Monday, July 11, 2011

Cyber-insurance: Limiting liability in the cloud

Cyber-security has become an issue that influences stock value. With the seemingly regular reports of data breaches, companies that have an online presence or make use of cloud computing services are reassessing the manner in which they protect their data.

Photo by Renjith Krishnan
What happens, however, when the security fails? The answer: cyber-insurance. This relatively new form of insurance (offered for approximately five years now) provides coverage for liability resulting from any number of possible scenarios, including misappropriation of data, hacker/virus infiltration, data corruption, etc.

Considering that the damages resulting from a data breach can rise into the millions (or potentially billions), cyber-insurance presents itself as a sober contingency in the event that an entity's security, or the security of its third-party provider, fails.

While businesses that make use of third-party cloud vendors for the storage and/or processing of their data should look into acquiring cyber-insurance, it is common practice in the industry for cloud vendors themselves to hold insurance policies in the event that they are found liable for damages.

Take the case of a law firm using a third-party cloud provider to store valuable information such as case strategy and financial information. The standard rules of professional liability apply: the data owner (in our scenario the law firm) is ultimately responsible for the safety and integrity of the data entrusted to it. This means that if the client is going to sue someone, it will most definitely be the law firm, not the cloud service provider.

What if it is found that, in storing the data, the third-party cloud service provider committed some act of gross negligence by being reckless or careless with the firm's data? In such a case, the cloud service provider is open to liability and would be able to make use of insurance coverage that extends to this sort of situation.

A 2009 estimate placed the cyber-insurance business at $450 million. Some researchers have argued, however, that although the cyber-insurance industry is growing in size, its long-term sustainability is in question. The reasoning behind this claim concerns the trend in online technology of everyone gravitating towards the "big fish": concentration makes it considerably easier for hackers to affect a large number of people with a single attack. An effective attack on Facebook, for example, would have a profound effect due to the sheer amount of personal data in play. Those who make use of smaller competing software solutions will ultimately be safer, even though these smaller firms cannot afford to spend the same amount on security as larger firms.

Insurance companies may see the size of the "big fish" and decide that the risk of taking them on as a client is simply too high, and that the company's potential for growth is insufficient to justify taking on such a high risk.

At Gartner's 2010 Catalyst Conference, Bob Parisi said that the common practice in the cyber-insurance industry is for businesses to purchase a main policy and then layer it with additional coverage from other providers to form a single mega-policy that offers an acceptable level of coverage. This seems to be the current practical response to the theoretical quagmire mentioned above.

At the same conference, Drew Barkowitz pointed out that at some point, any business will see diminishing returns on security expenditures. He explains that if you spend 12% of your capital on security and reach a certain level of protection, spending 36% will not necessarily make you three times more secure. From this perspective, cyber-insurance seems like an almost obvious contingency measure, and one that makes the most financial sense.

The fact of the matter is that we have not yet reached the point where insurance providers are categorically shying away from offering large firms cyber-insurance coverage. Cyber-insurance is still a viable way for businesses to mitigate the risks associated with storing and processing data online.

The industry is still growing and learning about itself and will likely become a lot bigger before it gets any smaller.  

Considering the increase in both the intensity and frequency of data breaches, cyber-insurance may be the only true financial back-up plan available to a business in the event of a massive security failure. It will be interesting to see how this up-and-coming domain of insurance flourishes in the world of high-volume cloud computing, and how cloud computing will in turn be influenced by it.
