BreachExchange mailing list archives

Cyber insurance mitigates the risk of data breaches in cloud computing


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 19 Aug 2010 12:56:23 -0400

http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-mitigates-the-risk-of-data-breaches-in-cloud-computing?

The manager of a fine hotel would never allow an electrician or
plumber to work without being insured; it's standard fare on service
contracts in the physical world. Not so in cloud computing, where
provider coverage in the form of cyber insurance is far from a given.
This undoubtedly will change as businesses push providers to share the
risks of a data breach or unexpected downtime, experts said.

Such large cloud computing providers as Salesforce.com Inc. do carry
cyber insurance to mitigate the risk of data breaches or unexpected
downtime, but "smaller providers are not carrying insurance and have
no plan to [do so] until the larger customers push back and say,
'You're in our risk profile now,'" said Drew Bartkiewicz, vice
president of technology and new media markets at The Hartford
Financial Services Group, a cyber insurance company based in New York.

For the cloud computing model to work, cloud customers, as well as
cloud providers, need to share the risk, according to Drue Reeves,
director of research for the Burton Group in Midvale, Utah. If a
provider were wholly responsible for the data of hundreds or thousands
of tenants, it simply wouldn't be able to buy enough insurance to
cover the liability. To protect themselves in this risky situation,
cyber insurers generally cap their policies at $10 million or $15
million, forcing providers and large customers to keep shopping,
experts said.

"It's basically the rule, not the exception, that a large technology
provider, which is essentially what cloud companies are, will buy a
primary policy and add layers to create a massive insurance policy,"
said Robert Parisi, senior vice president at Marsh Inc., a cyber
insurance broker and risk adviser in New York, who participated in a
panel of lawyers and insurance brokers at the Burton Group's recent
Catalyst conference in San Diego.

Salesforce.com, for example, carries cyber insurance policies into the
"tens of millions," according to John Moss, deputy chief counsel and
head of commercial practices at the San Francisco-based company. Yet
that amount pales in comparison to the "potential for catastrophic
loss in the billions," he said. Unlike on-premises applications, where
the data resides at the customer's facility, Salesforce.com sits on
data provided by 70,000 customers. "There's a big liability difference
and a big potential exposure difference, both for the vendor and the
customer."

Financing cloud risk

There are lots of reasons why some cloud providers don't buy
insurance. Among them: They think they won't get hit, they spend more
on security technology than the next cloud provider -- and nobody says
they have to. Because most of the cases involving data breaches have
been settled out of court, the legal principles that guide such
measures have yet to be formed, experts said.

Thus, both the provider and customer need to protect themselves
through risk transfer, Reeves said, suggesting insurance might not be
the only way to do it: "Maybe they both have a risk policy, or both
have risk mitigation along with an exit strategy, or they spread the
applications across multiple cloud providers." Actuarial-based means
are a poor way to transfer risk, he said. If the industry is truly
going toward a utility model, "It's better to do it with derivatives
and futures, but those markets don't exist yet."

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
