BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
As cloud computing extends into more enterprises, businesses are searching for ways to mitigate potential risk. Companies have become adept at examining their providers' business processes and determining how robust they are, but data shows they remain concerned about cloud security and its reliability. Recently, businesses have been taking out cloud insurance to protect themselves from possible losses. Though these insurance policies are emerging, they are hitting roadblocks to full success in the marketplace.
For more than a decade, insurance companies have offered corporations plans to cover various types of IT outages: privacy breaches, lawsuits and lost business opportunities from system downtime. In 2011, the U.S. Securities and Exchange Commission issued a decree asking domestic firms to provide shareholders with disclosures about possible IT exposure as well as steps to remediate any losses.
Five years ago, there were a dozen cyber insurance suppliers; now there are more than 70.
SVP at Willis Group Holdings
The IT policies have been lumped in a bucket dubbed "cyber insurance," but whether they cover cloud failures is unclear.
"Cyber insurance policies were designed for premises-based systems," said Doug Weeden, director of program administration at CyberRiskPartners LLC's CloudInsure. Consequently, some cyber liability policies exclude losses incurred by a third party, such as a cloud provider, but others include clauses that protect the client regardless of where the data is stored. So, businesses need to closely examine their policies to see if cloud coverage is included.
While interest in such policies has grown, it remains largely a work in progress. Most companies do not carry insurance for cloud or other IT breaches, according to a survey by Willis Group Holdings, a global risk advisory, insurance and reinsurance broker. As for cyber insurance protection, the funds sector of companies reported the greatest levels of insurance at 33%, followed by utilities companies at 15% and the banking sector and conglomerates at 14%. Insurance and technology sectors both disclosed the purchase of IT insurance coverage at 11% of companies -- but most companies have no coverage.
However, growing maturity and interest in this market could signal a change for cloud insurance. "Five years ago, there were a dozen cyber insurance suppliers; now there are more than 70," said Tom Srail, senior vice president for the technology practice at Willis. For instance, Chubb Group of Insurance Companies entered the cyber insurance market in August 2013.
The current low penetration rate of cloud-specific insurance and the emerging need may attract more new market entrants such as CloudInsure, which was founded in 2010. In addition, the MSPAlliance, an association of service providers that in 2013 partnered with broker Lockton Affinity LLC to provide cloud insurance. In June, insurance provider Liberty Mutual began offering cloud insurance policies as part of a partnership with CloudInsure.
Who is buying cloud insurance?
Currently, IT insurance is available through underwriters and is typically purchased by a risk manager or a chief financial officer. Consequently, its use has been limited to large enterprises that understand the risk and are willing to pay for expensive policies. Policies start in the five-figure range and can exceed the $1 million mark, depending on the risk factor. In some cases, enterprises have experienced hundreds of millions in losses from data breaches involving millions of records.
Longer term, the market is expected to expand to smaller businesses.
"The insurance industry now has enough history to understand what the risks are, so they are in a better position to price their policies and cover possible liabilities," said Srail. Eventually, insurance could be available as an option from cloud providers and included in service-level agreements.
About the author:
Paul Korzeniowski is a freelance writer who specializes in SaaS computing issues. He has been covering technology issues for more than two decades, is based in Sudbury, Mass., and can be reached at firstname.lastname@example.org.