The “cloud” has become a ubiquitous part of corporate IT networks. More and more companies use services like AWS, Microsoft Azure, or Google to store and process data, and many have migrated their entire network to a cloud provider. Layered on top of that are all the Software as a Service (SaaS) companies who offer services to companies on a hosted basis. A single company can have dozens of cloud relationships in their corporate network, which can make it less clear who is responsible when something fails. A common question we receive in the area of cyber liability insurance is how the cloud impacts cyber risk.
In many cases, companies can actually improve their security by shifting to the cloud. These large vendors have the resources to invest and make security a top priority, and have visibility to a large number of attack vectors, allowing them to identify threats and respond more quickly.
The challenge of the cloud is that it’s a shared responsibility between the cloud vendor and the cloud customer. Both sides have to be aware of their security responsibilities to prevent a breach, and it may not always be clear who is at fault when there is a security failure.
So, in this blog post, we’ll tackle some common questions and concerns about cyber insurance and the cloud from three different perspectives:
- The cloud customer
- The cloud vendor
- The insurer
Cloud Customers and Cyber Insurance
When it comes to language in the insurance policy, the good news is that insurers now do a fairly good job of recognizing what constitutes the cloud.
Most cyber insurance policies define a “computer system” to include third-party networks that you have contracted with to support your company. So if a breach happens, the policy will respond regardless of where the data was stored when the breach occurred. But, there are still questions about whose responsibility it is.
There are a lot of misconceptions out there around the cloud and liability. Many companies assume that they have transferred their risk when their data is in third-party hands. The reality is that in most cases, companies have outsourced the service but retained the risk. There is very little protection in terms of liability with cloud providers.
The first thing to understand about a cyber breach and the cloud is that the legal obligation rests with the company that initially accepted the data, known as the data owner. One notable exception is companies supporting the health care industry, who are considered “business associates” under HIPAA, and subject to the same obligations for protecting data as the entity with the original patient relationship. But even in that case, the liability doesn’t transfer––it just expands.
Cloud vendors have generally done an excellent job of limiting their liability, sometimes to $0 or an amount equal to one year of fees paid to them. And since the damages are generally limited to direct costs, they would not cover all aspects of a breach, like the cost of responding to regulators or dealing with customer lawsuits.
As Dan Burke discusses in the Cyber Insurance 101 post, a well-crafted cyber insurance policy will cover those third-party liability costs, as well as the direct expenses related to dealing with a breach. So having your own cyber insurance is critical to addressing the totality of exposure to a breach.
Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.
This is something you can and should negotiate with your cloud provider before becoming a customer, and it has become a pretty standard ask, as discussed in this prior post.
Another consideration worth noting: If you rely on a third-party cloud vendor to transact business for you, and a security failure shuts them down, many cyber policies won’t cover the resulting loss of profits and extra expenses.
In recent years cyber insurers had been steadily expanding cyber business interruption coverage to include cloud vendor outages, but are now starting to limit this coverage. If this is a real exposure for you, look specifically for “Contingent Business Interruption” under a cyber policy.
Cloud Vendors and Cyber Insurance
A data breach claim for a cloud vendor is really an errors and omissions (E&O) claim. The cloud vendor usually has no direct liability to the individuals whose data has been breached, but there may be a claim from their customer for failing in their performance of services (in this case, keeping the customers’ data secure). For this reason, E&O and Cyber coverage is generally bundled together in a single policy for technology companies.
Cloud vendors need to make sure that their Cyber/E&O policy will respond to cyber-related claims, because a cloud customer may demand to be made whole for direct and third-party (liability) costs incurred as a result of the breach.
For example, a customer may say it cost them millions of dollars to deal with notifying their customers about the data breach, or that they lost business as a result of the vendor’s failure.
Keep in mind that even though a cloud vendor’s contract limits liability by default, it’s not clear how successful those contracts would hold up when it’s time to pay a claim. If the cloud vendor is truly negligent, the court may decide that liability caps on contracts don’t apply.
In determining total Cyber/E&O limits, a cloud vendor needs to think about the aggregate exposure they have to multiple customers through those contract liability caps.
Cloud Insurers and Cyber Policies
When it comes to cyber insurance and the cloud, it’s not the “one” policy for the cloud vendor that insurers worry about. It’s the threat of a single breach or outage impacting multiple customers for a cloud vendor.
If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer.
This is a challenging unknown because the exposure is not something insurers can easily map. In property underwriting, for example, insurers can analyze their aggregated exposure to perils like earthquakes and floods by tracking risks by zip code. Cyber underwriters are starting to ask more questions about the number and type of cloud vendors their clients are using, but the data is largely anecdotal so far.
In conclusion, the cloud has provided extreme efficiencies for businesses and in many cases, improvements in security. But cyber threats continue to be a growing issue, adding complexity to the insurance and risk management decisions for cloud customers.
The bottom line is that when storing data in the cloud, your best bet is to ensure the risks are managed just as tightly as if you were storing it on your own systems.