Template:Choosing and Implementing a Cloud-based Service for Your Laboratory/Organizational cloud computing risk management/A brief note on cloud-inclusive cybersecurity insurance
3.3 A brief note on cloud-inclusive cybersecurity insurance
In January 2020, law firm Woodruf Sawyer indicated that among its business clients, the percentage of those organizations acquiring cybersecurity insurance coverage increased from 22 percent in 2016 to 39 percent in 2019, with that number expected to rise.[1] In 2023, Network Assured found the percentage of organizations with some form of cybersecurity insurance had gone up to 55 percent, with cybersecurity insurance claims increasing 100 percent since 2020.[2] Though the concept of cyber insurance has been around for several decades, it certainly has gained traction as a more popular offering in recent years. Initial adoption has often been hampered by the perception that issuers of such policies will rarely pay. But as companies like Merck, Equifax, and Marriott demonstrate that payment under cyber insurance policies is possible[1], questions remain about the value and availability of cybersecurity insurance, particularly when cloud computing is involved.
In their 2020 paper for the Carnegie Endowment, Levite and Kalwani shared their educated opinion on the cybersecurity insurance market as it relates to cloud computing[3]:
Another important regulatory priority in the category of resilience is insurance as a risk channeling mechanism, to offset physical or financial damages resulting from cloud failures ... At present, little recourse is available to CSPs or the consumer to address such serious and likely scenarios. The nascent cloud insurance market does not currently offer extensive solutions to this predicament, in part because of serious concern for the systemic risk that accumulates as a result of the cloud’s market concentration and the potential for cascading effects. System failures could potentially affect many different parties at once, trickling upward, downward, and sideways, and resulting in a mass of claims that could prove excessive for insurers and reinsurers to cover. Regulators’ concerns over the solvency of (re)insurers that underwrite cloud services in these domains are bound to further slow down expansion of insurance for cloud service business interruptions, especially as they pertain to coverage of damages to third parties.
Levite and Kalwani touch upon the increasingly concentrated nature of cloud services, as mentioned in Chapter 2. The topic is also tangentially discussed by Woodruff Sawyer's Lauri Floresca, but from the perspective of the multitenant nature of public cloud. "If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer," they note in a July 2020 Insights post.[4] These and other considerations bring about questions concerning how insurers will tighten policies and what insurers may or may not cover going forward in the 2020s. As such, this topic of what existing cybersecurity insurance policy writers will and will not cover, and how much—if any—of the policy addresses third-party cloud providers, deserves a brief but closer look.
When approaching an insurer about cybersecurity (cyber) insurance, one of the first questions asked should be how cloud computing affects their policies. A quality insurer will make clear in its policy definitions and other documentation what actually constitutes being in the cloud, stating that the "computer system" of an insured organization extends to third-party networks. However, it's important to note that not only does the idea of shared responsibility between the organization and the CSP still stand, but also the concept of who the "data owner" or originator of any affected data is: your organization. In regulated environments where protected health information (PHI) is created and managed, that ownership may be extended to the CSP via, e.g., the Health Insurance Portability and Accountability Act's (HIPAA's) requirement for business associate agreements. Ultimately your organization is still the primary data owner and holds much of the liability.[4] This is a primary reason to consider the value of cyber insurance that extends to the cloud.
However, as Floresca notes, the onus isn't exclusively placed on the organization to acquire insurance[4]:
Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.
But what does cyber insurance in 2023 actually look like? What does it cover? From our five risk categories described earlier, we find that data security and regulatory risk, as well as operational risk, are where most cyber risks will be found. Those categories of risk are addressed in some fashion by cyber insurance through a number of insuring agreements: network security, privacy liability, network business interruption, media liability, and errors and omissions (E&O). These are explained further below[5]:
- Network security coverage grant: This covers your organization should a data breach, malware infection, cyber extortion effort, ransomware attack, or email phishing scam compromise your network security or cause it to fail. Coverage can expand to both first- and third-party costs, including legal expenses, digital forensics (also mention in Chapter 2), data restoration, customer notification, public relations consulting, and more.
