Ideally, most businesses would purchase cyber insurance coverage. This coverage can protect your company from the costs associated with data breaches, ransomware attacks, and other potential avenues of liability resulting from your cyber systems. However, as more and more companies move their operations to the cloud, significant questions arise as to how this impacts a company’s risks, exposures, and insurance.
Cyber insurance policies typically cover a range of damages that can be caused by a system breach. These expenses range from notification and defense costs to business interruption and data loss coverage, as well as a host of other types of damages. Because cyber insurance is not yet standardized, though, the types of damages that are covered can vary significantly from policy to policy- and from carrier to carrier.
More importantly, the lack of standardization also means that the terms defining the cause of loss can vary as well. Cyber insurance policies will only cover losses that are caused by specifically covered causes of loss that are outlined in the policy. Policies will often cover negligent acts of an employee in maintaining a system or entering data, as well as attacks and crimes committed on your computer system. However, the extent to which these policies will provide coverage when the fault lies with an outsourced vendor can vary.
Outsourced vendor coverage is still uncertain considering the cloud. If for business is putting information or critical systems in the cloud, it means that you are putting that data in the hands of third-party vendors.
Your cyber liability policy probably covers your business for data theft including personal information belonging to your customers while it is in the cloud.
However, There is Also Uncertainty
Your coverage may not (and probably does not) cover you for business interruption losses that would result if a breach of the cloud system causes you to lose access to the vital information you need to do business. It also probably will not cover you for the loss or destruction of data that stored in the cloud.
Businesses need to know what indemnities the contract with their cloud provider may contain. Typically, cloud providers provide form contracts that disclaim all damages or limit them to one year’s worth of fees. These limitations are likely to be insufficient in the event of a loss.
Additionally, cyber policies will not cover damages that are undertaken by your company via contract- unless your company would have had responsibility for those losses in the absence of a contract. In other words, businesses that suffer additional losses as a result of their contract with a cloud provider, the company will have to eat those losses.
Ultimately, very little guidance exists at this point in how cyber insurance will evolve to meet the increase in the use of the cloud by businesses. Many carriers have expanded certain definitions in their policies to include language that would cover the cloud, but few companies have examined what gaps in their coverage they may create by moving their infrastructure to the cloud. Additionally, no claims dealing with these specific issues have been addressed yet in a public forum.
Finally, the cloud presents a unique challenge to insurance carriers, as the potential aggregation of losses caused the breach or damage to a cloud operator. Imagine an insurer having to cover a million losses under a million policies due to a single breach of one system. Insurers are taking on this challenge, but it might provide complications for companies seeking cyber insurance moving forward.