Sayonara North America: Insurance guy got your back when Office 365 doesn't?
Read the small print
Move to the cloud, they said, everything will be better, they said. Security, reliability, scale. We take the work and the worry off your hands. Except nothing is that simple or straightforward – and that includes cloud.
When your IT ran the tin and it crashed, they weren’t running your entire business. If a server flamed out, you’d lose email or the CRM for a few hours. Tops.
Today, though, cloud isn’t just running the email or the CRM – it’s running the phones, Office and HR, too. Consolidation means if your cloud provider’s servers crash, so crashes your business.
Microsoft, Salesforce, Symantec, Google and Amazon have at different times inflicted crippling outages on customers, taking down their entire businesses for hours on end – up to 24 hours at times – in Canada and the US, and in some cases in Europe and the rest of the world. Microsoft and Salesforce, for all their grand promises, are repeat offenders. But Apple made a relatively rare appearance in June: disappearing for nearly eight hours and taking down the App Store, iCloud, Apple TV, Photos and iMovie.
And sure, they all offer X-nines availability with compensation, but in reality that compensation is not just “too little” – it doesn’t begin to cover the inconvenience and loss of productivity and business.
Wouldn’t it be nice if service level agreements extended to cover the full impact on a customer’s business? That’s unlikely to happen in the real world.
Cloud providers are unlikely to take on business-impact liability based on the value of a customer’s data, because it’s a difficult thing to measure and could potentially cost them dearly.
“We have to push back and say we can only take responsibility for what’s in our control and we can only take on a certain amount of risk at this price point,” Ross Woodham, director of legal affairs and privacy officer at cloud and hosting firm Cogeco Peer 1, told The Reg. That leaves insurance as an option, but it’s a complex one.
Cloud providers can manage some risk using technical protections, although contract costs may go up as they do so. Customers can use technical measures to manage some of the risk at their end, too. The gap in the middle is where insurers might come in, Woodham argued, but the customer must foot that bill.
“What the customer is doing and what the risks are associated with that customer’s business is theirs to decide,” he points out.
Insurance companies have provided cyber-risk policies to corporate customers for years, explains Ty Sagalow, CEO of cyber-risk insurance and consulting firm Innovation Insurance Group. A veteran of the cyber-risk insurance business, Sagalow reckons he pretty much invented this category of coverage in 2000, when he was working at AIG e-Business Risk Solutions.
“Back then in the year 2000, it was only AIG and a couple of Lloyd’s syndicates,” he said. “Today, fifteen years later, there are over 80 companies that provide cyber-insurance in a multi-billion-dollar industry.”
The market may be well populated, but the bulk of cyber-risk insurance products don’t target companies that depend on cloud service providers, experts explain.
“Trying to insure for a cloud service provider’s system outage is tricky, because the insurance really should be protecting the insured, not the third party that they rely on,” said Michelle Lopilato, director of cyber and technology solutions at insurance broker Hub International.
Traditional cyber-risk insurance falls under business interruption. This is first-party coverage for any organization that loses business income and incurs expenses thanks to some cyber-disaster. Not any old disaster, though: It generally only covers a disruption to a service you operate yourself, and it typically focuses on intrusions and data breaches.
In short, if you want to insure yourself against having your customer details stolen from your own servers and splattered all over Pastebin, a lot of these companies will help you.
Companies wanting to insure against a third-party cloud service going AWOL will need to look at dependent or contingent business interruption, said Bob Parisi, managing director at insurance broker and risk management firm Marsh’s financial and professional liability practice.
“That’s where you’re fine, but your cloud vendor isn’t there when you need them and that means you’re not able to function,” he said.
These policies are typically not off-the-shelf, said Parisi. “It’s often a special request, where you have to work with the carrier to get the appropriate information from the client.”
Contingent business interruption policies may help companies to insure against data loss at the provider level, too, according to Lopilato.
“The likelihood of them having some kind of cyber attack at the [cloud service provider] level is likely because that’s where all the data is,” she says. Insuring yourself against a cloud provider disappearing your virtual machines thanks to a system outage leaves you with fewer options.
There can be challenges in negotiating system outage contracts, because they’re difficult for underwriters to grapple with. Valuing the loss from a potential data breach may be hard enough, but doing the same thing for an outage is harder still, said Parisi. There are more things to go wrong. Then, customers are asking insurance firms to extend that even further, insuring not just the customer’s systems, but some other company’s. If they get it wrong, the financial blowback could be painful.
“Not all carriers will offer the system outages or the system failures or administrative failures,” said Lopilato. “The ones that do, where we see that the client is vulnerable to that kind of loss, we want to get them as much coverage as possible.”
Those conversations get difficult, and often focus on how well the customer is protecting themselves with their own disaster recovery and business continuity plans. Insurance carriers may ask you to specify which vendors you’re using so that they can evaluate them individually, warned Parisi, adding that this becomes a secondary underwriting exercise. The alternative is to get blanket coverage for every technology service provider you deal with, but you’d better have a mature vendor management process, warned Parisi.
“If they’re comfortable with the fact that you’re truly managing your interaction with these vendors in terms of who you let in, redundancies and all this kind of stuff, then you might be able to get it as a blanket for all the vendors,” he said.
So, be prepared for lots of paperwork. Most of Parisi’s clients wanting this kind of coverage tend to be larger and more sophisticated. “If you’re a startup, you typically don’t have enough clout to get anything other than off-the-shelf products,” warned Sagalow.
A startup with a high-risk third-party cyber insurance requirement that requires negotiation and customisation may not be considered worth an insurance carrier’s time. In some cases, startups will hire an insurance consultant to get insurance carriers to the table, Sagalow added. The problem is that many of these companies may not be sophisticated enough to have those conversations.
Where does that leave companies without that negotiating power that rely on cloud service providers for their operation? If a cloud outage would severely impede your business, then it might be best to adopt some technical measures such as multi-cloud failover or a Netflix-like ability to bend, rather than break, when a storm takes out part of your cloud provider’s infrastructure.
Alternatively, you could always just try to sue them if they send you out of business, and hope that they have their own liability insurance to cover it.
Feeling lucky? ®