- Privacy liability coverage: This covers your organization should government regulatory investigations, law enforcement investigations, legal contract obligations, or other such circumstances surrounding a cyber-incident or regulatory breach incur costs upon the organization. Coverage can expand to both first- and third-party costs, including costs from litigation defense, settlements, fines, and penalties.
- Network business interruption coverage: This covers your organization should third-party hacks, failed software patches, human error, or other such circumstances cause security failures. Organizations can recover lost profits, fixed expenses, and other additional costs, depending on the policy.
- Media liability coverage: This covers you organization should someone infringe upon your intellectual property. Though not directly related to security, this form of legal protection is often a part of cyber insurance, providing coverage for losses associated with non-patent infringement losses from both online and print advertising of your services.
- Errors and omissions (E&O): This covers your organizations from, essentially, breach of contractual obligation. In the case of cloud, this would mean the CSP failed in the performance of their services by, e.g., allowing a breach of the organization's cloud data.[4] Coverage includes legal defense costs or other indemnification as a result of a dispute with not only a CSP but also one of your customers.
However, as the number of claims have risen into 2023, insurers are upping the requirements they place on the insured. Of key importance is noting the close positive correlation between the insured having poor cloud security policies and misconfigured cloud systems, and the fact that cyber insurance claims are increasing. As AgileIT notes, "businesses seeking cyber insurance will be mandated to strengthen their cloud security postures and particularly show how they will minimize misconfigurations" before qualifying for insurance.[6] Other additional considerations insurers may make include whether or not your lab has an extended detection and response (XDR) plan, robust vulnerability prioritization strategies, and incident response service provider utilization.[6]
Ultimately, it's up to you, the organization, to decide how to approach cloud-inclusive cyber insurance. Does your organization consider acquiring this type of insurance? Can your organization supply all the information a potential cyber insurance underwriter may ask for as part of the process? Can your lab meet the growing list of requirements from insurers? Do your potential CSP candidates have their own cyber insurance, and what does that insurance address? In the end, despite applying significant effort to your organization's approaches to risk management and security controls, the organization will need to look at costly risks as a matter of "when," not "if." If the potential consequences would be too detrimental to the organization, cyber insurance for your cloud expansion may be due. Just know that acquiring that insurance won't necessarily be straightforward.
- ↑ 1.0 1.1 Floresca, L. (23 January 2020). "Buying Cyber Insurance: It May Be Required, But Is It Worth It?". Insights. Woodruff Sawyer. https://woodruffsawyer.com/cyber-liability/is-buying-cyber-insurance-worth-it/. Retrieved 28 July 2023.
- ↑ Cole, N. (2 May 2023). "23 Eye-Opening Cybersecurity Insurance Statistics (2023)". https://networkassured.com/security/cybersecurity-insurance-statistics/. Retrieved 15 August 2023.
- ↑ Levite, A.; Kalwani, G. (9 November 2020). "Cloud Governance Challenges: A Survey of Policy and Regulatory Issues". Carnegie Endowment for International Peace. https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124. Retrieved 28 July 2023.
- ↑ 4.0 4.1 4.2 4.3 Floresca, L. (9 July 2020). "Cloud Computing Risk and Cyber Liability Insurance". Insights. Woodruff Sawyer. https://woodruffsawyer.com/cyber-liability/cloud-computing/. Retrieved 28 July 2023.
- ↑ Burke, D. (10 October 2022). "Cyber 101: Understand the Basics of Cyber Liability Insurance". Insights. Woodruff Sawyer. https://woodruffsawyer.com/cyber-liability/cyber-101-liability-insurance/. Retrieved 28 July 2023.
- ↑ 6.0 6.1 "Changes to Cybersecurity Insurance in 2023". AgileIT. 24 March 2023. https://www.agileit.com/news/changes-to-cybersecurity-insurance-in-2023/. Retrieved 15 August 2023.
