Last week we looked at three issues we believe will be prominent in 2013: consequences of Hurricane Sandy, cyber terrorism and federal legislation. In Part II of our analysis, we look at an additional issue we expect to be important in 2013:
The Cloud. One commentator described the cloud’s development path as entering its “teenage” years in 2013. This seems about right. Simply put, the cloud is a web-based, third party site that hosts data for another. If you use G-Mail or Google docs, then you use the cloud. Its attraction is easy to understand because the cloud:
•avoids the expense of individual servers and licensees;
•eliminates the physical presence of servers on-site, and with them, security and maintenance; and
•permits data to be portable, transferable and instantly accessible.
The understanding and usage of the cloud is increasing. For example, the EPA plans to move 25,000 employees and contractors to Microsoft’s could-based office for emails, calendars and collaboration by early 2013. According to one financial publisher, nearly one-third of private companies’ IT budgets were allocated to the cloud in 2012.
So what does this mean for insurers in 2013?
First, it means insurers need to be aware of the increased use of cloud. Some insurers view the cloud as a simple variation on the out-sourcing theme and therefore covered under a typical cyber risk policy. But the cloud may be more complicated from an insurer’s perspective. For example, oftentimes a cyber policy refers to a “computer network.” But the question the cloud raises is whose computer network? Some policies refer to “the organization’s network”, defined simply as the named insured. Others specifically cover “outsourced IT service providers” that may include cloud-like hosting issues. It is critical for insurers to understand exactly what the cloud is, what it encompasses, and what it means to their specific insured.
In 2013 we also may see more “cloud-only” policies. In that case, some may argue “if the general cyber policy covers the cloud, then why do we need a cloud-specific policy?”
Second, it means insurers must be aware of the consequences if there is a failure of the cloud, by way of beached data security, technological glitches or even the financial stability of the cloud provider. If there is a cloud failure, the most important document will be the service contract between the insured and the cloud provider. Insurers need to know (before they write the coverage) what their insureds have agreed to do in the event of cloud failure. There may be an indemnification obligation on the part of the insured – so not only has the insurer insured the policyholder but also some acts of the cloud provider. All parties need to be sure the insurance matches up to whatever indemnification protections may exist.
Third, it means insurers need to be aware of the concept of “aggregation.” Imagine a dozen policyholders who have entrusted their data to a single server provider. If there is a cloud failure, there may be problems for all the companies that outsourced their data to that cloud provide – and how many of those insureds placed their own risks with a single insurer? Or, if multiple cloud servers go down because of a single lightning bolt (as happened in 2011 when lightning struck a transformer at a power utility station in Dublin, affecting the back systems for Amazon and Microsoft) then how many policyholders of a single insurer are impacted?
Part III (and final) of our 2013 prediction to follow.