Evelyn Rieger: These things all do indeed cause big losses for companies, but they are blown up a lot by the media. My experience with lots of companies confirms one thing: just as with other kinds of losses, most IT failures have some human cause at their root. Judgement errors, user errors or behavorial errors combined with the tiniest technical problems or organizational weaknesses can quickly trigger a domino effect.
What situations are the most critical for companies from an IT perspective?
Rieger: IT damages are frequently caused by changes to an organization. For example, if two IT systems are integrated following a merger, new processes are introduced or updates are loaded. But a change of a vendor or the reorganization of internal roles also can have negative consequences.
These kinds of changes disrupt familiar processes – and then suddenly problems pop up. Resources might be missing, responsibilities and tasks are poorly defined or it's not clear who's in charge when key staff are gone. A lack of communication and disorganized information channels can mean big disturbances in the IT landscape during a change project. The causes are not spectacular, but the losses they cause sometimes are.
Protecting yourself against human error is pretty difficult, isn't it?
Rieger: Certainly. But I don't want to paint a bleak picture. IT management at companies does fine work. Most organizations have detailed business continuity management plans, emergency processes to keep the business up and running. Otherwise we'd be hearing much more frequently about crashes and failures. But the fact remains that it happens, and lots of companies are not insured against these losses.
Why? You yourself offer insurance cover.
Rieger: Yes, at AGCS we have a modular insurance solution that covers our clients' own losses and third-party losses for which the insured is liable. Physical damage is not even necessary to trigger cover. It also covers malware attacks, loss of access to systems caused by denial-of-service attacks and failures caused by the installation of new updates.
But lots of companies still lack the awareness for it. Remarkable, since their production chains depend on the reliability of their IT systems. No one questions getting fire insurance for their buildings. We need a fundamental rethinking.
Rethinking?
Rieger: Maybe it's just hard to imagine the losses. Everyone has mental images of a building on fire, but what does a standstill at an IT server look like? IT risks are ultimately very abstract, so they are hard to explain. Also we're in a field that is changing rapidly. Even experts have trouble keeping up with the latest technology as well as monitoring legal changes and social trends.
Is the increase in media visibility making more companies wake up to IT risks?
Rieger: Sure. No company wants to make headlines with an IT failure. Public examples like Sony and Amazon also clearly demonstrate the vulnerability of IT systems and their residual risk. More and more companies are turning to consultants for IT protection and are interested in our experience. The focus is mostly on prevention, which I as an insurer want to encourage. Companies are also still finding it difficult to estimate the cost of a possible outage scenario. That's another thing we can support as part of our risk dialogue.
The Stuxnet worm is considered one of the most dangerous malware programs. How are companies reacting?
Rieger: Lots of companies are considering possible crash scenarios caused by this complex malware because it indicated a paradigm change. Why was Stuxnet developed, who was involved and who funded its development? What kind of infrastructures can be sabotaged by this kind of malware and how does it affect other areas? These are the kinds of questions a lot of companies are trying to answer.
What other trends are you currently monitoring in the IT world?
Rieger: Facebook is becoming a constant companion for many of us and at the same time a massive retail store. Who will be offering things there in the future? Cloud Computing offers a great potential to process data and information efficiently. But how secure is a company's data in the cloud? And does it represent new risk accumulations for insurers? The digital environment presents companies with a unique opportunity. We can't let ourselves be swayed by the fear of new risks - whether as an insurer or as a normal consumer.
