Cloud Computing, it’s as if the term was coined just to keep insurance companies in a fog.
Early in 2010 I was introduced to Michael Abrahamsson. Michael is the CEO of Ilait, a market-leading cloud computing and hosting wholesaler based in Sweden, and a Board Member of Eurocloud. Ilait was looking to expand and deploy their services into the US, and Michael had been referred to me to assist with placing insurance.
Insuring a provider of cloud computing services can be extremely difficult. Just communicating the exposure to insurance company underwriters who may not be familiar with or understand the risk can be very challenging. Cloud computing typically consists of services such as SaaS, utility computing, web services, platform as a service, managed service providers, service commerce platforms, and internet integration. Exposure to loss comes in the form of business interruption/service interruption, data privacy breach/loss, and other financial loss due to the performance of the service/product.
In a 2010 report from the Cloud Security Alliance the most significant threats to cloud computing were highlighted:
- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss/Leakage
- Account, Service & Traffic Hijacking
- Unknown Risk Profile
These are many of the same exposures to risk that most other technology organizations face, but due to the nebulous nature of cloud computing, mitigating loss can be challenging. Communicating how an organization effectively manages this risk is what enables us to offer our clients the most competitive insurance premiums available.
However, organizations providing cloud computing services are not the only ones at risk. In fact, organizations that utilize cloud computing services must understand this risk and should consider contractually transferring it to the service provider and/or to insurance.
It is critical to understand that outsourcing cloud computing services is not the same as outsourcing or transferring risk. Be wary of cloud computing service contracts that include a hold harmless provision within the indemnity agreement that strongly favors the service provider. Furthermore, requiring adequate professional liability/E&O insurance limits can be challenging considering the significant number of other parties that may also be affected.
Finally, if utilizing cloud computing services, be aware that your organization will be held responsible under state and federal laws related to data privacy and for compliance with HIPAA, SOX, PCI and FISMA (for more information on data privacy you can read my article here). An indemnity agreement written or approved by your legal counsel is the first step to a strong risk management strategy, but if you are responsible for PII (Personally Identifiable Information), a comprehensive data privacy insurance policy should be strongly considered. Selecting a cloud computing service provider that has strong security controls and implementing strong contractual risk transfer will be reflected in lower insurance premiums.
Due to the significant amount of data being computed/stored within the cloud, it will always be a target of fraud and abuse. However, the scalability, cost, and efficiency will inevitably lead to greater use. Taking the proper steps to mitigate loss and transfer risk via contract and/or through an insurance policy will reduce risk to an organization’s balance sheet, and will make it much safer to harness the power of the cloud.