Cloud computing risks generally covered by cyber insurancePosted On: Jan. 12, 2012 6:41 PM CST
Insurance coverage for cloud users generally falls under firms' cyber risk policies, observers say.
That's because cyber policy language generally is broad enough to cover cloud computing, and observers say they do not anticipate the need for separate cloud computing policies.
Cloud providers are “a new twist on the old outsourcing, so it hasn't moved the needle much in the cyber insurance process,” said Tom Srail, Cleveland-based senior vp of FINEX North America at Willis North America.
Insurance coverage is an important issue for cloud computing users because cloud service providers generally accept little if any liability, said Nicholas Economidis, Philadelphia-based underwriter of professional liability and specialty lines at Beazley P.L.C.
“That's something that's traditionally been a tug of war between service providers and anyone seeking to outsource. The vendor wants to accept as little responsibility as possible,” he said.
Providers' limitation of liability is “usually going to be a number that's small relative to the potential damages you may suffer,” said Sandy Codding, Boston-based leader in the U.S. commercial errors and omissions advisory practice of Marsh Inc.'s FINPRO unit.
“From the start we have to protect the insured and their interests,” said Scott Schleicher, Exton, Pa.-based underwriting manager for technology and cyber risk liability with XL Insurance's Select Professional unit. “They're going to be the ones” who must notify those affected by the data beach, who consider them to be the parties that were holding the information.
“Most people don't know their information is being held by some third party,” Mr. Schleicher said.
Scott N. Godes, of counsel at law firm Dickstein Shapiro L.L.P. in Washington, said he has seen few if any policies where cloud computing is specifically named in an insurance policy, but liability policies and even first-party policies typically are written so that the language covers cloud computing.
In addition, there are variations among various insurers' forms and even within multiple forms offered by an individual insurer, said Mr. Godes. “Close attention should be paid to when the term "computer system' or "computer network' is defined, if those are the operative terms of what is covered,” ensure problems related to cloud service providers are covered, he said.
Steven Gilford, a partner with Proskauer Rose L.L.P. in Chicago, said, “There are lots of issues with respect to cyber policies, and what they actually cover and what they actually don't.” These policies “are not necessarily consistent, and they're not common forms, and the forms change from year to year,” he said.
“You need to look at how your insurance matches up against whatever indemnifications and protections you're getting from your service provider,” he said.
In many ways, it is comparable to the traditional supply chain problems, he said. “It's just a more technical, complicated industry,” Mr. Gilford said.
Tim Stapleton, assistant vp and product manager of professional liability at Zurich North America in New York, said that among the questions Zurich underwriters ask are: how often and in what capacity is the potential insured engaged with the cloud provider; what is the nature of the data that may be stored in the cloud; to what extent is the potential insured vetting the cloud provider's security; does the cloud provider actually outsource any data or functions; who is responsible for an incident response in the event of a data breach; and what contractual revisions can be negotiated to protect the insured.
“Ultimately, the insurer wants to know who will be responsible for the economic costs associated with responding to a breach,” Mr. Stapleton said.
However, Gene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security in West Lafayette, Ind., warned, “This is an area where potentially catastrophic losses can occur that really can't be covered from insurance.”
If all of a company's proprietary data, customer lists or financial records disappear, “it really doesn't matter what the insurance coverage is, because they're gone,” he said.
Cyber insurance is “intended to recover from an unexpected event” but not a catastrophe, Mr. Spafford said.