A recent Business Insurance article addressed the applicability of cyber risk insurance to cloud computing. The article concludes that existing cybersecurity insurance policies are generally written in language broad enough to include cloud services under the category of outsourcing.
Cybersecurity insurance is an important thing to consider, because cloud providers accept little to no liability. Of course, you must always remember the point of insurance. Just as with the physical world—fire, auto, etc.—insurance in no way prevents or even reduces the incidence of misfortune. Catastrophic data loss can’t be undone. Cybersecurity insurance would just provide a financial payment in an attempt to offset the effect of the loss.
One attorney interviewed for the article says that he has seen very few, if any, policies explicitly mentioning cloud security. That makes sense, as compliance regulations don’t directly address it yet either. But that doesn’t mean that the policies do not cover cloud-based operations.
He goes on to say that policies are typically written in such a way that cloud computing is included. It comes down to the specific wording of the policy. “Close attention should be paid to when the term ‘computer system’ or ‘computer network’ is defined,” he says.
If the topic comes up when you are negotiating a new insurance policy, look out. You may be asked about the extent to which you audit the cloud provider’s security. The problem is that cloud providers are quite secretive about their infrastructure and processes. The insurer might be demanding some information that you can’t get.
That leads to what might be a dangerous question: Might they not then require the same thing for any other non-cloud remote hosting or other outsourcing?
If you find this interesting, you might like the discussion of the division of work and the associated difference in visibility in Learning Tree’s cloud security course. Check it out!