The manager of a fine hotel would never allow an electrician or plumber to work without being insured; it's standard fare on service contracts in the physical world. Not so in cloud computing, where provider coverage in the form of cyber insurance
Such large cloud computing providers as Salesforce.com Inc. do carry cyber insurance to mitigate the risk of data breaches or unexpected downtime, but "smaller providers are not carrying insurance and have no plan to [do so] until the larger customers push back and say, 'You're in our risk profile now,'" said Drew Bartkiewicz, vice president of technology and new media markets at The Hartford Financial Services Group, a cyber insurance company based in New York.
For the cloud computing model to work, cloud customers, as well as cloud providers, need to share the risk, according to Drue Reeves, director of research for the Burton Group in Midvale, Utah. If a provider were wholly responsible for the data of hundreds or thousands of tenants, it simply wouldn't be able to buy enough insurance to cover the liability. To protect themselves in this risky situation, cyber insurers generally cap their policies at $10 million or $15 million, forcing providers and large customers to keep shopping, experts said.
"It's basically the rule, not the exception, that a large technology provider, which is essentially what cloud companies are, will buy a primary policy and add layers to create a massive insurance policy," said Robert Parisi, senior vice president at Marsh Inc., a cyber insurance broker and risk adviser in New York, who participated in a panel of lawyers and insurance brokers at the Burton Group's recent Catalyst conference in San Diego.
Salesforce.com, for example, carries cyber insurance policies into the "tens of millions," according to John Moss, deputy chief counsel and head of commercial practices at the San Francisco-based company. Yet that amount pales in comparison to the "potential for catastrophic loss in the billions," he said. Unlike on-premises applications, where the data resides at the customer's facility, Salesforce.com sits on data provided by 70,000 customers. "There's a big liability difference and a big potential exposure difference, both for the vendor and the customer."
Financing cloud risk
There are lots of reasons why some cloud providers don't buy insurance. Among them: They think they won't get hit, they spend more on security technology than the next cloud provider -- and nobody says they have to. Because most of the cases involving data breaches have been settled out of court, the legal principles that guide such measures have yet to be formed, experts said.
Thus, both the provider and customer need to protect themselves through risk transfer, Reeves said, suggesting insurance might not be the only way to do it: "Maybe they both have a risk policy, or both have risk mitigation along with an exit strategy, or they spread the applications across multiple cloud providers." Actuarial-based means are a poor way to transfer risk, he said. If the industry is truly going toward a utility model, "It's better to do it with derivatives and futures, but those markets don't exist yet."
Smaller providers are not carrying insurance and have no plan to do so until the larger customers push back and say, "You're in our risk profile now."
Drew Bartkiewicz, vice president of technology and new media markets, The Hartford Financial Services Group
Traditional industries -- banking, energy, retail and law, for example -- are buying cyber risk insurance at a faster clip than technology providers are because they understand the laws of unintended consequences, Bartkiewicz said. "The economics of failure are quite catastrophic. These are stock-impacting events, not peripheral IT nuisances."
With supply chains becoming "liability chains," cloud providers and large businesses are hedging with $100 million or $500 million in cyber insurance backstops. "That might cost, let's say, $15 million or $20 million," Bartkiewicz said. This will lead to economic discussions, such as "is that money better spent there for shareholder protection, or on $15 or $20 million worth of technology for security?" he added.
The question becomes, "Am I buying insurance for my own negligence or for the negligence of the people I do business with?" said Marsh's Parisi. It's similar to the owner of a building who hires an architect to do some work, and purchases an insurance policy to cover the architect's liability, he said. "We've reached something like that with the cyber and e-commerce insurance. A standard part of a contract is a set of insurance requirements, and often what we will see among providers and customers is a give and take [over who carries what type of insurance]."
When cloud providers head down the rabbit trail
The scope of liability in a worst-case scenario is beyond our expectations, the experts said. With cloud providers layering, or "stacking," insurance policies to give themselves a cyber cushion, analysts worry that enterprises are aggregating risk among a few giant insurers, which will be able to assume only so much risk. "Do we run out of insurance providers? At some point, I think we do," Burton Group's Reeves said. "Will they become too big to fail, another AIG?"
Or what happens when several Fortune 500 companies put their apps on a cloud that fails? "If the [insurance] provider goes down, it could actually hurt the GDP," Reeves said. Or what if a cloud provider goes bankrupt? Usually, the first people to get a crack at money are the creditors, he said. "If that means selling off equipment, there needs to be some sort of escrow fund so that the provider can operate long enough -- say, 30 days -- for the consumers to retrieve their data."
Ultimately, the cloud should enable computing resources to be bought and sold like electricity, with an open market exchange providing an option to buy compute power from someone else when a provider fails, Reeves said.
Let us know what you think about the story; email Laura Smith, Features Writer.