
Innovative risk and insurance solutions shaped around your business Oval Insurance Broking

September 2013

Outsource your IT? IT Security not your Problem? Think again!

Outsourcing your IT neither means that you are devoid of responsibility for your security nor does it mean that you are free from risk. In this bulletin, Richard Hodson, Head of Oval Technology, explains why.

Technology is constantly evolving. We are finding new ways to use applications and the devices they are on to improve our lives personally and in business. This explosion in IT has led to a digital “arms race” between those looking to develop software and those seeking to exploit users for their own nefarious means. Indeed, the consensus amongst IT security experts is that there is more malicious code written than genuine.

Concerns regarding illegal activity on IT systems are headline news and have coined the phrase “cybercrime”. George Osborne said in his last budget that, despite having to make cuts, more money is needed for cyber, which “is a new frontier of defence”. Various figures have been widely touted in articles about the cost of cybercrime, and heads of security services in the UK and across the pond have stated what a threat this is. An entire industry has been spawned by these threats, with IT security companies making a killing and tempting hackers back across from the dark side to become security testers. The insurance industry is also cashing in, with every major provider launching a “cyber liability” policy within the last 12 months.

However, most business owners of small to medium sized enterprises (SMEs) do not consider themselves at risk. For example:

• We are too small for anyone to bother us.
• We don’t store credit card information.
• My IT department takes care of this.

However, one of the most common arguments is:

“Our IT infrastructure is not our responsibility as we use a third party”.

The belief that by outsourcing one of the most critical parts of your business operations you divest yourself of security responsibilities, and that the third party would be liable for any failure, is a fallacy which the Information Commissioner’s Office (ICO) constantly reminds businesses about.

In the digital age, with technology advancing at a daily rate, businesses whose core activities are not IT may not want to spend money on capital infrastructure which depreciates the moment you purchase it and becomes out of date immediately. In addition, there are costs to manage, maintain and secure the systems, so it is understandable why, financially, an organisation would look to a third party supplier to outsource this function. A business can free up costs to focus on its core activities rather than tie up costs in IT infrastructure, and there is immediate scalability, so capacity can quickly be added or removed depending on the demands of the business, especially if it is a seasonal one.

However, if you are thinking about making this step, or have already done so, it is important to understand that there are risks involved. By contracting to a third party supplier you are not outsourcing these risks, and there are residual exposures as if you were operating your own system.

Loss of Control

Outsource providers work on a cost basis because they look after many clients, and there is a chance that you are not going to be their largest or most valuable client. Response time and priority might therefore not be what you could expect if your IT was in house. If your service provider suffers a technical issue, they are going to be responding to a number of clients all at the same time. What are your provider’s disaster recovery plans, and how often do they test them? It might be a good idea to run virtual tests with your provider to test their response, especially around any business critical systems.

By outsourcing your IT functionality you are expanding the boundaries of your business: no longer are your business activities kept within your office locations; they are now under the control of a third party. What do you know about their security, or where the data centres are located? Do they allow your “virtual neighbours” physical access to the site? Is the centre on a flood plain? The phrase that security is only as strong as its weakest link is also true here, and by adding service providers to your business process you are adding more links to this chain, potentially increasing the chance that something might go wrong.

It’s not just the physical security of a provider that needs to concern you but also their financial security. Will the outsource provider still be around in 12 months’ time? Are they able to keep hold of their staff? It might be wise to ask for a copy of the provider’s last reports and accounts for your peace of mind.

Data Protection

The Data Protection Act 1998 (DPA) sets out how personal data must be handled and has eight principles (see http:// guide/the_principles), and it is the Data Controller who is responsible for ensuring that these principles are complied with. The Data Controller is defined as: a person or organisation who makes decisions in regard to personal data, including decisions regarding the purposes for which and the manner in which personal data may be processed.

As a business using client data, this refers to you. So even if your data is being handled by a third party you remain responsible for it, and a breach of any of these principles can result in you being fined up to £500,000 even though the fault may have been caused by your IT provider.

Two key principles are 7 and 8. Principle 7 makes you, not the outsource provider, responsible for appropriate technical and organisational procedures being in place to prevent a loss. Principle 8 stipulates that data can only be stored in countries of the European Economic Area (EEA) or a country that “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”. It is therefore up to you to ensure that data is not being sent outside the EEA.

In addition, if your industry is subject to any form of regulation and audit, does the outsourcer have the correct knowledge of your industry and any particular requirements about security of data? You will have to ensure that any IT provider complies with the standards your industry is expected to meet, otherwise you can be exposed to fines or penalties if they were to fail an audit.

