Companies should vet IT suppliers' business continuity plans to mitigate IT outage risks, says Marsh

Out-Law News | 19 Sep 2013 | 2:53 pm | 1 min. read

Businesses should have continuity and crisis management plans in place to address the risks presented by IT outages, an insurance broker and risk management company has recommended.  

In a new report entitled 'cyber risks extend beyond data and privacy exposures', seen by, Marsh warned businesses to consider technology and software problems to be a "critical risk" needing to be addressed.

 "Technology outages and software failures resulting in supply chain and operational disruptions can cause significant loss of income, increase operating expenses, and damage an organization’s reputation," Marsh said in its report. "Any business that assumes its technology is impervious to any failure — especially as businesses increasingly rely on technology to conduct business operations — is ignoring a critical risk." 

Marsh said that increasingly cyber risk insurance policies are being sold to businesses to provide them with cover in the event they experience an IT outage, but it warned that, in addition to insurance, businesses should put in place "a well-planned and effective risk management program" featuring "policies and protocols to prevent and mitigate technology risks". 

As part of that risk management program, businesses should determine how critical each of their IT systems is to "ongoing operations" and review whether there are alternatives to those systems or whether "enhanced protection" of those systems is possible. Businesses should also assess how vulnerable their equipment is to "natural hazard events", such as floods, and take steps to address any vulnerability, "such as moving equipment to a higher floor or raising it off the floor". 

Marsh also said businesses should "develop and test business continuity and crisis management plans". The plans should cover cases of IT outages, and set out how the company would communicate internally and externally and contain steps to "protect the company’s reputation". 

It also said businesses should "verify the plans and capabilities" of key IT suppliers.

 Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind, said that businesses may not be diverting sufficient resources into doing such a supplier check. 

"This report coincides with the European Parliament paper from earlier this week that indicated that the level of understanding of how to respond to security incidents and data breaches is worryingly low in some industries," he said. "It goes without saying that it is critical to ensure that businesses have adequate oversight in respect of how seriously business continuity programs are being taken at supplier sites." 

"But in reality, are adequate resources being made available for this purpose? It may be that over-reliance on simple controls, such as suppliers filling out checklists instead of insisting on more accountable means of monitoring, could be a key reason why supply chain failures caused by IT outages remain at the level reported by Marsh," Scanlon added.