Cloud Service Out? Try Cloud Liability Insurance

by Melvin Greer, Lockheed Martin
Tuesday, July 31, 2012

Several premier cloud computing Service Providers have suffered disruptions in the past year – affecting millions of users. There are cases where a small number of users lose the capabilities of a particular service offering while the remaining users retain full functionality. For example, some Gmail disruptions have affected only a small percentage of the user base. In other cases, outages may take out a number of customer websites that rely on those services. When Amazon Web Services' (AWS) cloud computing infrastructure experienced a brief network outage, it knocked offline popular sites such as Foursquare, Heroku, Quora, Reddit, and Netflix that rely on the underlying AWS functionality. For private cloud-based services, any disruptions at the cloud Service Provider level can be just as traumatic.

The reality is that all cloud ecosystems and enterprise infrastructures will have disruptions to some degree, at some point in time. Cloud users need to assess their vulnerabilities and determine the best course of action to protect their assets.

For starters, cloud users should recognize that the Service Level Agreement (SLA), the formal contract between a Service Provider and a Service Consumer, doesn’t guarantee the level of service to the customer. In addition, SLA compensation is generally limited to a credit against the cost of the service and not the user's cost of the disruption.

The financial risk to the user is that the cost of the service is often a tiny percentage of the cost of the outage. Beyond business interruption, end-user concerns include exposure, compromise or loss of data in motion to the Service Provider, and malicious activities either external or internal to the Service Provider.

Although not a software or system failure, data breaches at companies such as Sony, with its PlayStation 3 network, generally result in temporary unavailability and site downtime while the security situation is resolved. According to a Ponemon Institute LLC study, data breach incidents cost U.S. companies $204 per compromised customer record in 2009, and average total per-incident costs in 2009 were $6.75 million [1]. These figures do not take into consideration the reputational harm done to the organization.

In the United States, 46 states have enacted laws mandating that customers be alerted if their personal information has been exposed. Significant costs to notify those customers, in addition to potential fines and lawsuits, are probable. In the case of a public payment processing company that experienced a data breach resulting in millions of compromised user account credentials, the company took a significant write-off for related intrusion expenses and lost approximately $300 million in shareholder value [2].

Financial losses related directly to the cybercriminals can range widely based on the specific attack and, as a result, can be difficult to estimate. However, due to the complexity of this form of targeted attack, the remediation costs can be significant. The potential damage to the reputation of the organization is harder to quantify.

Traditional general liability insurance policies for business organizations typically focus on tangible property losses or bodily injury to people. Supplemental policies are usually required to cover IT related events.

Cyber insurance (a.k.a. Cyber Liability Insurance or Cyber Risk Insurance) is a broad term for the types of policies that provide coverage for intangible exposures to IT events such as system disruption, business interruption, hacking, malicious and accidental data breach, data theft, lost or corrupted data, data erasure/restoration, privacy / identity theft, cyber-security attacks, or Intellectual Property (IP) infringement. According to Business Insurance magazine, insurance coverage for cloud consumers generally falls under the category of Cyber Risk policies [3].

Despite high-profile 2011 cyber-attacks at Sony, Google, Epsilon, RSA and others, only a third of companies surveyed by the insurance intelligence firm Advisen indicate they have purchased a cyber-insurance policy [4].

Cyber insurance, around since the mid-1990s, needs to evolve and update its policies to address the new generation of cyber threats and new cloud computing design patterns. Although not meant to be an all-inclusive list, some key features of a strong cyber liability policy should include coverage for crisis management, cyber extortion, data loss and system storage, notification, recovery and regulatory action.

The explosive use of networked computer systems, emails, social media, mobile technology and now cloud computing has caused many more insurers to expand their offerings of cyber liability policies. Cloud computing, where organizations have to deal with third-party vendors for services, now raises a host of liability and insurance issues.

Despite some well-publicized Service Provider disruptions, cloud-based services overall have been remarkably reliable – but cloud users must not get complacent and put all their trust in them. It is essential that users perform a deep analysis on the impact and probability of their risks. The rewards of cloud computing can be significant if the associated risks are well-understood and managed.

[1] http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%20Global%20CODB.pdf

[2] http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10339/ps10354/targeted_attacks.pdf

[3] http://www.businessinsurance.com/article/20120115/NEWS07/301159996

[4] http://bits.blogs.nytimes.com/2011/12/23/insurance-against-cyber-attacks-expected-to-boom
