Last month’s blackout in parts of Ontario shed light on Canadian enterprises’ increasing dependence on computer networks for vital data. And as this dependence rises, so too does the vulnerability of critical data, communications and business continuity.
According to the Insurance Information Institute, a U.S. umbrella group representing the industry, traditional insurance policies – namely standard property and commercial general liability insurance – may not be enough to cover potential cyber-risk and cyber-incidents.
When it comes to risk management, the dynamics have changed, according to the Institute’s cyber expert, John Spagnuolo, in New York. He says most organizations are living in a 21st century threat environment with 20th century insurance coverage.
The Insurance Information Institute also points to a recent Ernst & Young survey, which revealed that only seven per cent of the 1,400 organizations polled were confident that a specific network and cyber-risk policy was in place.
In Canada, insurers are redefining the terms and conditions of traditional coverage. Specifically, coverage for policies like cyber-risk has either been reworded or removed altogether, making them woefully inadequate for enterprise needs.
Cheryl Bieson, president of Calgary-based risk management consultants Deucalion Inc., noted that as far as risk-management programs go, insurance for cyber-risk should be the “first element”. Policies that offer this form of coverage tend to be specialized and require that the insurer have adequate preventative measures in place. In some cases, Bieson explained, enterprises may have to undergo an audit to ensure that coverage requirements are being met.
If a hacker or virus, for instance, affects a network or destroys data, most organizations today have either limited or no coverage. The question organizations must ask themselves – factoring in their time and resources – is how much risk is prudent to accept, noted Bieson.
Len Watson, senior vice-president at IT services firm CGI Group Inc. in Toronto, said there’s always a level of risk when dealing with computer networks and data, making it hard to determine what could happen. Organizations need to be aware of that, Watson noted. At CGI, which offers hosting and outsourcing of specific IT services, the data centres are geographically dispersed. Watson recommends organizations follow a similar practice to prevent a total loss of data in the event of a cyber catastrophe.
In the end, the primary tools used to effectively manage cyber-risk include a combination of insurance, prevention and recovery. According to Bieson, the key is to use all three as part of an organization’s fiscal and strategic plans.
“All three have limitations; however, once combined, they provide a fundamental safety net to offset the risks inherent in the business environment…. The resources expended on sound risk-management practices can translate into a strategic return on investment, particularly in the area of intangible losses such as shareholder confidence, customer satisfaction and market share.”