By mid-2013 (meaning now), cloud computing will be in use by about 80 percent of about 600 companies with at least 500 employees each, according to a 2012 TNS Infratest survey. The trend is undeniable: Data management and storage are moving offsite to cloud computing vendors on a vast scale.
Touting cloud computing as a way to eliminate the costs of buying and maintaining on-site information-technology assets, vendors offer it in the form of software as a service (SaaS), a distribution model in which software applications are delivered to clients over a web-based network.
Offered in comprehensive, fully integrated form, SaaS can serve the needs of entire companies through huge, web-based platforms. As cloud computing rapidly becomes the delivery channel for software developers of all shapes and sizes to get their products to market, offering applications in a cloud is now the rule, not the exception.
A relatively small number of vendors have the service capacity to offer SaaS to big companies that want company-wide cloud computing. The barriers to entry are formidable; only the best-capitalized vendors need apply. Although market-share statistics are hard to come by, the list of companies large enough to offer cloud computing on this scale is short: Microsoft, Amazon, Google, Salesforce, Rackspace and not many others.
The concentration of data and virtual computing in the hands of relatively few vendors raises an important risk for their clients. If the Internet-based systems of any one vendor are hacked, the result could be security breaches and invasions of privacy across entire industries in which their clients do business, creating liabilities on an almost unthinkable scale.
Can this small cadre of cloud-computing vendors adequately respond to the needs of their clients to quickly fix such a breach, restore services and, most importantly, cut off the damage to these clients’ own customers?
Can the balance sheet of any one of these vendors protect its clients from such losses and liabilities?
Could a company like Microsoft eliminate the risk of a virus being planted by a hacker in its Azure cloud computing product?
If it can’t, will its balance sheet – as vast as it is – be enough to protect its clients against wholesale desertion by their customers?
Don’t think such things can’t happen. If hackers can penetrate the Department of Defense, the risk that they will penetrate Microsoft or Google cannot be ruled out. Compromise of just one of these vendors – even one with a modest market share – conceivably could shut down, at least temporarily, a sizable slice of the U.S. economy.
With such potential losses at stake, corporations are bound to think about hedging their exposures via cyber insurance. Yet even as insurance companies rush to meet the demand for cyber loss and liability insurance products, they worry about aggregation, the excessive exposure of a single insurer to a single catastrophic event, as Erich Bublitz recently pointed out in Carrier Management.
If the catastrophic event is a breakdown in just one of the handful of large cloud-computing vendors serving Corporate America, it is likely that no single cyber insurance tower could fully protect all of its clients.
A vendor would have to buy staggering amounts of insurance limits to cover all data security and privacy liability exposure to its customers. Cyber insurers and reinsurers worry about aggregation because a single catastrophic cyber breach at a single cloud-computing vendor could wipe out an entire tower (a layer of coverage above a company’s primary insurance policy) of cyber coverage, much like a superstorm can wipe out a whole region in its wake.
The aftermath of such a crisis would not be pretty. Some of the biggest companies in the nation might be pitted against each other in competition for the vendor’s meager (compared to the scope of the loss) insurance proceeds — and, ultimately, its balance sheet.
Shouldering the Burden Alone
To adequately manage risk, the clients of these vendors must recognize that as a practical matter, there probably isn’t enough cyber loss and liability insurance capacity available to cloud-computing service providers to fully protect their clients in such a scenario.
CFOs and risk managers can continue to request indemnity agreements from their vendors to gain faster access to their assets in the event of a catastrophic liability, but with a giant like Microsoft, this often isn’t an option. Are there solutions available to one of the 80 percent of companies that has migrated to cloud computing but wishes to guard its business and its assets against a 100-year-flood cyber loss or liability event?
The short answer is this: The cloud-computing client must shoulder the burden, largely alone, of protecting itself from liability to its own customers resulting from a vendor’s security breach or confidential data disclosure.
The company may or may not be able to pass this expense on to the vendor in a service agreement. Good cyber insurance is not inexpensive. Buying cut-rate coverage from an insurance company inexperienced in this space, however, can lead to nasty surprises when the insurer ends up learning how to adjust a catastrophic cyber claim on the fly.
To protect themselves effectively against this kind of claim, companies need a coordinated effort between the risk and legal departments. Consider these recommendations:
Choose a cloud-computing vendor carefully. The willingness and ability of the vendor to stand behind its products and services should be just as important as the functionality of those products and services.
Engage a broker that has special expertise in cyber insurance. Ask to meet the broker’s cyber risk team, and look for former underwriters of cyber loss and liability programs coming out of insurance companies known for competency in this field.
Evaluate the cyber catastrophe exposures exceeding a vendor’s and the company’s own insurance programs. That’s a vital part of enterprise risk management.
David Wood (email@example.com) is co-managing shareholder of the Ventura, Calif. office of the Anderson Kill law firm. He devotes his practice to liability and errors and omissions coverage, professional liability insurance, crime coverage, primary-excess disputes and the rights of additional insureds.