Viewpoint: IT Asset Disposition Is Growing Cyber Security Threat for All Organizations

September 19, 2023 by

Cyber risk headlines are dominated by rising ransomware activity and soaring global data breach costs. The increased ransomware activity, driven largely by threat actor financial motives, has indiscriminately affected all industry segments – from large corporate clients to small to midsize enterprises alike.

As a consequence, the cyber insurance market has witnessed notable changes. Both from a direct and reinsurer viewpoint, we have experienced pared-back coverage, increased pricing per million dollars of cover and limited capacity. While these developments top headlines, it is not the sole exposure point for corporations. A less discussed, but also perilous exposure is the growing IT asset disposition (ITAD) and secure shipping industry, and the associated data breach risks.

All organizations with IT hardware and end-of-life electronic equipment present a data breach risk resulting from incorrectly wiped, disposed of, or resold electronics equipment, which often contain private and/or confidential information.

ITAD and secure shipping refers to the industry around repurposing, recycling, reusing, or disposing of obsolete physical IT assets. Take the example of decommissioning a data center, where ITAD and secure shipper vendors in partnership with clients handle the logistics around decommissioning IT assets, from the secure wiping and removal to the potential reuse, resell, or disposal of equipment.

The global market for ITAD is estimated by multiple sources to be around US$16 billion at year-end 2022. Projections suggest that this industry is set to nearly double by 2030, with estimates ranging from US$30 billion to US$32 billion. Also quantifiable is the expected tonnage, most recently estimated at 53.6 million metric tons at year 2019, expected to grow to 74 million metric tons by 2030.

But why, and how is this relevant to cyber security? The sector’s growth can be credited to three main drivers:

These factors have further fueled an already booming industry, and in their wake leave an ever-growing risk of an unintentional data breach resulting from wrongfully disposed of or transported IT assets.

Consider traditional systemic cyber risk as we examine the data breach risks associated with ITAD and secure shipping of IT assets. Similar to systemic cyber risk across information and communications technology providers (ICT), all organizations with IT hardware and end-of-life electronic equipment present a data breach risk resulting from incorrectly wiped, disposed of, or resold electronics equipment, which often contain private and/or confidential information. While a large-scale singular event affecting ICT providers is not the primary concern for the insurance market regarding ITAD, a risk that universally impacts all sectors and sizes of businesses must be examined.

In a recent study by Foundry and Iron Mountain, 45% of surveyed IT leaders state they have concerns about managing and tracking IT assets throughout their life cycles, and nearly half of the leaders polled have concerns around sensitive data entering the wrong hands. However, despite these concerns, the results showed that over 40% of the IT leaders did not have a formal ITAD strategy in place.

Expert ITAD and secure shipper vendors recommend companies take certain precautions when handling legacy IT assets:

Well written cyber insurance policies respond to data breaches and associated expenses. From forensic analysis to notification and credit monitoring services, to restoration costs to recreate or copy lost or stolen data. One additional component of cyber insurance policies and of particular concern for disposal of IT assets, is the third-party privacy and security liability section and associated regulatory fines and penalties coverage cyber insurance contains.

With rising data breach costs now at an average of US$4.45 million, representing a 2.3% increase from 2022 (according to IBM), all companies with data exposure residing on their networks must be vigilant.

McGill and Partners recommends IT leaders work closely with central procurement and contracting departments when establishing relationships with ITAD and secure shipper vendors. Where appropriate, companies should contractually require vendors to maintain robust cyber and errors and omissions policies to respond to errors that result in breaches of private and confidential information.

Understanding what party is responsible for data wiping and decommissioning is also key and should be explicit in contract formulation. Furthermore, organizations should partner with risk quantification experts to help measure their data breach risk to ensure appropriate limits are maintained by both the company and vendors utilized for services.

Finally, partnering with a specialty broker to ensure vendor risk is appropriately responded to when confidential information is out of the company’s care, custody, and control, is paramount. For industries such as financial services and healthcare where private and/or confidential information is analogous to business, consider ITAD and secure shipper specific programs that address legal liability arising out of mishandling of confidential data supplied to vendors.

The cyber security landscape continues to evolve at unprecedented rates, and companies often look only at the horizon for new opportunities and pitfalls. IT asset disposition looms in the rearview but can cause significant financial harm when not prepared for appropriately. Ensure best practices and data hygiene principles are followed to avoid a costly event.