How the Cloud is Transforming Cyber Liability by Jacquelyn Connelly

24/01/2015 17:03

According to a recent survey conducted by Hanover Research and sponsored by ISO, 40% of companies don’t think they need cyber coverage and 29% believe they’re already covered under existing policies.

They’re wrong.

“We spent the last year hearing about giant corporations being hacked into—Target, JP Morgan, Chase,” says economist Bob Hartwig, president of the Insurance Information Institute. “But as you get down to Main Street businesses, the reality is everyone has cyber exposure. Increasingly small risks and medium-sized businesses are looking for some type of protection.”

And as consumer interconnectivity continues to rise—Shawn Dougherty, assistant vice president of specialty commercial lines at ISO, says 30-40 billion wireless devices will be in use by 2020—cyber liability insurance must address new concerns.

“As all these devices start talking to each other more and more, what type of data is being collected?” Dougherty asks. “What’s happening with that data? As companies collect more and more data, what are they doing with that data? Is there a need for them to keep that data, whether it’s PII or PHI?”

In particular, the cloud will continue to redefine the IT landscape. Offering significant benefits to businesses including reduced technology infrastructure costs, speed, scalability and enhanced security and backup capacity, it’s opening the door for new opportunities—and new risks to manage.

“Companies no longer have to require significant amounts of hardware and software—they can just outsource it, with cloud acting as a utility,” says Matt Prevost, vice president with professional risk for ACE USA. “That changes the dynamic of how much computing power they need, and it’s scalable so they can be extremely agile and extremely mobile.”

But according to a recent whitepaper from ACE Group, “Cloud Computing: Is Your Organization Weighing Both Benefits and Risks?”, today’s risk managers must fully understand the different delivery models of private and public cloud services and how the different deployment methods and uses can impact an organization’s risk. As companies increasingly outsource cloud services to third-party vendors, they face increased cyber exposures when operating business through the cloud, including unfavorable terms in cloud contracts, loss of control of data and compromised data security.

“A lot of what we see from a claims perspective arises out of third-party mistakes, so vendors that may not have secure passwords or the contract that a company is engaging with isn’t as strong and they don’t have the strongest sense of controls,” Prevost explains—and that makes due diligence when hiring cloud providers essential.

“Let’s say when these breach events happen it’s data that is stored on the cloud,” Prevost says. “What provisions of the contract enable you to access or not access the cloud’s security measures or the forensics associated with the cloud provider? Understanding that your contract may or may not prevent that is important.”

An adequate risk management plan must incorporate a culture of privacy, first migrating low-risk data, identifying shared security responsibilities with the provider and assessing potential security risks.

“Every employee has some sense of data security. I think we oftentimes forget that we see, we interact and we use data constantly, and it’s not necessarily one position that’s responsible for it,” Prevost points out. “So it’s not just the CIO or a CISO or a risk manager or legal or the board—it’s really making sure everyone in the organization accepts that and implements training and really ensures that each segment of the company understands just a high level of how technology interacts with that different division.”

An increasing number of packages from an increasing number of insurers provide everything from front-end protections “to make sure that the systems are at least resilient to attacks,” to back-end forensics, “meaning getting to the bottom of what happened and remedying it,” and everything in between, Hartwig says. “The insurance piece of it can cover costs from individuals who have had confidential information stolen or lawsuits waged against the company and even various types of business interruption loss.”

It’s understanding risks like these—and communicating them to commercial clients—that eases the process of convincing smaller businesses they need cyber liability coverage. “Agent education is critical,” Dougherty says. “They need to become aware of what the exposures are for cyber, what coverage options are out there, so when they meet with their customer they can talk intelligently and demonstrate they do have the exposure and why they should buy coverage.”

Jacquelyn Connelly is IA senior editor.

See more at: