Calculating the Value of Essential, Yet Intangible, Data Challenges
The analysis and use of data have transformed industries across the economic spectrum: technology, transportation, lodging, retail, media, and finance, to name a few. The winners in the digital economy will be companies that can best collect data, apply intelligence to analyze that data, and leverage the insights into sales or services. The most valuable asset for a company may no longer be its inventory, buildings or fleet, but its data.
Widespread digital transformation has created new risks for organizations and new challenges for the providers of insurance. The insurance industry was founded on the ability of London investors to determine the value of cargo headed to and from the New World and to underwrite the risk of the loss of that cargo. The value of tobacco in the hold of a ship was a fairly straightforward calculation. Data, on the other hand, is less tangible and its value more difficult to calculate. What is the financial impact of a 20-minute outage of a social media platform? How much does a software bug in the entertainment center of a new car affect sales? What is the cost to a retailer if its customer loyalty database is hacked?
The key to properly insuring and mitigating data risks is to first dig much deeper than headlines on data breaches
Which of these risks can be insured? An insurance policy can allow the insured to recoup the costs incurred to recover lost, damaged or stolen data. It can’t, however, repair the reputational harm and lost business opportunities related to a data outage.
As digital strategies continue to accelerate, a partnership is essential among those who have different responsibilities for managing the related digital risks. Chief Information Officers, Chief Information Security Officers and risk managers must work together to understand the risks associated with data and information systems, to mitigate them and adopt a suitable risk transfer program. It is up to the CIO and the CISO to make sure the right measures are in place to prevent, detect and respond to threats to information systems and data. The risk management department must attend to putting in place the right insurance cover.
Marsh’s 2018 Communications, Media and Technology Risk study identified 10 different risks that could arise from a technology failure or data breach. They included easily calculated risks such as fines and penalties related to a data breach and cyber extortion to more difficult to quantify risks such as losses of intellectual property and data asset loss/damage.
These concerns aren’t just for tech companies. Technology is integrated into nearly all products and services in our lives: restaurants offer online reservations, manufacturing is increasingly reliant on automation and controls managed through the internet of things (IoT), and retailers rely on increasingly on online sales and digital customer engagement. A technology failure can bring down companies in nearly every industry.
The insurance industry has developed insurance solutions that respond to a wide range of losses from a technology failure or cyber-attack. Many, although not all, of these new exposures can be insured today—especially through technology errors and omissions and cyber policies. The most notable exposures that can be covered include:
• Privacy/data breach – readily available and can include preventative risk consulting to help reduce the risk.
• Cyber extortion/ransomware – widely available in most markets and includes services to investigate and evaluate the threat. When included in a broad cyber policy, it can also include remedies for any system damage.
• Data asset loss/damage – typically will cover the costs associated with the recovery, re-creation and repair of lost or damaged data. The risk of loss of revenue associated with the data interruption can be covered by non-physical damage business interruption insurance.
• Non-physical damage, business interruption, extra expense -more policies are now covering the costs associated with these interruptions from the onset of the interruption rather than after a specified period of time.
• Non-physical damage event at a supplier leading to business interruption or extra expense – as these events are more difficult to demonstrate a loss and to insure, many carriers are limiting this coverage to IT vendors.
• Intellectual property infringement – can be covered under media liability policy, but first party coverage typically is not offered and patent protection is generally excluded.
•Regulatory fines and penalties – coverage for fines tied to a privacy breach is generally available where allowed by law.
The key to properly insuring and mitigating data risks is to first dig much deeper than headlines on data breaches. CIOs should understand how data loss and damage can lead to fundamental damage to their company’s business models which are likely uninsurable. First-party Insurance is designed to cover an insured’s own losses. It is not designed to repair intangible damage to the company’s reputation or projected lost future revenue opportunities.
Jumping back to the founding days of insurance – those marine underwriters would reimburse you for the insured value of cargo stolen by pirates, but couldn’t help you if customers no longer used your ships because you had a reputation for getting attacked by pirates. You can insure your cargo. You can’t always directly insure your reputation and future revenue sources.
The costs of repairing damaged data, the fines related to a data breach, and even lost revenue due to system outages can be insured and recouped. However, the aggregate value of customer experience data is far more important, yet its loss is not as readily insurable. The intangible value of the insights gained from such customer data is one of the main reasons you are collecting it.
Consider what might happen if your carefully curated data was destroyed, damaged or breached:
• Customers might lose trust in your business, becoming less likely to use your services and share additional data with you.
• Governments and regulators could impose additional restrictions on what data you can collect and how your business can operate.
• During your recovery process, you might not be able to collect data that would allow you to identify key insights that affect your business, putting you behind your data-savvy competitors.
All of these outcomes would be detrimental to your business, but are not insurable. To understand how and how much to invest in measures to prevent, detect and respond, CIOs and CISOs need to work together with risk managers to understand how cyber and other tech risks can manifest themselves and how these risks can be managed. Risks that cannot be mitigated through insurance are those that can only be addressed with operational security measures in accordance with the risk appetite of the firm.