Be wary of hosting data in the cloudReprints
Utilizing a cloud platform can give an organization access to a host of enhanced security features, but it also comes with its own set of security risks.
Companies should therefore evaluate and measure their needs carefully before deciding to use the cloud, experts say. “A move to the cloud is not without its own risk considerations,” said Scott Corzine, senior managing director with Ankura Consulting Group L.L.C. in New York.
“For some companies, it can absolutely be a real advantage in moving to the cloud because they get the benefits of a significantly expanded set of security resources and capabilities beyond what they reasonably could afford to create themselves,” said Thomas Reagan, cyber practice leader for Marsh L.L.C. in New York.
“There’s no question that insurance companies that are smart about this space are asking questions about their prospective clients’ cyber security habits, and I think the general notion is that if you go with a reliable cloud firm, cloud platform security is typically better than the average policyholder’s security,” said Josh Gold, a partner with Anderson Kill P.C. in New York.
Cloud platforms bring expertise and critical mass to clients, experts say.
“The large cloud providers are sophisticated companies,” Mr. Corzine said. “They have a footprint and environment that has servers everywhere, so there is plenty of failover, plenty of mirroring and plenty of disaster recovery capabilities built into the system that a typical company probably can’t afford,” Mr. Corzine said.
Cloud providers can also help enterprises quantify their exposures.
“Cloud-based business and organizations have a more secure operating stance by virtue of a shared security responsibility model with Microsoft as well as access to powerful tools to measure risk and remediate it often with precise guidance and automated means,” said a Microsoft Inc. spokeswoman in an email.
“Those respondents using the cloud were more than 50% more likely to have used a quantitative method to evaluate their cyber risk than non-cloud users,” Mr. Reagan said.
In the Marsh-Microsoft Global Cyber Risk Perception Survey, 68% of 1,312 respondents said they use the cloud.
Cloud platforms can also offer a more integrated approach to cyber defense.
“One of the biggest challenges for network defenders of on-premises assets is that their tools to protect, detect and respond are not integrated,” the spokeswoman for Microsoft said via email. “As a result, protections are not applied holistically and the detection to recovery window, also known as attacker dwell time, is far too wide.”
Potential cloud clients should be well aware of any variables associated with enlisting a cloud platform.
Utilizing a cloud platform may require a broader coverage, Mr. Reagan said.
A policyholder should also pay strict attention to any service agreement entered into with a cloud provider, sources said.
“A policyholder should make sure to have some form of contractual protection with a cloud services provider for issues such as notification in the event of any incident on the third-party platform and not just one affecting the policyholder,” said Mr. Gold.
A policyholder will also want to have some sort of cooperation agreement with a cloud services provider to make information available to investigators and regulators, Mr. Gold said.
“If I am a policyholder and I’m using the cloud, especially for any type of sensitive information, I will definitely want to have some sort of contractual leverage to pull information in the event of any cyber intrusion,” Mr. Gold said.
Policy forms are another potential issue for policyholders.
There are more than 70 primary cyber policy forms in the market, according to Mr. Gold. “Some will cover you automatically for a hack or security incident that takes place on a third-party platform like a cloud platform. Some, however, will not.”
There may also be the question of risk concentrations on any one cloud provider.
“Aggregation management is certainly something about which the carriers talk to us on a regular basis,” Mr. Reagan said.
Underwriters could play a key role in helping manage aggregation and concentration issues, according to Mr. Gold.
“From a general assumption that that is true; I think you would see underwriters somewhat comforted by using a reliable cloud computing firm. But smart underwriting will also ask about how data is being handled and which information is being put on the cloud,” Mr. Gold said.
“One of the things underwriters may consider is, as a condition of coverage, to ask a potential insured to consider using or diversifying to more than one cloud provider to balance risk,” Mr. Corzine said. “I think the insurers may have the power to drive this more than anyone else, given their risk-concentration stake in the outcome.”