Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...

Activate your FREE membership today | Log-in

ENTERPRISE CIO
MIDMARKET
COMPLIANCE
Healthcare
INFORMATION GOVERNANCE EVENT

NEWS
WHITE PAPERS
BRIEFINGS
MULTIMEDIA
TIPS
BLOGS
CIO DECISIONS EZINE
RSS

IT/business mgmt
BPM
Budgets
Careers
Contracts
Cost-cutting
Governance
ITIL and
ITSM
Leadership
Managing
cloud
computing
Offshoring
Onshoring
PPM
ROI
Salaries
Staffing
Training/Certs
Vendor
selection
Verticals
Business software
App dev
App
integration
BI
CPM
CRM
ERP
Open source
SaaS
SOA/Web
services

1 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...

SCM
Web 2.0
Data centers and virtualization
Cloud strategies
Desktops
Email
Green IT
LAN/Wireless
Legacy systems
Mobile
Net management
Operating systems
Remote workers
Server management
Storage
Virtualization
VoIP
DR and BC planning
Business
continuity
Disaster
recovery
Security and risk mgmt
Asset management
Compliance
Data privacy
Legal issues
Risk management
Security

SEARCH this site and the web Powered by Google

Site Index
EMC is the unmatched leader in disk-based backup and recovery

Home
>Topics
>Enterprise data centers and virtualization
>Cloud computing for enterprise CIOs
>Cyber insurance mitigates the risk of data breaches in cloud computing

Print
Email This

CIO News:

Cyber insurance mitigates the risk of data breaches

in cloud computing
By Laura Smith Features Writer

2 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...

19 Aug 2010 | SearchCIO.com

IT news and analysis for CIOs

Digg This
Stumble
Delicious
Google Fusion

More on cyber risk and insurance

Cyber insurance supplements, not replaces, data breach security

IT chargeback: A fundamental part of cloud computing takes shape

The manager of a fine hotel would never allow an electrician or plumber to work without being insured; it's
standard fare on service contracts in the physical world. Not so in cloud computing, where provider coverage in
the form of cyber insurance is far from a given. This undoubtedly will change as businesses push providers to
share the risks of a data breach or unexpected downtime, experts said.

Such large cloud computing providers as Salesforce.com Inc. do carry cyber insurance to mitigate the risk of data
breaches or unexpected downtime, but "smaller providers are not carrying insurance and have no plan to [do so]
until the larger customers push back and say, 'You're in our risk profile now,'" said Drew Bartkiewicz, vice
president of technology and new media markets at The Hartford Financial Services Group, a cyber insurance
company based in New York.

For the cloud computing model to work, cloud customers, as well as cloud providers, need to share the risk,
according to Drue Reeves, director of research for the Burton Group in Midvale, Utah. If a provider were wholly
responsible for the data of hundreds or thousands of tenants, it simply wouldn't be able to buy enough insurance
to cover the liability. To protect themselves in this risky situation, cyber insurers generally cap their policies at
$10 million or $15 million, forcing providers and large customers to keep shopping, experts said.

"It's basically the rule, not the exception, that a large technology provider, which is essentially what cloud
companies are, will buy a primary policy and add layers to create a massive insurance policy," said Robert Parisi,
senior vice president at Marsh Inc., a cyber insurance broker and risk adviser in New York, who participated in a
panel of lawyers and insurance brokers at the Burton Group's recent Catalyst conference in San Diego.

Salesforce.com, for example, carries cyber insurance policies into the "tens of millions," according to John Moss,
deputy chief counsel and head of commercial practices at the San Francisco-based company. Yet that amount
pales in comparison to the "potential for catastrophic loss in the billions," he said. Unlike on-premises
applications, where the data resides at the customer's facility, Salesforce.com sits on data provided by 70,000
customers. "There's a big liability difference and a big potential exposure difference, both for the vendor and the
customer."

Financing cloud risk

There are lots of reasons why some cloud providers don't buy insurance. Among them: They think they won't get
hit, they spend more on security technology than the next cloud provider -- and nobody says they have to.
Because most of the cases involving data breaches have been settled out of court, the legal principles that guide
such measures have yet to be formed, experts said.

Thus, both the provider and customer need to protect themselves through risk transfer, Reeves said, suggesting
insurance might not be the only way to do it: "Maybe they both have a risk policy, or both have risk mitigation
along with an exit strategy, or they spread the applications across multiple cloud providers." Actuarial-based
means are a poor way to transfer risk, he said. If the industry is truly going toward a utility model, "It's better to
do it with derivatives and futures, but those markets don't exist yet."

Smaller providers are not carrying insurance and have no plan to do so until the larger customers

3 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...

push back and say, "You're in our risk profile now."

Drew Bartkiewicz, vice president of technology and new media markets, The Hartford Financial
Services Group

Traditional industries -- banking, energy, retail and law, for example -- are buying cyber risk insurance at a faster
clip than technology providers are because they understand the laws of unintended consequences, Bartkiewicz
said. "The economics of failure are quite catastrophic. These are stock-impacting events, not peripheral IT
nuisances."

