The technologist's manifesto

Companies are no longer reliant upon tangible assets, as the means of production has shifted to IT departments, write Emily Freeman and Dan Trueman. Therefore, a recovery strategy must be in place to deal with crashes, accidental or otherwise.

The network and IT department is central to almost every company. Strategic data, trade secrets, financial information of employees, and customers' personal and identifiable information are held, processed and stored on accessible servers and mobile portable devices. Personal digital assistants and laptop computers hold sensitive and confidential data, and are often accessed by outsourced suppliers with sensitive network access.

The traditional focus on the physical risks to a business's tangible assets has led to loss prevention or mitigation aimed at minimising damage from natural hazards such as fire, flood, wind and earthquakes. And although it has not been possible to remove these risks altogether, they are largely accepted and understood. However, a substantial section of the world economy no longer relies primarily on physical assets; buildings, equipment and inventory are no longer viewed as the means of production. Therefore, the move from traditional manufacturing-based industry to a service sector-based industry reliant on intangible assets, especially network and operations systems, is going to require significant change both in the philosophy of corporate risk management and in the solutions available to those involved.

The sea change from internally facing legacy systems (a computer system or application used by employees that an organisation is reluctant to replace) to network-based technology over the last 10 years has transformed all operational services and, ultimately, the risks. As production methods and supply chains become ever leaner and more stretched, firms become more vulnerable to any breakdown in their method of delivering their goods or services to the market. Revenue production - whether from physical locations, call centres, or the internet - may require the network to be available on a 24/7 basis.

The identification of direct or first-party network risks (the failure or interruption of a computer network and the corruption, damage and/or deletion of data and programs) is an important part of risk management today. In effect, every business function controlled by the network goes down as a result of a network failure. This also includes a system failure at a business partner or supplier, whose crash ripples through into a loss for its partners and clients.

Definitions of network failure

Network risks are not just traditional mechanical or physical breakdown, although these are important. In order to fully understand the scope of potential loss, definitions must include operational mistakes; inherent design and architecture flaws; human error; crime; and terrorism. It is important to note that both individual perpetrators and organised crime rings have been associated with network and data extortion threats, which can result in direct financial losses, extortion ransoms and expenses.

All of these factors become even more of a danger when they are outside the direct control of the firm, as is increasingly the case when business processes are outsourced.

Whereas restoration of physical assets may take days, weeks or months, network risks are typically measured in hours, and an important part of business continuity planning is to understand the recovery time-frame of the critical applications, both infrastructure and customer-facing.

Network risks are key boardroom issues in certain industries as network availability requirements are extremely high. The motivation for computer crime can range greatly from experimentation, maliciousness or industrial espionage to extortion and terrorism. In 1999, a computer hacker publicly announced his intention to release a report outlining how to break into power company networks and shut down the power grids of utility companies in the US.

This event, coinciding with warnings from one federal government agency that "one person with a computer, a modem, and a telephone line anywhere in the world can potentially ... cause a power outage in an entire region", resulted in heightened industry concern about network security. Security is critical for the utility industry, as it is a critical companion risk to availability and reliability. And it is just as critical for the financial services, retailers, travel, telecommunications and almost every other sector.

The insurance industry is starting to respond to these threats and challenges to a firm's bottom line. For example, there are now products designed especially for companies with time-critical networks which, though they have already invested in best-practice security prevention, risk minimisation and business continuity planning, remain vulnerable to a loss of data or network failure resulting from administrative mistakes, accidental damage or computer attacks.

Under such products, administrative or operational mistakes are defined as aspects of accidental damage or destruction cover, computer attacks are likewise deemed causes of loss, and business continuity cover deals with outsourcing or offshoring exposure as a further cause. Reasonable deductibles are provided both as a monetary amount and as a time-waiting period (in hours), based upon the applicant's controls and business continuity capabilities. Coverage is also provided for special expenses unique to IT networks, including forensic costs, and broad-form terrorism protection by endorsement.

Human mistakes and attacks are major risks to IT networks and electronic information repositories. Unfortunately, technology cannot fully prevent network business interruption and the incurrence of extraordinary expenses; human management and process failures will occur despite the best efforts. Mitigation is essentially a well-designed and tested business continuity plan. Risk transfer through insurance addresses any residual risk, which may be large if the best-laid plans and outsourcing exposures cause a critical failure.

Emily Freeman is executive director of technology risks at Lockton International and Dan Trueman is an underwriter at Kiln Syndicate.
