without this database we have this much of an incurred loss’ or ‘with this database we have this much of an increased profit.’
“Either one of those two numbers will help with your business interruption and your extra expenses insurance.”
Getting out of the money hole — fast
According to David Senf, vice-president of the infrastructure solutions group at IDC Canada Inc., 70 per cent of mid-to-large sized enterprises have some form of DR/BC plan, while fewer than half of small businesses do. In Canada, the main concerns addressed in these plans are first, IT systems failure, second, security breaches, and third, power outages. And e-mail is the top application that Canadian companies want to bring back when something goes down, followed by financial and Web applications.
The losses from a downed e-mail server are quite difficult to quantify, as are those from certain other areas of business, wrote Rachel Dines, senior analyst for infrastructure and operations at Forrester Research Inc., in an email message. But in general, “big cost savings on DR occur when you can prevent downtime,” she adds.
“The costs of downtime for many companies are huge, often running into the hundreds of thousands of dollars per hour. Downtime costs usually include productivity losses of employees, deferred or lost revenue, compliance or regulatory penalties, but can also include some of the harder to calculate things like reputation impact, customer retention [and] competitive advantage, to name a few.”
Since downtime is lost money, insurance companies can certainly be interested in how successfully a given company’s DR/BC plan could be applied, especially since commercial policies tend to be more specific than personal or homeowner’s insurance, says Karageorgos.
“There might be opportunities there for companies to work with brokers and carriers because, as an example, it would be of interest to an insurer to recognize a company that would have, perhaps, a business recovery plan in place that would minimize their downtime.
“The shorter timespan that a business is out of operation, out of its normal course of business, the less the impact will be on an insurance payout. So, it’s cheaper for the company, for the insurer,” he says.
“Companies that show that, ‘look, we’ve got plans in place that we may need this coverage [for] but we’ve done enough planning that odds are if anything does occur, we may be only be out of business or require additional costs to bring us back up to business [in] X number of days or X number of dollars.”
‘More than fluff’
Now that you’ve understood where insurance fits into the DR/BC framework, let’s look at some quick tips on how to save money on your policy. First of all, you need to understand the unfortunate reality that despite your best efforts to produce one, not all insurance companies will give your IT disaster recovery plan the attention it deserves.
Part of the reason for this is simply that many of them aren’t equipped to review it. In general, the more complex your IT operations, the more insurance becomes a niche offering better suited to companies focused on a particular industry like your own.
Karageorgos offers an example of this: taxis.
“Not all insurance companies will insure taxis,” he says. “There are specific numbers that have expertise and so, typically, those are the companies, and maybe a handful, that will insure that type of business. Same thing for IT and data, and that sort of thing.
“On a smaller scale, if I have, let’s say, an accounting firm, and I want to insure my records, yeah, there’s the opportunity to do that. But if it’s a lot larger and more technical in nature, odds are that there are fewer companies that will have the expertise to underwrite that type of business.”
But when you do find the right insurer to review your plan, says Hayko, you can expect savings of up to 15 per cent, or at least, an expansion of your coverage. To hit the right notes, you’ll have to present a solid plan with real numbers (“make it more than fluff,” she says) and a standard methodology. You should also expect to present more than your DR/BC plan to an insurer, particularly for new coverage or a major revision.
In that case, the insurance company is bound to bring in accountants to dig deep into the dollar figures you’ve included in your planning.
“They’re looking at those plans for hard numbers, around how much loss are you expecting in what areas. And that’s where your BIAs (business impact analyses) are really, really going to be a strong player in this plan.”