Cloud computing is generally understood to mean the provision of applications and services offered over the Internet. These services are offered from data centers all over the world, which collectively are referred to as the “cloud.” This metaphor represents the intangible, yet universal nature of the Internet (thanks to TechTerms for this definition). Cloud services include the hosting of data on the provider’s servers.
As many cyber commentators are noting, this movement of data from the insured to the cloud service provider is a material change in the exposure to loss; data are now held (and we hope protected) by a third party. Data in the hands of third-party service providers isn’t actually a new concept, but hosting the data on a large-scale basis is new(er).
Does this increase the risk of data breach? Decrease it? What are the implications for insureds, cyber insurers, and reinsurers?
Increased risk to insureds and their insurers:
- The data are out of your control; you are vulnerable to the data protection standards and execution of another party. Will their standards be as strong as yours? Executed as well as yours? If the standards and execution change, will you be informed? If so, what if the changes aren’t to your liking? What are your options? It may not be as simple as changing providers.
- Not only is another company now holding your data, but the fact that the data are now concentrated in a more public (cyber) location may make them more of a target. Hackers may not know that your data exist, but they may target the holder of your data for reasons beyond you (maybe the service provider has angered the activist hacker community, or another one of their clients becomes a target, and your data get caught up in the attack).
- What happens to your data if the service provider goes out of business?
I acknowledge that there can be contractual protections against these types of problems, but are they foolproof? I doubt it.
- For insurers, the concentration of risk should be a worry; there is little reinsurance purchased for cyber policies, and insurers should be very concerned about a single breach that affects numerous insureds now that they are in the cloud. Accumulation risk has always been a concern; it seems as though the cloud makes that risk exponentially greater.
Decrease in risk to insureds and insurers:
- Cloud computing is often described by commentators as a one-way change in risk, but we aren’t so sure. Many cloud users are smaller organizations, including many start-ups. These users may not have the resources, insight, and patience to construct and maintain strong security measures. For them, maybe the cloud is actually a safer environment.
- If an organization uses the cloud, and the vendor(s) have strong data protections that are known to underwriters, maybe it will make the job of underwriting easier and more successful? Sometimes protecting a single point of risk can be more effective than protecting many points.
Implications for reinsurers:
- We spoke above about accumulation risk; this worry should extend to reinsurers to the extent cyber is being reinsured – but it also presents an opportunity for creative reinsurance products to protect primary insurers from a single breach/many insureds loss.
So, I think that the increased use of cloud computing brings increased risk, but also increased opportunity, for insurers and reinsurers. Cloud risk can be managed, data protection investments can be spread over more data, and active defense (see my earlier post “I am growing increasingly worried…”) may be available to beat back the bad guys.
And finally – might cyber risk insurance distribution be changed from data holders buying insurance individually to it being provided by the cloud service provider?
What do you think?