With supply chains becoming "liability chains," cloud providers and large businesses are hedging with $100
million or $500 million in cyber insurance backstops. "That might cost, let's say, $15 million or $20 million,"
Bartkiewicz said. This will lead to economic discussions, such as "is that money better spent there for
shareholder protection, or on $15 or $20 million worth of technology for security?" he added.

The question becomes, "Am I buying insurance for my own negligence or for the negligence of the people I do
business with?" said Marsh's Parisi. It's similar to the owner of a building who hires an architect to do some work,
and purchases an insurance policy to cover the architect's liability, he said. "We've reached something like that
with the cyber and e-commerce insurance. A standard part of a contract is a set of insurance requirements, and
often what we will see among providers and customers is a give and take [over who carries what type of
insurance]."

When cloud providers head down the rabbit trail

The scope of liability in a worst-case scenario is beyond our expectations, the experts said. With cloud providers
layering, or "stacking," insurance policies to give themselves a cyber cushion, analysts worry that enterprises are
aggregating risk among a few giant insurers, which will be able to assume only so much risk. "Do we run out of
insurance providers? At some point, I think we do," Burton Group's Reeves said. "Will they become too big to
fail, another AIG?"

Or what happens when several Fortune 500 companies put their apps on a cloud that fails? "If the [insurance]
provider goes down, it could actually hurt the GDP," Reeves said. Or what if a cloud provider goes bankrupt?
Usually, the first people to get a crack at money are the creditors, he said. "If that means selling off equipment,
there needs to be some sort of escrow fund so that the provider can operate long enough -- say, 30 days -- for the
consumers to retrieve their data."

Ultimately, the cloud should enable computing resources to be bought and sold like electricity, with an open
market exchange providing an option to buy compute power from someone else when a provider fails, Reeves
said.

Let us know what you think about the story; email Laura Smith, Features Writer.

Tags: Cloud computing for enterprise CIOs, Web 2.0 applications, Supply chain management software, VIEW
ALL TAGS

Digg This
Stumble
Delicious
Google Fusion

CIO RELATED LINKS

Ads by Google

Security Policy TemplatesSave time & money. Updatedinformation security

policies.www.informationshield.com
Master Insurance & RiskTop Italian Business SchoolScholarships & International
Careerwww.MIB.edu/mirm
Business Data SecurityBlock Data Theft.Business Data Security. Try now!www.MyUSBOnly.com

4 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...

Collateral ManagementEffectively mitigate risk exposure.Automate your processes.www.omgeo.com

Related Content

Cloud computing for enterprise CIOs

Pillars of cloud provisioning: self-service, automation and policy

Five top concerns about cloud service providers
How the chargeback process will alter the IT-business relationship
Shifting IT business models in time of economic crisis
Cloud computing management guide for enterprise CIOs
Private cloud replaces antiquated IT infrastructure for $300K per year
Cloud computing overview: 12 reasons to love it or leave it
Time to lay down the cloud computing law for uptime
2010 information technology plans will have smaller budgets
Cloud computing identity management standards could push cloud use

Web 2.0 applications

Facebook's professional potential evolves

Keys to safer, better blogging
Geezers revolt: Age discrimination tops the best CIO stories of 2006
C-level bloggers follow the rules
CIO returns from two years as operations SVP ready to drive IT value
IT execs eager to exploit Web 2.0 wave
Information security part of maintaining customer loyalty, experts say
Managing online reputation growing problem for businesses
2006 outlook: Open source, offshoring, Web 2.0
Facebook, MySpace tolerated by businesses, survey says

Supply chain management software

Does RFID equal ROI?

Supply chain risk: Deal with it
RFID: Obstacles and infrastructures
Precision retailing
As deadline nears, opinions weigh on side of failure for Oracle
Forrester event offers look at new technologies for a connected world
CIO water cooler: Reaction to HP's Mott move
RFID certification push may be premature, experts say
Vertical Views: Midsized manufacturers grow with globalization
Allstate in good hands with outsource management software

Related Resources

2020software.com, trial software downloads for accounting software, ERP software, CRM software and
business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

Go to searchcio-midmarket.bitpipe.com

5 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...

CIO solution center has news, research, and guides to assist theunique challenges of the CIO

6 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...

SEARCH

About Us | Contact Us | For Advertisers | For Business Partners | Site Index | RSS

TechTarget provides technology professionals with the information they need to perform their jobs - from
developing strategy, to making cost-effective purchase decisions and managing their organizations' technology
projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site | Media Kits | Reprints | Site Map

All Rights Reserved, Copyright 2007 - 2010, TechTarget | Read our Privacy Statement

TechTarget - The IT Media ROI Experts

7 of 7 21/8/2010 21:05