We are completely dependent on IT services nowadays. In both the private sector and the public sector. Modern society in its entirety is built up on the basis of functioning IT services, and outages can have major implications. More and more companies and government agencies are realising the risks and starting to take out cyber insurance policies for outages, but as yet many companies are unprotected in the event of an incident. This may result in outages affecting not just the company or agency in question, but consumers and society as well.
Our modern society is built up on the basis of IT services. This includes everything from electricity and water supplies to logistics, transport, payment systems or healthcare. The RISE research project DRISTIG has looked at the implications of outages in IT systems and how to assess these risks and insure against them. The aim of the project is to collate and share information on how the best, most prepared companies are working, and there is a great deal of international interest in this project.
IT services purchased nowadays
Enterprises generally had their own in-house IT departments a few years ago, whereas now many organisations buy their IT services from suppliers, which in turn use subcontractors.
– “Control is now no longer an in-house thing, and the requirements defined in contracts with suppliers, known as SLAs or Service Level Agreements, are incredibly important so as to ensure that the consequences are as minor as possible in the event of an outage,” explains Ulrik Franke, senior researcher at RISE.
Outages may be due to a number of issues, such as the updating of a connected system or a bug in some software. Outages may also be caused by malicious hackers, people attacking systems with the intent to do harm. But regardless of the root cause, outages may have major and costly implications.
– “Revenues could be reduced if an online shop is down, for example. In this case, the amount of time the online shop is down determines the extent of the loss. Costs may also be incurred by having to bring in resources such as lawyers, communicators or IT consultants in the event of an outage. These costs are not dependent on outage duration, but they may be extensive. Data losses or data breaches are a third reason for costs. These costs are difficult to calculate, and even more difficult to predict,” says Ulrik Franke.
Cyber insurance policies provide protection
A couple of years ago, it was relatively unusual for companies to insure against IT system outages. The ones that did were usually major corporations. However, it has become more and more common over the past few years for even small and medium-sized enterprises to take out cyber insurance policies. Länsförsäkringar was the first company to include cyber protection in its standard corporate insurance policies, and the Swedish market has changed entirely in 2019.
– “Unlike home insurance or car insurance, for example, it is difficult for insurance companies to calculate the best ways to manage and spread the accumulation risk. Different industries or geographical regions may be dependent on one another. An outage at a logistics company in Asia can create a major loss of income for online shops in Sweden. No insurer wants to end up with a poor portfolio,” says Ulrik Franke.
Different maturity levels in different industries
Everyone is dependent on IT nowadays. But some industries, such as the world of finance, are more mature than others. Stakeholders in the financial industry have a good appreciation of costs in the event of outages, and their reasoning with regard to what should and should not be insured is mature. Municipal corporations such as companies that deal with electricity and water supplies are also dependent on IT services for their control systems, but in general these are not as mature and need to catch up.
More and more IT systems are interconnected nowadays. Companies work together more extensively. They focus on the things they are good at and outsource other areas. A number of companies are included in the same ecosystem and are dependent on one another – and on one another’s IT services. Modern society requires good SLAs, Service Level Agreements. In the event of incidents, a clearly worded and deliberated agreement can determine who is responsible for the situation.
– “Our research shows that good SLAs can be a success factor in partnerships involving lots of stakeholders providing different components for a new product or service. All potential risks should be considered in advance, and who is responsible for what should be defined. A well worded SLA can provide major competitive advantages in that way,” concludes Ulrik Franke.