Cyber risk headlines are dominated by rising ransomware activity and soaring global data breach costs. The increased ransomware activity, driven largely by threat actor financial motives, has indiscriminately affected all industry segments — from large corporate clients to small-to-midsize enterprises alike.

As a consequence, the cyber insurance market has witnessed notable changes. Both from a direct and reinsurer viewpoint, we have experienced pared-back coverage, increased pricing per million dollars of cover and limited capacity. While these developments top headlines, it is not the sole exposure point for corporations. A less discussed but also perilous exposure is the growing IT asset disposition (ITAD) and secure shipping industry, and the associated data breach risks.

ITAD and secure shipping refers to the industry around repurposing, recycling, reusing or disposing of obsolete physical IT assets. Take the example of decommissioning a data center, where ITAD and secure shipper vendors in partnership with clients handle the logistics around decommissioning IT assets, from the secure wiping and removal to the potential reuse, resell or disposal of equipment.

The global market for ITAD is estimated by multiple sources to be around $16 billion at year-end 2022. Projections suggest that this industry is set to nearly double by 2030, with estimates ranging from $30 billion to $32 billion. Also quantifiable is the expected tonnage, most recently estimated at 53.6 million metric tons at year 2019, expected to grow to 74 million metric tons by 2030.

But why, and how is this relevant to cybersecurity? The sector’s growth can be credited to three main drivers:

• The ongoing shift toward global digital transformation and increased cloud adoption.
• The constant innovation in computer hardware rendering older equipment obsolete.
• The trends stemming from the pandemic, such as remote work, which have accelerated office closures and decentralized corporate footprints.

These factors have further fueled an already booming industry, and in their wake leave an ever-growing risk of an unintentional data breach resulting from wrongfully disposed of or transported IT assets.

Consider traditional systemic cyber risk as we examine the data breach risks associated with ITAD and secure shipping of IT assets. Similar to systemic cyber risk across information and communications technology providers (ICT), all organizations with IT hardware and end-of-life electronic equipment present a data breach risk resulting from incorrectly wiped, disposed of or resold electronics equipment, which often contain private and/or confidential information. While a large-scale singular event affecting ICT providers is not the primary concern for the insurance market regarding ITAD, a risk that universally impacts all sectors and sizes of businesses must be examined.

In a recent study by Foundry and Iron Mountain, 45 percent of surveyed IT leaders state they have concerns about managing and tracking IT assets throughout their life cycles, and nearly half of the leaders polled have concerns around sensitive data entering the wrong hands. However, despite these concerns, the results showed that over 40 percent of the IT leaders did not have a formal ITAD strategy in place.

Expert ITAD and secure shipper vendors recommend companies take certain precautions when handling legacy IT assets:

• Establish clear policies for ITAD and secure shipping.
• Ensure a well-defined chain of custody for asset management.
• Continuous monitoring and review of the implemented program.
• Maintain a comprehensive inventory of assets.
• Understand where data is located within the equipment.
• Adhere to relevant data privacy regulations.

Well-written cyber insurance policies respond to data breaches and associated expenses. From forensic analysis to notification and credit monitoring services, to restoration costs to recreate or copy lost or stolen data. One additional component of cyber insurance policies, and of particular concern for disposal of IT assets, is the third-party privacy and security liability section and associated regulatory fines and penalties coverage cyber insurance contains.

With rising data breach costs now at an average of $4.45 million, representing a 2.3 percent increase from 2022 (according to IBM), all companies with data exposure residing on their networks must be vigilant.

McGill and Partners recommends IT leaders work closely with central procurement and contracting departments when establishing relationships with ITAD and secure shipper vendors. Where appropriate, companies should contractually require vendors to maintain robust cyber and errors and omissions policies to respond to errors that result in breaches of private and confidential information.

Understanding what party is responsible for data wiping and decommissioning is also key and should be explicit in contract formulation. Furthermore, organizations should partner with risk quantification experts to help measure their data breach risk to ensure appropriate limits are maintained by both the company and vendors utilized for services.

Finally, partnering with a specialty broker to ensure vendor risk is appropriately responded to when confidential information is out of the company’s care, custody and control is paramount. For industries such as financial services and healthcare where private and/or confidential information is analogous to business, consider ITAD and secure shipper specific programs that address legal liability arising out of mishandling of confidential data supplied to vendors.

The cybersecurity landscape continues to evolve at unprecedented rates, and companies often look only at the horizon for new opportunities and pitfalls. IT asset disposition looms in the rearview but can cause significant financial harm when not prepared for appropriately. Ensure best practices and data hygiene principles are followed to avoid a costly event.

*This article was originally published by Insurance Journal, CM’s sister publication