PHILADELPHIA—If insureds have yet to consider how to handle risks related to the cloud, chances are they haven’t managed other risks, according to one panelist discussing the topic here at the NetDiligence Cyber Risk & Privacy Liability Forum.
Ann DeVries, managing director with program administrator Safehold Special Risk, said cloud-related questions are sometimes asked in insurance applications. Answers could have an impact on an insurer’s perception of a potential policyholder.
She said the insurance industry is “just starting to learn what questions to ask, and what to do with that information.” DeVries called this aspect of insuring cyber risk another within the overall evolution of understanding. “We’re learning as we go,” she said.
Insurers are trying to track clients’ cloud providers, DeVries reported, but “tracking aggregation is a very difficult thing to do.”
“Clouds outsource to clouds,” she said. “Data is moving all of the time.”
The fear, explained Florence Levy, head of the US Technology & Privacy Practice at Lockton, is that there are only a finite number of cloud providers.
“If 70 percent [of insureds] use [one provider], that can cause a catastrophic loss,” said Levy, who added there is “not enough insurance out there for a cat event.”
She said she sees underwriting cloud risk turning into a D&O-like underwriting exercise. That is to say, the process will become more intimate in order to determine companies’ cloud-risk mitigation plans to and see if companies are practicing the plans.
Insurance providers should help insureds control the risk—assisting in evaluating providers and vetting vendors—rather than limit coverage, added DeVries.
DeVries said outsourcing cloud services can increase and decrease exposure. For instance, smaller firms need to outsource because it is cost effective. The decision can also decrease overall exposure since the cloud provider could have better cybersecurity. However, outsourcing cloud services also means a firm loses control over the data.
“You still can’t outsource compliance and legal obligations,” Levy added. She said companies think outsourcing shifts liability to the vendor, but it does not.
Ira Scharf, chief strategy officer at BitSight, and Vinny Sakore, of cloud security services at ICSA Labs, offered some reassurance. They said cloud providers exist so catastrophic losses don’t happen. Sakore said redundancy with clouds make the chances of a catastrophic loss remote. “It’s not something I lose sleep over at night,” he said.
Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].
