Insurance Risks of Transitioning to the Cloud

As computing services have moved from on-site server rooms to co-host facilities and now to the cloud, business managers and IT professionals evaluate the risks and benefits of IT outsourcing at each step in the process. Generally, they ask themselves two questions:

  1. Will the new structure create more physical security and stability for the system? 
  2.  Is the service provider better equipped to provide virtual security and less downtime than the business can provide internally?

Many businesses have concluded that IT services are not a core competency and have made the decision to outsource some or all of their computing services. However, in this transition, they often fail to consider many of the insurance issues that need to be addressed in the process. Consider this example:

An engineering firm made their transition into the cloud. This move allowed their various teams across the world to access essential software, sensitive designs and confidential correspondences in a secure and reliable structure. However, their cloud service provider suffered a significant outage due to a large fire. The ensuing interruption across the enterprise resulted in hundreds of thousands of dollars of downtime, contractual penalties, and lost opportunities.  When the company turned to their property policy to collect the business income loss, they learned they had neglected to schedule the cloud provider onto their property policy. As a result, they were only able to recover a fraction of the loss under a small “contingent business income” limit which was built into the policy.  The service provider had successfully excluded all consequential damages in their service agreement and the engineering firm was uncovered for the majority of the loss.

The Dilemma of Cloud Computing and Business Interruption

Coverage for the above dilemma, in a co-hosting environment, can be secured by scheduling the co-hosting location onto the firm’s property policy and including business income coverage. However, what happens in a Cloud environment?  Many Cloud providers will refuse to divulge where data is stored for security reasons. They may also require the flexibility to shift computing capacity, from facility to facility, at any given point in time. These strict privacy policies and the ability of the provider to shift computing capacity, help ensure the security and reliability of their service. However, insuring “down time” risk is more complicated.

Understandably, insurance companies wish to underwrite the properties they insure. They want to know about the construction and protection at each site in order to price the risk.  Most insurers will provide a business income, sub-limit for unscheduled “contingent” properties. However, most companies are hesitant to provide more than a couple hundred thousand dollars for these unscheduled locations. If your revenues or operations are contingent upon computing services,  these smaller sub-limits may not be adequate.

Closing Insurance Gaps Caused by Cloud Interruptions

First and foremost, if you can identify a specific location where your information will be housed,  schedule that location onto your property policy. If you are not able to specifically identify the location of where your data is housed, then consult with your broker regarding the risk, and see what steps can be taken to mitigate the risk. For a reputable Cloud provider, some carriers may be willing to increase their contingent limits to $1M or higher. If you are able to negotiate higher limits, understand what perils are or are not covered.

For example:

  • Do earthquakes and floods extend to the “contingent” business income coverage?
  • Does the coverage extend anywhere in the world, or just the United States and Canada?
  • Can you get coverage for loss resulting from a denial of service attack against the provider on the property or a cyber policy?

These are just some of the issues that you may wish to discuss with your broker. If you would like further information on the subject, please contact one of the brokers in our Technology Practice Group.

Share this article:

Return to Blog index