Every company is at cyber risk. Reports of high-profile cyber attacks make headlines almost every day and confirm the reality: cyber attacks are on the rise with unprecedented frequency, sophistication and scale. And it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.
The problem is exacerbated by the trend toward outsourcing data handling, processing and/or storage to third-party vendors, including “cloud” providers. A 2012 Ponemon benchmark study found that over 41% of U.S. data breaches are caused by third parties’ errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.” Third-party errors also increase the average cost of a breach “by as much as $43 per record” according to the 2013 study, a significant amount considering that the average cost is $188 per record.
Insurance can play a vital role in a company’s overall strategy to address and mitigate cyber risk. Insurers are marketing newer insurance products specifically tailored to cover cyber risks, and these products can be extremely valuable. But choosing the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the market, each with its own terms and conditions.
One important question to ask when buying cyber insurance coverage is whether the coverage extends to information in the hands of third parties, including cloud service providers. A company probably would expect to have insurance coverage if a cloud vendor’s network security failure results in liability for the company. Unfortunately, many “off the shelf” cyber policies may limit the scope of coverage to the insured’s own acts and omissions (not the acts and omissions of third parties), or to information in the “care, custody or control” of the insured. A cyber policy should be clear that there is coverage for data managed by third party cloud vendors.
Likewise, in addition to third-party liability, a company can suffer first-party loss: loss of its own data arising from a cloud provider’s network security failure, and/or business interruption loss arising from the inability to access data, applications or other cloud provider services. Again, many “off the shelf” policies may not protect the insured for losses originating from a cloud provider, or may sublimit the coverage (for example, the policy may have a policy limit of $10 million, but a $500,000 sublimit applicable to business interruption originating from a cloud provider). A policy should be clear that coverage is provided for data loss and business interruption originating from a cloud provider. Of course, companies should also be cautious when selecting a cloud provider and should pay close attention to the indemnity provisions in the provider’s contract.
The “good” news is that the cyber insurance market is soft and coverage for third party cloud vendors can be achieved — often for no increase in premium. Importantly, however, successful placement of cyber coverage typically requires the input not only of the company’s risk management department and the broker, but also of in-house legal counsel and IT resources, compliance personnel and, of course, insurance coverage counsel.