A well-tested incident response plan, communications strategy and insurance protection are essential to minimise damage from an IT system outage
Awareness and mitigation of IT system outage risk is on the rise, but even well-executed risk management strategies can come unstuck. One lapse of concentration, technical malfunction or new strain of cyber attack could take a company’s system offline at any given moment. The question is: are you prepared?
In the event of a system outage, the top priority is to get business operations back up and running as quickly as possible to minimise loss of revenue and disruption to customers, partners and stakeholders.
Implementing a watertight incident response plan is essential. The ideal response plan may vary from sector to sector given each industry’s different customer bases, supply chains and regulatory obligations, but one thing is universal: having a plan in place will reduce business interruption costs.
A report by Beaming found 77% of UK businesses suffered a system outage in 2016, at a cost of $7bn. According to a study released by IHS in 2016, IT outages cost North American businesses $700bn in 2015, 78% of which was through loss of productivity during downtime. Time is quite literally money.
Response plans need to be documented, and must include a list of key actions required of management, staff and any external parties that need to be contacted in the event of a system failure, from emergency services to IT vendors, forensic analysts, regulators and PR agencies.
“Roles and responsibilities in the event of an outage should be clearly defined, and more importantly, fully understood. You should be on virtual first-name terms with the organisations to whom you outsource incident response,” says Dean Chapman, risk management executive – cyber risk at Willis Towers Watson (WTW).
Based on a thorough assessment of their risk, redundancies and potential financial exposure, firms should put a recovery time objective in place. Public safety is always a top priority, so if the interruption is likely to affect members of the public in the vicinity, a clear, well-rehearsed incident management procedure should be enacted. If redundant back-up systems are available, they should be ready to go at the push of a button.
“You’re going to need a close relationship with your technology providers,” adds Sarah Stephens, head of cyber, technology and media errors & omissions at JLT. “If you or your cloud provider, for example, have an incident, will you be able to access your data? And will you control communication around the incident, or will they? It’s your brand reputation on the line.
“Companies should think through practicalities like this and establish whether there is a way they can ring-fence a system that would allow authorised individuals to access back-up data from offsite. Things like that can make a big difference in executing the disaster recovery plan,” says Stephens.
But even the best-laid response plans can be rendered useless if not thoroughly stress-tested before an incident occurs. “You’d be surprised every time at how many roadblocks and issues you can iron out by running through your response plan,” adds Stephens.
As Matt Webb, group head of cyber security at Hiscox, puts it: “Your plan is no use sat in a cupboard collecting dust.”
It is also vital that the plan, contact databases and any back-up data required to resume operations are not stored on your primary network. There is little point backing up data every couple of hours, for example, only for it to be inaccessible during an outage. Common sense, but also a common mistake.
Beyond restoring operations, the second major component of any incident response plan is the communications strategy, which has to provide timely, accurate and confident information to affected customers, stakeholders and relevant authorities.
“The response communications plan must be seriously thought through and documented, including a list of key names and contact details,” says Chapman.
In the event of an interruption to business, various parties need to be kept informed, and each has its own set of priorities. Experts recommend having holding statements prepared for various audiences, scenarios and stages of the recovery process, which are ready to be rolled out when appropriate.
The more information a company can log from its system to learn what went wrong and keep the public informed, the better, though firms must strike a balance between keeping the public updated and confusing them with false or irrelevant information.
“I can’t think of a major incident which has caused customer impact where the client has not been criticised for the way they handled it – for failing to have proper security in place, for failing to plan, for not responding quickly enough or saying the wrong things. There is no perfect response,” says Stephens.
“Often the client would like to come out and say what went wrong and how many people have been impacted or what exactly happened, but they simply don’t know. If they rush in and get their assessment wrong, they may face even more criticism than for waiting,” she adds.
Stephens recommends hiring a professional PR team to oversee the communications response.
Improving insurance options
The final backstop to limit financial damage in the event of an outage is insurance. Having historically been heavily focused on data privacy liability coverage, the cyber insurance market has in the past five years begun to offer broader protection against business interruption from non-malicious perils such as system failure, as well as contingent business interruption (CBI) where the data of IT vendors or suppliers is interrupted – primarily as extensions to standard policies.
“Some insurers are still reluctant to write the system failure component of cover because they find it more difficult to underwrite, though others are now happy to do it – particularly London markets, many of whom have been doing it for years,” says Stephens.
According to Paul Bantick, technology, media and business services leader at Beazley, business interruption concerns are driving demand for cyber cover from manufacturing, industrial, energy and various other sectors that haven’t historically bought cyber cover.
“Companies are recognising that if they have a big system outage, it could be a catastrophic event, so they want cover in place with large limits that covers them in the event of any kind of cyber incident,” he says, adding that he expects business interruption to become standard in cyber policies in these sectors.
In response to growing demand, some cyber underwriters have reduced sub-limits on CBI extensions. Beazley, in partnership with Munich Re, has gone as far as developing an all-risk-type cyber policy which covers the full gamut of malicious and non-malicious perils, including CBI.
Meanwhile, brokers have been developing their own wordings in a bid to secure better coverage for their clients. WTW, for example, has drafted a policy wording specifically to help airlines in the event of an outage, and is working on similar initiatives for other sectors. Its CyFly offering, drafted in collaboration with AIG, extends cyber business interruption coverage to various third-party networks including non-technology providers such as global distribution systems, baggage processing, aircraft maintenance, fuelling and catering, and airport security.
It also, for the first time, provides airlines with network business interruption cover at a pre-agreed minimum value per flight cancellation cost, as well as cover for related regulatory fines and passenger compensation.
“Clients were concerned that it would take a very long time to calculate the loss incurred as a result of cancelling flights, and more importantly, to get paid,” explains Jamie Monck-Mason, executive director in WTW’s cyber team.
With airlines facing delays on claim payouts of up to a year – often at values they are unhappy with – WTW gathered information on flight cancellation costs from ash clouds and other physical perils to agree on a fixed insured value per flight with carriers, he explains.
“We’ve also negotiated that once an agreed time retention (waiting period) has expired, airlines will be covered for losses arising from zero hour in the event of an outage,” says Monck-Mason. “We’ve been encouraged by the response we’ve had to this sector-specific approach and are working on similar wordings for other industries.”
Increasingly, he says, clients want cyber cover that reflects their industry’s business model, system dependencies and regulatory environments rather than a one-size-fits-all approach. It is highly likely more sectors will have access to customised cyber wordings in the near future.
No risk can be completely avoided, hence the need for insurance. But by taking the right steps to mitigate risk, buying the best available coverage and implementing an effective response plan, it is possible to limit the damage.
Response plan essentials
• Establish a target recovery time
• Document a response plan outlining key actions and emergency contacts
• Ensure all key individuals understand their roles and responsibilities
• Create an accessible database of contacts who need to be kept informed of the situation
• Ensure alternative providers/back-up systems can be activated at short notice
• Engage professional PR services to oversee communication strategy
• Prepare holding statements for specific scenarios, timelines and audiences
• Ring-fence systems to allow key data to be accessed when offline/offsite
• Ensure the best available insurance cover is in place
• Maintain close relationships with technology and response providers
• Conduct regular stress tests of the plan