The highest profile cyber incidents – such as major data breaches at Sony, Zappos, Global Payments, and Nationwide Insurance, and the disruption to Netflix’s service on Christmas Eve due to problems with Amazon’s cloud service – may dominate the news, but the bigger issue is just how pervasive such problems are.
Every company that uses computing and networking technologies faces a variety of potential cyber liabilities, including:
- repair, restoration, or replacement of data or services;
- notification of affected customers of a data breach;
- provision of credit monitoring, call centers, and legal services to customers whose personal or confidential information has been compromised;
- forensic investigation and remediation of a breach or other incident;
- public relations services and crisis management to protect or repair business reputation;
- claims by third parties for damages they suffered from the incident;
- investigations by regulatory agencies;
- penalties imposed by statutes; and
- lost income arising from a cyber incident.
At the same time that companies are becoming more exposed to these risks, through the use of cloud computing and other technology services, companies are learning that these potentially large cyber liabilities are not covered under their existing policies or that coverage is uncertain or disputed. Thus, the increasing use of cloud computing services presents both opportunities and challenges to insurers.
- As cloud service providers strictly limit their liability to their users, and as such users can no longer rely on a perceived ability to self-insure cyber risks, cloud computing should increase the demand for insurance.
- In addition to the user’s purchase of insurance, providers could potentially negotiate insurance that would provide designated benefits to their customers or allow them to increase their liability limits.
- An insurer may be able to more quickly or effectively assess an independent provider’s systems, as compared to the user’s systems, because providers are likely to be technologically savvy, and they are repeat players and thus may be familiar to an insurance company.
- Cyber liability coverage can reduce the risk of disputes as to whether cyber liabilities would be covered under other policies.
- The insurance transaction can be a complicated one. An insurer needs to assess both the cloud-user’s and cloud-provider’s systems, as well as the nature and value of the data and business to be insured. In addition, cyber liability policies are not uniform, and there is uncertainty as to how certain coverage and exclusion provisions could potentially be applied to various kinds of cyber incidents.
- Cloud computing increases the number of pathways to data as well as the ways in which networks may be disrupted.
- Cloud services shared by multiple users present an accumulation risk, in that a single cyber incident can have widespread effects across multiple companies.
- The increasing use of multiple cloud providers may further complicate the assessment of risk. Redundancies can reduce the risk of disruption but increase the risk of data breaches. Segregating services or data could mitigate the risk or damages associated with a particular cyber incident, but could entail more incidents.
- As cloud service providers and vendors typically limit their liability to low amounts, their incentives to minimize cyber incidents may not be optimal from an insurer’s perspective. And it can be difficult to tell which providers or vendors are more vulnerable than others.
As cyber reporting requirements go into effect and as litigations over cyber liability proceed, the stakes riding on these issues continue to increase. By now, all companies should be incorporating cyber liability and cloud computing issues into their business, insurance, and litigation plans.
On February 11, 2013, I will be moderating a panel on cloud computing, with panelists from Microsoft, Google, and Hewlett-Packard, at the NAMWOLF Regional Meeting in