Cloud Providers and Cyber Insurance
A data breach claim for a cloud provider is in reality a Professional Indemnity (PI) claim. In most cases, the cloud provider has no direct liability to the individuals whose data have been breached. However, there may be a claim from companies that use them as their cloud provider for failing in their performance of services (in this case, keeping the company's data secure).
Cloud providers need to make sure that their PI policy will respond to cyber-related claims, because a cloud customer may demand to be compensated for direct and third-party (liability) costs incurred as a result of the breach.
For example, a customer may say it cost them millions of pounds to deal with notifying their customers about the data breach, or that they lost business as a result of the provider's failure.
Keep in mind that even though a cloud provider contract limits liability, it's not clear how successful this contract would be when it's time to pay a claim. If the cloud provider is truly negligent, the court may decide that the liability limits on the contract will not apply.
Insurers and Cyber Policies
Insurers don't worry about A policy for the cloud provider, it's the threat of a single breach impacting multiple customers of the cloud provider.
If an insurer writes 10,000 policies for customers of one cloud provider, and every single one of them makes a claim because of a breach, that's an aggregation problem.
This is a challenging unknown because the exposure is not something insurers can easily map. In property underwriting, for example, insurers can analyse their aggregated exposure to floods by post code. Cyber underwriters are starting to ask more questions about the number and type of cloud providers their clients are using, but the data is largely anecdotal so far.
We fully expect insurers to figure out how to analyse their exposure on cyber policies and the cloud. Eventually, this could lead to limitations on insurance capacity, and insurers may decide that they can only handle a certain number of policies for customers of each cloud provider.
In conclusion, the cloud has provided extreme efficiencies for businesses and in many cases, improvements in security. Cyber threats continue to be a growing issue and add some complexity to the insurance and risk management decisions.
The bottom line is that when storing data in the cloud, your best bet is to ensure the risks are managed just as tightly as if you were storing it on your own systems.
|