The ability to outsource a company’s technology infrastructure to a third party via cloud computing may seem like a dream come true—until the cloud arrangement breaks down. In April 2011, many Web sites that used Amazon’s cloud services business for hosting went down when Amazon encountered technical difficulties.
Businesses that rely on cloud computing risk losing revenue or facing extra expenses if the cloud provider experiences problems, says Robert Parisi, network security and privacy practice leader at insurance brokerage Marsh.
“When you put something into the cloud, you’re taking an aspect of your operations or infrastructure and handing it over to a third party,” Parisi says. “If that third party doesn’t deliver or is unavailable or for whatever reason just doesn’t get the job done, as a company you’re becalmed.”
And more companies could find themselves in that situation in coming years. A recent Cisco survey of 1,300 IT executives in 13 countries found that 20% expect to have moved more than half of their applications to the cloud by the end of this year.
One tricky question is the extent to which companies’ insurance covers losses caused by cloud computing problems. Scott Godes, counsel at the law firm of Dickstein Shapiro, calls cyber coverage “the Wild West of insurance.”
“It’s a new marketplace, and new things are coming about,” he says. “The forms vary from carrier to carrier, and vary by year to year for each carrier as they continue to improve the coverage that’s offered.”
Godes notes that it’s rare to see the term “cloud computing” in a cyber policy and advises that companies look carefully at the wording of their policies. “It’s important to pay attention to things like what is the scope of the term ‘network,’” he says. “If that term is written in a way where it could encompass the outsourcing of hosting or support, you have a strong argument that cloud services are covered.”
Companies also should look carefully at their contract with their cloud provider to understand what it will and won’t do for them in case of problems, Godes says. “Understanding that will help you with your risk transfer process, help you decide what is most appropriate.”
Marsh’s Parisi says coverage for cloud computing problems has been limited because cyber policies traditionally dealt with a loss of revenue related to the insured’s computer system. “So while they do take into consideration aspects of a third party’s system that the insured has brought in, they don’t contemplate a full outsourcing,” he says. Moreover, cyber policies usually provide only a small sublimit, perhaps of $100,000, for dependent business interruption, he adds.
In response to that situation, Marsh recently rolled out a CloudProtect endorsement, which will cover a company’s losses or additional expenses resulting from problems experienced by its cloud service provider. CloudProtect also covers the cost to the company of switching to a new provider. And Parisi says Marsh has put together insurers that are willing to provide up to $5 million of coverage for the various primary and excess layers of coverage.
“If the cloud provider fails, there’s going to be a loss of revenue, there’s going to be extra expense,” he says. “You can’t have it continue to be at this $100,000 sublimit. What we’ve done is say look, that’s failing to recognize the way the world works today.”
Of course, many companies don’t purchase cyber coverage at all. A survey released in October 2011 by Advisen and Zurich found just 35% of companies purchased cyber liability insurance.
But Ben Beeson, a partner with Lockton Cos. in London, says demand for cyber insurance is growing, particularly among companies in heavily regulated industries like healthcare and financial services. In large part, that reflects concerns about another risk covered by cyber policies, that of data breaches and privacy, Beeson says.
“A broad cyber policy will cover both the operational side, the contingent business interruption and also the data security and privacy risk, whether it’s a breach on your own network or a cloud provider that you have outsourced to,” he says, adding that big cloud providers tend to assume very little responsibility for indemnifying their customers for such problems.
There have been plenty of examples of data breaches, including the recent LinkedIn incident involving six million of its customers’ passwords.
“Many people now are aware of the risk, and they want to do everything they can to lock it down from an IT perspective,” Beeson says. “Once they’ve done that, they ask ‘What is my residual risk if I have a data breach or violate a privacy law and do I want to get it off my balance sheet?’”