ORLANDO, Fla. — To properly underwrite cloud risks, underwriters must peel away the mystery that surrounds them, an expert said Monday.
Albert W. Zollar discussed the topic at a session called “Who is Watching? Cyber Security in the Cloud” during the 26th annual Professional Liability Underwriting Society's International Conference in Orlando, Fla.
Mr. Zollar, who retired in 2011 as general manager of IBM Tivoli Software, a unit of Armonk, N.Y.-based IBM Corp., said a critical question for underwriters with regard to cyber security is who is watching that information, a group that can include malicious employees, criminals, nation states and even the U.S. National Security Agency.
The cloud, he said, presents the opportunity to spread fixed costs by sharing expenses and is “economically compelling.” But if that is the case, why isn't everyone in the cloud? “The one-word answer is risk,” Mr. Zollar said.
The cloud environment is less transparent and “more mysterious” than the noncloud environment, and it is not known where data is stored at any given moment, he said. “As underwriters, you need to demystify the cloud” to write high-quality coverage, he said.
Mr. Zollar said his mentor used to tell him, “You get what you design for.” An issue underwriters must be concerned with is whether the cloud system providers designed their service with security in mind, rather than as an afterthought.
He noted that systems can be designed to issue alerts when even the “most trusted employee” is accessing a system in an “unusual way.” An important element is the quality of the system provider's “change management,” which oversees updates to the system.
Mr. Zollar said steps underwriters can take to capitalize on opportunities presented by the cloud include finding a partner with which to work; monitoring the emergence of secure cloud providers; looking at hybrid cloud designs, which include elements of private and public clouds; using the skills of underwriters' own information technology organization; and reading and commenting on the preliminary security framework recently proposed by the National Institute of Standards and Technology.
Business Insurance's digital coverage of the 2013 PLUS International Conference in Orlando, Fla., is sponsored by Ace. To view all the Digital Daily news and related content in its ideal form, use a nonmobile browser to visit www.businessinsurance.com/PLUS2013.