There are a lot of misconceptions around the cloud and liability. Organizations often assume risk is transferred when data moves to a third party.
It could be a naïve and costly assumption, says expert Lauri Floresca. While we’re more reliant than ever on cloud computing to store and process data, very few companies actually have cyber liability insurance.
It’s a mistake that could cost more than money, says cyber liability expert and senior vice president at California-based Woodruff Sawyer, Lauri Floresca. She’s worked alongside businesses of all sizes, including NASDAQ 100 and Fortune 500 companies, putting in place cyber liability and directors and officers (D&O) insurance programs, an area of exposure that is often overlooked.
“More and more companies use services like AWS, Microsoft Azure, or Google to store and process data, and many have migrated their entire network to a cloud provider. Layered on top of that are all the Software as a Service (SaaS) companies who offer services to companies on a hosted basis. A single company can have dozens of cloud relationships in their corporate network, which can make it less clear who is responsible when something fails,” she says.
Who is Responsible for Cloud Security?
Determining liability is a challenge because, she adds, responsibility is shared between the cloud vendor and the customer.
The fallout from a cyber breach often reaches beyond the compromised data to include financial and customer confidence loss, reputational damage, and even legal action against the company directors, so it makes sense for businesses to make liability insurance a priority.
Floresca says that often companies do improve their security by shifting to the cloud as large vendors have the beefed-up resources to invest and make security a priority in ways smaller businesses can’t, and they “have visibility to a large number of attack vectors, allowing them to identify threats and respond more quickly.”
From a customer perspective, she says the good news is that most insurers recognize and understand what constitutes the cloud.
“Most cyber insurance policies define a ‘computer system’ to include third-party networks that you have contracted with to support your company. So if a breach happens, the policy will respond regardless of where the data was stored when the breach occurred. But there are still questions about whose responsibility it is,” she says.
“There are a lot of misconceptions out there around the cloud and liability. Many companies assume that they have transferred their risk when their data is in third-party hands. The reality is that in most cases, companies have outsourced the service but retained the risk. There is very little protection in terms of liability with cloud providers.”
She explains it’s essential to understand that when a cyber breach occurs with cloud computing, legally, the obligation rests with the company hosting the data, known as the data owner. However, one notable exception is within the healthcare industry as companies supporting this industry are considered ‘business associates’ under the Health Insurance Portability and Accountability Act (HIPAA) and must meet the same obligations for protecting data as the business with the original patient relationship.
“But even in that case, the liability doesn’t transfer – it just expands,” she adds.
“Cloud vendors have generally done an excellent job of limiting their liability, sometimes to $0 or an amount equal to one year of fees paid to them. And since the damages are generally limited to direct costs, they would not cover all aspects of a breach, like the cost of responding to regulators or dealing with customer lawsuits.”
Finding the Right Cyber Insurance Policy
Seeking out a well-crafted cyber insurance policy will mean you’re covered for third-party liability costs and expenses related to dealing with the breach. But Lauri warns that sometimes that might not be enough.
“Even if you carry your own cyber insurance, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient. This is something you can and should negotiate with your cloud provider before becoming a customer, and it has become a pretty standard ask.”
More recently, insurers are expanding to also include business interruption coverage in case of a cloud vendor outage. Lauri suggests that if this is a real exposure for you, you look specifically for ‘Contingent Business Interruption’ coverage in any cyber policy you’re considering.
A Cloud Vendor’s Point of View
From the cloud vendor’s perspective, a data breach claim is really an errors and omissions (E&O) claim, and Lauri says they have no direct liability to the individuals whose data has been breached. However, a claim could be made by a customer for failing to perform a service.
“For this reason,” she adds, “E&O and cyber coverage is generally bundled together in a single policy for technology companies. For example, a customer may say it cost them millions of dollars to deal with notifying their customers about the data breach, or that they lost business as a result of the vendor’s failure.
“Even though a cloud vendor’s contract limits liability by default, it’s not clear how successful those contracts would hold up when it’s time to pay a claim. If the cloud vendor is truly negligent, the court may decide that liability caps on contracts don’t apply,” she adds.
While cyber threats continue to grow and become more complex, it’s an ongoing challenge for insurers to adapt and stay on top of risk management decisions for cloud customers.
“The bottom line,” says Floresca, “is that when storing data in the cloud, your best bet is to ensure the risks are managed just as tightly as if you were storing it on your own systems.”