This is part of a series of interviews with Asigra Partners. In this post we’re talking with Mark Saville, Director at Data2Vault who discusses why companies would need an insurance policy for critical data, the risks associated with only having cyber insurance and the best way to reduce the risks associated with residual loss.
VM: What is Data Insurance (DI)?
MS: DI is a policy issued by underwriters and brokers to protect against the residual risk of permanently losing critical data. It allows you to protect your organisations most critical, unique business assets and offers full financial protection in the case of data loss. We are a unique solution because we are currently the only solution that compensates for data loss as well as the value of our payouts are higher. Think of it like this: data insurance is like fire insurance. You try to avoid the risk as much as possible, but you’ll still need insurance in case the building were to burn down. It’s the same thing in the world of IT… the best practice is that an organisation would have firewalls, antivirus, backup and replication in place, but there is still a residual risk that you may still lose your critical data, and for that reason, this is why you have a data insurance policy.
VM: Why is an Asigra Service Provider involved in Data Insurance?
MS: As an Asigra Service Provider, we have built an Insured Data Environment, which has been certified to give our clients the extra protection they need for peace of mind. It also provides the underwriter with a proven method to recover the clients’ critical data and therefore reduce the likelihood to have to make a significant payout.
VM: If a client has Cyber Insurance, why will they still need Data Insurance?
MS: Cyber Insurance is a valuable policy, but it only protects personal identifiable data and personal sensitive information against copy theft or loss of data through a cyber-threat. If there is no cyber-attack there is no basis for a claim. Data Insurance, on the other hand protects against the permanent loss of critical data. As an example, a pharmaceutical or a food/beverage company may have a loss of formula or patents, which contains no personally identifiable data, and could only be covered by data insurance.
VM: All my data is critical, how do I determine what should be insured vs. what shouldn’t?
MS: That’s really up to the client to determine what is critical vs. what is not. If any of our clients need further clarity to assess what should be covered, we have risk analysts and data classification consultants who will help with the identification and valuation of data if the customer needs assistance. Once the client defines what should be insured, together, with the underwriters Allianz, a fair value will be agreed.
VM: We have seen from the CRA case study that companies operating in high hazard industries (i.e. Nuclear Energy, Rail, Oil, Gas as well as Airlines) should seriously consider insuring their data. Why?
MS: In high hazard industries there is already an appreciation of residual risk, and the cost associated with minimising residual risk to an acceptable level. As these industries increasingly become more digital, the principles of safeguarding against residual risk of data loss becomes equally important. Organisations in high hazard industries are also conscious that the loss of critical data could have extremely negative ramifications on the business (i.e. shutting down after a data loss) and therefore discussing data insurance to residual risk with business executives is a language they understand.
VM: How does Data Insurance reduce the residual risk of data loss?
MS: Even if every possible step to prevent data loss was taken, there would always be a residual risk of data loss. Data Insurance, through an assessment of risk and use of the Insured Data Environment helps reduce the residual risk to an acceptable level and provides both the ability to recover lost data or financial compensation if the data cannot be recovered from the Insured Data Environment.
VM: Why would an organisation need Data Insurance as well as a backup and recovery solution in place?
MS: A commercially licensed and supported Backup and Recovery solution or service is a pre-condition of Data Insurance as it demonstrates the organisation follows good practices in safeguarding their data. With a conventional backup and recovery solution there is no 100 per cent guarantee that any lost critical data can be recovered. Data Insurance covers that residual risk of data loss.
VM: Why is it a pre-requisite that an organisation has a backup and recovery solution prior to obtaining data insurance?
MS: Data Insurance does not replace Backup and Recovery solutions, it augments existing protection. Like many other insurance policies, the client has a small number of pre-requisites to qualify for Data Insurance. A Backup and Recovery solution is a best business practice and the client must also identify and value their critical data which will then be placed into the Insured Data Environment, at this point a Data Insurance policy will be issued.
Interested in learning more about Data Insurance and how to minimise residual risk? Data2Vault is running a series of free seminars throughout March and April across the UK to educate organisations of all sizes on how to protect their business critical assets.
Click on the button below to register and select the venue that suits you best.