View this article online: https://www.insurancejournal.com/news/national/2013/04/24/289596.htm

The Risks of Insuring the Cloud

Hollywood would have us believe that some smart, awkward computer guy in his 30s living in his mother’s basement is to blame. Surrounded by a dozen computer screens with an IQ of 150, this cyber character enjoys targeting large companies or just simply enjoys the challenge of breaking into secure networks.

The reality is actually a bit scarier. China for instance has recently been linked to stealing information from hundreds of organizations around the world including hacking into American industry giants like DuPont and General Motors. Apple was hacked by the same Chinese hacker’s who targeted Facebook.

A fantastic example of such espionage is the famous “Stuxnet” virus. In an article by the Economist, the virus was described as a cyber missile aimed at Iran. The virus was introduced as a “worm” that allowed an infected memory stick while inserted into a network to install a program to create a backdoor control to the server.

In the case of the “Stuxnet” virus it is assumed to have been developed and introduced to the uranium-enrichment plant at Natanz, Iran, which successfully shut down the centrifuges and has significantly delayed the Iranian nuclear program for several years.

Cyber War

Welcome to the world of cyber security. The U.S. Department of Defense has long known that the next big and very real threat is a cyber one. It is so relevant that the current administration directed the Secretary of Defense and the Commander of U.S. Strategic Command to establish USCYBERCOM.

Currently, the NSA is responsible for securing the government’s classified networks, while DHS now has that responsibility for civilian .gov domains. With the addition of Cyber Command, the authority will be split three ways.

Threats Outpacing Technology

Americans have grown increasingly dependent on technology in their daily lives, but threats have been outpacing our technology. Unfortunately, many have developed a level of hubris and false understanding of the degree of vulnerability.

Most Americans walk around and use smart phones smartly, access wireless networks, use applications to access databases remotely, and control the thermostat at home while on vacation. These are wonderful applications of the technological infrastructure that has developed in a very robust way and allowed people to feel more connected and efficient than ever.

However, there is an uncomfortable gap between those that utilize these technologies (99 percent) and the folks that have a true understanding of what the code or the network infrastructure looks like.

The Cloud: Strengths and Weaknesses

Businesses do not fully understand the workings of the technology they use day in and day out. However, ignorance is bliss and businesses are putting more and more information on the Internet instead of in boxes — it’s leaner and more efficient. Therefore, the need to put protections in place so information doesn’t get into the wrong hands is even greater.

Businesses are reallocating IT operational costs away from hardware and software and human capital to a service platform — the cloud. However, many do not have contracts that require third parties to cover all the costs associated with a data breach.

Software and databases are being managed by a third party on a per user subscription fee. One obvious drawback is that the users’ data are stored on the cloud provider’s servers. As a result, a business inherently relinquishes some of the security measures that may have been in place previously and may be vulnerable to unauthorized access or data breaches.

At the foundation of cloud computing is a shared infrastructure. When a company backs up data off-site, the data can be in multiple locations at one time. Increasing the number of locations where data is being backed up increases the likelihood that it will survive. However, simultaneously the likelihood of a potential breach is also increasing. Additionally, shared infrastructure can increase the likelihood and/or introduction of malware or other computer viruses.

A good robust insurance policy will help with this risk by setting up systems to protect businesses from the various vulnerabilities that hackers use to steal information.

Data Security

The following questions are important for agents to ask their insureds when it comes to Internet security:

  1. If a company is using cloud-based services to perform work and a data breach occurs, who is to blame?
  2. How can a company transfer some of the risk the company is being exposed to?
  3. What about connectivity or uptime? After all, a company cannot guarantee that it will have 100 percent uptime or data protection in the cloud.
  4. If the server goes down, do the business’ operations cease?
  5. In the event of a data breach or simply being unable to access its cloud-based services, will the company be able to restore operations?
  6. Can the company maintain its reputation with its clients?
  7. How will the company stay solvent?

How to Protect Your Clients

Despite the cloud’s long list of drawbacks, it is still the direction that most in business are headed for their data storage needs. The insurance industry learned long ago to transfer risk efficiently for things like property loss, health insurance and liability.

However, “intangible property” like data is often excluded by many insurance policies. Insurers will replace a computer but what about the information that rests on hard drive and servers?

Agents should look at protecting their insured’s data, just like an agent helps to properly insure a customer’s building from a fire or flood.

For instance a medical company or a bank releases medical or financial information to a data center to store it, but what happens when a hacker causes a data breach? It has happened with Sony and Apple. Making sure that your clients have a system in place to deal with this type of crisis is critical.

A client’s cyber security insurance policy should do several things:

  1. It should cover notifying clients that their data has been lost;
  2. Give the company the ability to hire a PR company to respond to a crisis by getting the message out to clients about the company’s response to prevent future breaches;
  3. Provide the ability to set up a data center;
  4. Allow the business to react to cyber extortion immediately to avoid the spread of sensitive information; and
  5. Finally, pay monies to clients impacted by the breach.

The cloud is here to stay. Your agency’s commercial clients must be prepared to embrace its strengths and weaknesses.

Overstake is a producer of commercial lines for Van Gilder Insurance Corp. in Denver specializing in cyber liability and the cloud. Phone: 303-831-5117. Email: coverstake@vgic.com. Website: www.vgic.com.