A New Definition of Catastrophic Risk – 2020 Technology Risk Study
Over the past several years, catastrophic risk from extreme weather, driven by climate change, has drawn much attention from activists, the media, governments, and an increasing number of business leaders. Less attention has been paid to another potentially catastrophic risk: the failure of technology to perform. In a global, digitally interconnected economy, such a failure can have devastating consequences.
Were technology and digital infrastructure to fail catastrophically — either through intentional attacks or errors — global commerce could grind to a halt. Data would be lost, or rendered inaccessible. Systems would fail to communicate. Critical infrastructure such as power plants, hospitals, and airports could be shut down. In every sense, massive technology failure could be catastrophic.
When technology fails even on a lesser scale, it potentially creates a range of first-party exposures for technology companies alongside numerous liability risks for companies that use technology. These exposures go beyond data breach and technology errors and omissions. They could include bodily injury and property damage if, for example, a tech failure led to an autonomous vehicle crash or an industrial accident.
Marsh’s 2020 Technology Industry Risk Study explores a new definition of catastrophic risks: The greatest catastrophic risks for technology companies and technology-enabled businesses are not natural disasters. They are technology and data infrastructure failures.
For risks leaders at technology companies, the impact of technology catastrophes is already known. In a survey of more than 150 global risk leaders at technology companies, they ranked technology risks as three of the top four catastrophic risks facing their companies.
This is not surprising considering the increased value of data and intangible assets in the modern economy. In 1975, tangible assets comprised 83% of market capitalization in the S&P 500 and intangible assets represented 17% — a ratio that has since inverted.
Hackers, such as those deploying ransomware to block access to data and key systems, could be more devastating than a natural disaster that destroyed important physical assets. While the physical loss of a headquarters or data center would be expensive, redundant systems typically allow companies to recover quickly. However, without access to their data and digital infrastructure, most companies cannot function.
Understanding and accepting that technology failure could be a catastrophic risk for their company, their customers, and society, is only the first step for technology risk leaders. They also must evaluate and measure their exposures to emerging technology risks. Our survey found that more than 75% of technology survey respondents are holding discussions of catastrophic risk at more than preliminary levels. Such discussions will be most effective if they engage the appropriate range of stakeholders and receive buy-in from senior leadership. Just over 20% of respondents say catastrophic risk is a high priority item for the C-suite, board, and throughout the company.
We recommend that as risk leaders hold these discussions, they should have all the appropriate stakeholders at the table – from legal and operations to sales and finance. These discussions should take a broad look at the exposures and liability risks that stem from a technology failure. Be sure that HR, IT and experts in Environment, Social and Governance (ESG) are weighing in.