By Scott Godes, Kara Cleary and Heidi Fessler

In part two of this series, we continue exploring the benefits, risks and insurance coverage issues associated with the cloud. Read part one here.

Insurance Coverage Issues for the Cloud

In addition to the insurance best practices mentioned in part one, the cloud can raise multiple insurance issues that should be considered carefully. For example, how would insurance provide coverage to the cloud provider or the user if there were a data breach or denial of service attack? But there are other events in cyberspace that both cloud providers and users should consider, such as the situation where users cannot access the cloud for data, applications, or other purposes and their business is impacted, as are their customers’ businesses.

As a first step, it is a best practice to consider the risks involved with cloud computing that are particular to your business and use of the cloud. The insurance issues specific to cloud users, depending upon the insurance policy at issue, might differ from the issues specific to cloud providers. It is also a best practice to consider what type of data will be hosted, such as whether the data contains personal identifying information, trade secrets, or other corporate information. Another aspect of that best practice would include consideration of whether and how the cloud contract addresses indemnification for a breach or interruption. Reviewing these issues as a best practice might help to identify the type and scope of coverage your company should consider purchasing.

Insurance carriers have started writing exclusions for cyber and privacy liabilities into “non-cyber” insurance policies, and directing policyholders to buy cyber insurance for those risks. The question of whether other insurance policies provide coverage is hotly contested, and the dispute can be expensive and lead to financial uncertainty for companies.
(That said, companies holding non-cyber insurance policies should consider closely whether those policies provide coverage for cyber-related events after an incident, even if the company also holds cyber insurance.)

Even if cloud users carry their own cyber insurance, consider requiring the cloud provider to carry cyber coverage as well to help fund a loss. The provider might be more willing to indemnify cloud users if the costs are not coming out of its own pocket. Moreover, payment by the cloud provider’s insurance carrier might be able to be used to fund the cloud user’s deductible or retention (although certain insurance carriers dispute that point) or pay excess costs if the user’s own insurance limits are insufficient.

Being informed of the coverages offered is a best practice because cyber insurance policies come in many different forms, which requires a careful analysis of the policy language and exclusions. Beyond seeking broad coverage with narrow exclusions, below are some basic tips and issues to consider:
- For cloud users, look at whether cloud computing risks are addressed specifically and clearly as a covered term in your policy. If they are not, review the definition of terms like “computer system” and “network” to determine how broadly coverage is written.
- For cloud users and providers, review the total limits, sub-limits, and deductibles, particularly those applicable to cloud-related risks
- Confirm the geographic scope of coverage
- Consider indemnification exclusions for third-party liability
- If you are a provider, consider E&O insurance