When Your Cyber Insurance Coverage is Denied

October 1, 2019

…While You Thought Your Data and Storage Were Safe in a Managed Service

Hacked and stolen data, cyber ransom, and reputation risk are a clear and present reality.

Cyber insurance is not optional; it is virtually mandated for most.

After all, you bought cyber insurance because of the risk and the necessity, and to protect your organization, customers, policyholders, stakeholders, and the interests of regulators, bankers, and auditors.

… so you get hacked. Finances, reputation, market position, taking care of business, and careers are on the line.

Just about the first call is to your insurance broker or the insurance company that issued the cyber insurance policy to you.

Except you come to find that the insurer denies the claim, or even rescinds the entire cyber insurance coverage and policy (and don’t lose sight of how the following scenario maps to D&O, E&O, and other covers).

Here’s the problem.

You have a third party managing your data and your storage, and likely providing services to detect intrusion, hacking, and malware at the earliest possible time. The contractual service is part of your operation, and part of the operation the insurer inquired about and underwrote in order to issue you the requisite cyber insurance coverage. The services agreement has been “there” for several years and just came up for renewal.

However, the actual data and storage services you are receiving, even if they continue while you negotiate the renewal terms and conditions (or even look for another service provider), can in fact cease overnight. The data and storage provider might simply move key resources to the next, more lucrative account as it loses confidence in renewal at the right price. In short, the lapse of the data and storage services contract presents a significant risk accelerant to the insurer, and a change in the insurer's confidence (and policy provision) for risk management in accordance with the cyber insurance policy.

Your data and storage services contract has simply termed out.

No thought was given to why it is critical to exercise an auto-renewal clause.

Or to memorialize that the data and storage services will continue through an agreed-upon grace period. The point is that no one in your organization thought to tie the data and storage services side of the equation to the terms and conditions by which an insurer underwrote your risk. And data and storage service providers, as an industry, are like everyone else: just starting to learn the nuance of cyber risk at today’s scale.

No one realized that the term of the data and storage services agreement ties right back to the essence of the cyber insurance policy; to wit, cyber insurance exists in reliance by the insurer that the insured maintains the continuity of safe, secure, governance-wrapped data and storage. And when that third-party data and storage services agreement expires, the cyber insurance coverage will too.

In fact, in most instances, the internal oversight and management of the data and storage services contract, its renewal process, or the RFP for a new services provider all go on without being managed and tied back to those inside the organization tasked with managing enterprise and cyber risk.

Point in fact, the CIO, the CISO and others on the IT side of the house are frequently not aligned with or tethered to the enterprise risk side, and know little of the cyber policy other than that “it exists”.

The cyber insurer presumes the data and storage services contract is in force; indeed, the D&O insurer, the auditors, regulators, and others are in fact oblivious that the services contract has ended. In fact, and in all likelihood, in insurance parlance you are naked.

Until the hack occurs or “ransom” is screamed out. And everyone knows that this kind of event is accelerating in frequency, cost, and damage.

Look, insurance companies are not in the business of blindly paying out on a claim, especially a cyber-related exposure that is counted in tens of millions, hundreds of millions, or billions of dollars.

What happens? Well, the “claim” will be reviewed and examined; the terms and conditions by which the cyber insurance was underwritten and priced will be explored word for word. All the information provided by your organization and your insurance broker is thoughtfully explored. The insurer's objective is to make sure the data and storage safety and governance presented to the insurer is the same at the time of the event as when underwritten. Why is clear; see the call-out box in this blog.

Yep, it is clear where this is going to go.

After all the reviews are finished, the conclusion will clearly be that pivotal data and storage oversight and governance had changed, had become riskier, and was no longer what the cyber insurance policy contemplates.

The enterprise and cyber risk management intentions are simply no longer compliant in the eyes of the insurer. And as for the insurer's willingness to pay the enormous damages, well, what would you do if you were the insurer?

THE FIVE MAJOR CONTRIBUTING CATASTROPHE SCENARIOS

  • Long-lasting outage at a leading cloud service provider (USD 14.3 billion loss)
  • Large-scale cloud ransomware at a leading cloud services provider (USD 11.5 billion loss)
  • Widespread data loss from a leading operating system provider (USD 23.8 billion loss)
  • Widespread theft from major e-mail service provider (USD 19.1 billion loss)
  • Large-scale data loss from cloud service provider (USD 22.2 billion loss)
  • Cyber crime costs are predicted to hit USD 6 trillion annually by 2021. This followed a record year in 2017 of USD 600 billion.
  • The World Economic Forum’s 2019 cyber crime estimates put economic losses from cyber crime at USD 3 trillion by 2020.

Huge financial, operating, reputation and career risk looms.

All for the sake of overlooking the importance of maintaining the integrity and continuity of the third-party data and storage services contract.

No one took their eye off the ball, necessarily.

Everyone just failed to connect the dots between enterprise and cyber risk and the services that are rendered out of the limelight.

The question is: do you know the status of your critical data and storage services contracts?
