January 25, 2011
Early in 2010, I was introduced to Michael Abrahamsson. Michael is the CEO of Ilait, a market-leading cloud computing and hosting wholesaler based in Sweden, and a Board Member of Eurocloud. Ilait was looking into expansion and deployment of their services into the US, and Michael had been referred to me for assistance with placing insurance. Working with Michael and uncovering some of their issues allowed me an opportunity to dive deeply into risk associated with cloud computing and the challenges this exposure could bring.
Insuring cloud computing exposures can be difficult for several reasons, beginning with underwriters who may not be familiar with or understand the nuances of this technological development. Nevertheless, both providers and users of cloud computing are exposed to risks that require careful consideration and appropriate risk management.
Cloud computing providers’ services typically consist of Software as a Service (SaaS), utility computing, web services, platform as a service, managed service providers, service commerce platforms, and internet integration. In a 2010 report from the Cloud Security Alliance, the most significant threats to cloud computing providers were:
These are many of the same exposures to risk shared by most technology organizations, but the nebulous nature of cloud computing makes loss mitigation a challenge. Exposure to loss comes in the form of business interruption/service interruption, data privacy breach/loss, and other financial loss due to the performance of service/product. Insuring a provider of cloud computing services can be extremely difficult. Communicating how an organization effectively manages its risks is what enables Parker Smith & Feek to offer our clients the most competitive premiums available.
In addition to providers, cloud computing users also have substantial exposures to loss. First, it is critical to understand that outsourcing cloud computing services is not the same as outsourcing or transferring risk. Second, service contracts may include a hold harmless provision within the indemnity agreement that strongly favors the service provider. Furthermore, it may be difficult to require adequate professional liability/E&O insurance limits from the provider, given the significant number of parties that may be affected by a provider loss. Finally, a user organization will be held responsible for state and federal laws related to data privacy and for compliance with HIPAA, SOX, PCI and FISMA (for more information on data privacy, you can read my article here).
Given the multiple and significant exposures to loss, it is important that users understand and address those exposures through risk management solutions that may include contractual transfer of risk and/or insurance coverage. An indemnity agreement written or approved by legal counsel is the first step to a strong risk management strategy. If the user is responsible for PII (Personally Identifiable Information), a comprehensive data privacy insurance policy should be seriously considered. Of course, it is also important to select a cloud computing service provider with strong security controls in place. Risk management, including the implementation of strong contractual risk transfer, will help facilitate insurance placement and lower insurance costs for insuring cloud exposures.
Cloud computing is here to stay. The scalability, cost, and efficiency factors will inevitably lead to greater use. Unfortunately, due to the significant amount of data being computed/stored within the cloud, it will always be a target of fraud and abuse. Taking the proper steps to mitigate potential loss – transferring risk contractually and/or through insurance coverage – will not only reduce risk to an organization’s balance sheet; it will also make it much safer to harness the power of the cloud.