Professional Documents
Culture Documents
ENTERPRISE CIO
MIDMARKET
COMPLIANCE
Healthcare
INFORMATION GOVERNANCE EVENT
NEWS
WHITE PAPERS
BRIEFINGS
MULTIMEDIA
TIPS
BLOGS
CIO DECISIONS EZINE
RSS
IT/business mgmt
BPM
Budgets
Careers
Contracts
Cost-cutting
Governance
ITIL and
ITSM
Leadership
Managing
cloud
computing
Offshoring
Onshoring
PPM
ROI
Salaries
Staffing
Training/Certs
Vendor
selection
Verticals
Business software
App dev
App
integration
BI
CPM
CRM
ERP
Open source
SaaS
SOA/Web
services
1 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...
SCM
Web 2.0
Data centers and virtualization
Cloud strategies
Desktops
Email
Green IT
LAN/Wireless
Legacy systems
Mobile
Net management
Operating systems
Remote workers
Server management
Storage
Virtualization
VoIP
DR and BC planning
Business
continuity
Disaster
recovery
Security and risk mgmt
Asset management
Compliance
Data privacy
Legal issues
Risk management
Security
Site Index
EMC is the unmatched leader in disk-based backup and recovery
Home
>Topics
>Enterprise data centers and virtualization
>Cloud computing for enterprise CIOs
>Cyber insurance mitigates the risk of data breaches in cloud computing
Print
Email This
CIO News:
2 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...
Digg This
Stumble
Delicious
Google Fusion
The manager of a fine hotel would never allow an electrician or plumber to work without being insured; it's
standard fare on service contracts in the physical world. Not so in cloud computing, where provider coverage in
the form of cyber insurance is far from a given. This undoubtedly will change as businesses push providers to
share the risks of a data breach or unexpected downtime, experts said.
Such large cloud computing providers as Salesforce.com Inc. do carry cyber insurance to mitigate the risk of data
breaches or unexpected downtime, but "smaller providers are not carrying insurance and have no plan to [do so]
until the larger customers push back and say, 'You're in our risk profile now,'" said Drew Bartkiewicz, vice
president of technology and new media markets at The Hartford Financial Services Group, a cyber insurance
company based in New York.
For the cloud computing model to work, cloud customers, as well as cloud providers, need to share the risk,
according to Drue Reeves, director of research for the Burton Group in Midvale, Utah. If a provider were wholly
responsible for the data of hundreds or thousands of tenants, it simply wouldn't be able to buy enough insurance
to cover the liability. To protect themselves in this risky situation, cyber insurers generally cap their policies at
$10 million or $15 million, forcing providers and large customers to keep shopping, experts said.
"It's basically the rule, not the exception, that a large technology provider, which is essentially what cloud
companies are, will buy a primary policy and add layers to create a massive insurance policy," said Robert Parisi,
senior vice president at Marsh Inc., a cyber insurance broker and risk adviser in New York, who participated in a
panel of lawyers and insurance brokers at the Burton Group's recent Catalyst conference in San Diego.
Salesforce.com, for example, carries cyber insurance policies into the "tens of millions," according to John Moss,
deputy chief counsel and head of commercial practices at the San Francisco-based company. Yet that amount
pales in comparison to the "potential for catastrophic loss in the billions," he said. Unlike on-premises
applications, where the data resides at the customer's facility, Salesforce.com sits on data provided by 70,000
customers. "There's a big liability difference and a big potential exposure difference, both for the vendor and the
customer."
There are lots of reasons why some cloud providers don't buy insurance. Among them: They think they won't get
hit, they spend more on security technology than the next cloud provider -- and nobody says they have to.
Because most of the cases involving data breaches have been settled out of court, the legal principles that guide
such measures have yet to be formed, experts said.
Thus, both the provider and customer need to protect themselves through risk transfer, Reeves said, suggesting
insurance might not be the only way to do it: "Maybe they both have a risk policy, or both have risk mitigation
along with an exit strategy, or they spread the applications across multiple cloud providers." Actuarial-based
means are a poor way to transfer risk, he said. If the industry is truly going toward a utility model, "It's better to
do it with derivatives and futures, but those markets don't exist yet."
Smaller providers are not carrying insurance and have no plan to do so until the larger customers
3 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...
Drew Bartkiewicz, vice president of technology and new media markets, The Hartford Financial
Services Group
Traditional industries -- banking, energy, retail and law, for example -- are buying cyber risk insurance at a faster
clip than technology providers are because they understand the laws of unintended consequences, Bartkiewicz
said. "The economics of failure are quite catastrophic. These are stock-impacting events, not peripheral IT
nuisances."
With supply chains becoming "liability chains," cloud providers and large businesses are hedging with $100
million or $500 million in cyber insurance backstops. "That might cost, let's say, $15 million or $20 million,"
Bartkiewicz said. This will lead to economic discussions, such as "is that money better spent there for
shareholder protection, or on $15 or $20 million worth of technology for security?" he added.
The question becomes, "Am I buying insurance for my own negligence or for the negligence of the people I do
business with?" said Marsh's Parisi. It's similar to the owner of a building who hires an architect to do some work,
and purchases an insurance policy to cover the architect's liability, he said. "We've reached something like that
with the cyber and e-commerce insurance. A standard part of a contract is a set of insurance requirements, and
often what we will see among providers and customers is a give and take [over who carries what type of
insurance]."
The scope of liability in a worst-case scenario is beyond our expectations, the experts said. With cloud providers
layering, or "stacking," insurance policies to give themselves a cyber cushion, analysts worry that enterprises are
aggregating risk among a few giant insurers, which will be able to assume only so much risk. "Do we run out of
insurance providers? At some point, I think we do," Burton Group's Reeves said. "Will they become too big to
fail, another AIG?"
Or what happens when several Fortune 500 companies put their apps on a cloud that fails? "If the [insurance]
provider goes down, it could actually hurt the GDP," Reeves said. Or what if a cloud provider goes bankrupt?
Usually, the first people to get a crack at money are the creditors, he said. "If that means selling off equipment,
there needs to be some sort of escrow fund so that the provider can operate long enough -- say, 30 days -- for the
consumers to retrieve their data."
Ultimately, the cloud should enable computing resources to be bought and sold like electricity, with an open
market exchange providing an option to buy compute power from someone else when a provider fails, Reeves
said.
Let us know what you think about the story; email Laura Smith, Features Writer.
Tags: Cloud computing for enterprise CIOs, Web 2.0 applications, Supply chain management software, VIEW
ALL TAGS
Digg This
Stumble
Delicious
Google Fusion
Ads by Google
4 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...
Related Content
Related Resources
2020software.com, trial software downloads for accounting software, ERP software, CRM software and
business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary
Go to searchcio-midmarket.bitpipe.com
5 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...
CIO solution center has news, research, and guides to assist theunique challenges of the CIO
6 of 7 21/8/2010 21:05
Cyber insurance mitigates the risk of data breaches in cloud computing http://searchcio.techtarget.com/news/2240021040/Cyber-insurance-miti...
SEARCH
About Us | Contact Us | For Advertisers | For Business Partners | Site Index | RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from
developing strategy, to making cost-effective purchase decisions and managing their organizations' technology
projects - with its network of technology-specific websites, events and online magazines.
All Rights Reserved, Copyright 2007 - 2010, TechTarget | Read our Privacy Statement
7 of 7 21/8/2010 21:05