Top tip

If you are contracting to any organisation that will be acting as a Data Processor for you, make sure you have a Data Processing Agreement in place that makes them responsible and liable for complying with the DPA and any industry regulation that you face, and that ensures you are informed of any breaches which might occur.

Contractual Liability

A prudent technology company will have you sign up to their terms and conditions (T’s & C’s) for providing you with a service; this protects them should anything go wrong. It is important that you look carefully at these T’s & C’s and make sure you are aware of the exposures that you are retaining. Some important clauses to look out for:

1) No consequential loss: Whilst your supplier might provide you with service credits, or a partial fee refund, should they not be able to maintain their service to you, their contract could exclude their liability should you suffer a trading loss from not being able to access your systems.
2) Liability under contract: The third party supplier will be looking to limit their exposure to negligence on their behalf to the value of the contract or a very low amount, whichever is lesser. This could limit the recovery you could make against your supplier should they lose your clients’ data and you are the recipient of a fine or legal case around that data. See the claim example below.
3) No responsibility for data: Most data centres will make it clear in their T’s & C’s that they do not accept responsibility for clients’ data outside of their own negligence. If data is lost, destroyed or corrupted, it will therefore be your responsibility and cost to replace it.

Claims Example

A large financial services organisation was using a third party to send personally identifiable information on its clients via a third party supplier. That third party supplier lost the CD with the information on it. As the Data Controller the Financial Services Company was fined £2.5 Million.

Top Tips

Daljitt Barn, Associate Director at the NCC Group, provides the following tips on what you need to look for when considering which third-party data centre or colocation service provider you should do business with:

1. Use a third party provider that owns its own building or occupies the building entirely. A provider that owns or occupies the whole building has total control over the security of the entire premises at the perimeter. There are no other tenants in the premises who might have slacker security measures which could compromise your provider.
2. If this is not possible, it is sensible to request information on the other tenants and what their business activities are. You do not want your provider’s business to be compromised by having neighbours who carry out high risk activities.
3. The same can be said of your virtual neighbours. Ask your provider who you will be sharing rack space with; whilst you might not be a target of attack, your neighbours might be.
4. What is your provider’s physical security? Who has responsibility for this? Do they outsource any of it or rely on the building security? You will be better off using a provider who manages and runs their own security.
5. Ask to see and evaluate the provider’s disaster recovery plan. If they do not have one, or if the one they provide for your review does not meet your standards, consider another provider.
6. Use an independent security consultant to provide you with a Risk Assessment of the provider’s facility.
7. Ask your outsource provider for confirmation of their professional indemnity insurance.
8. Finally and most importantly: your provider probably has fantastic network security and constantly monitors the systems for intrusion, but how good is their physical security? It is no good having a state of the art system when someone can gain access straight to the hardware itself. You need to ensure that the minimum physical security is at least what you would have in place should you be operating your own systems in house.

The benefit of appropriate insurance

Even though there are great benefits in outsourcing your IT function, you should be aware of the risks your business might face as a consequence. As with many risks, some of these can be managed, and the consequences of you suffering a loss can be reduced. Some you might consider to be inconsequential. However, there will always remain a risk to you, and the greater your reliance on IT to perform everyday tasks, the more important it is to look at how to reduce the impact it could have on your balance sheet should you suffer a loss.

As an organisation you are still reliant on having your premises and other physical assets, as well as the staff to man them. But what about your intangible assets, the 1’s and 0’s that work your systems? Your traditional insurance policies will respond to the physical loss or damage you might suffer, and the business interruption element will compensate you for the lost profits as a result or provide a lump sum allowing you to continue trading from alternative premises. However, the key word here is “physical”: there has to be a loss of tangible assets. Your systems, electronic data and software programmes are non-physical and therefore not covered by these policies.

The emergence of new technology and new threats has meant that the risks we face are no longer restricted just to fire and burglary but also include intrusion from beyond our borders. Criminal as well as plain disruptive elements are able to bring down an organisation’s infrastructure without gaining access to its premises, and can often be in a different country. When outsourcing your IT you are also increasing the perimeters of your business. It is important that you look at the risks you face from the use of IT and ensure that your insurance policies are current and responsive to the evolving risks of today.

Would you like to talk? For further information on how to protect your business from the modern threats we face contact your usual Oval Insurance Broking representative or call: 0800 612 6223 or email:

Oval Insurance Broking Limited Registered Office: 9 South Parade, Wakefield, WF1 1LR Registered in England No: 01195184 Authorised and regulated by the Financial Conduct Authority
