Shine a Spotlight on Cyber “Cloud” Coverage
Originally published July 23, 2013 by Roberta Anderson on https://sce.prospx.com
Every company is at cyber risk. Cyber attacks are on the rise with unprecedented frequency, sophistication, and scale. And, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.
The problem is exacerbated by the trend in outsourcing of data handing, processing, and/or storage to third-party vendors, including “cloud” providers. Insurance can play a vital role in a company’s overall strategy to address and mitigate cyber risk. Insurers are marketing newer insurance products specifically tailored to cover cyber risks, and these products can be extremely valuable.
One important question to ask when buying cyber coverage is whether the coverage extends to information in the hands of third parties, including cloud service providers. A company probably would expect to have insurance coverage if a cloud vendor’s network security failure results in liability for the company. Unfortunately, many “off-the-shelf” cyber policies may limit the scope of coverage to the insured’s own acts and omissions, or to information in the “care, custody, or control” of the insured.
A cyber policy should be clear that there is coverage for data managed by third-party cloud vendors. Likewise, a company can suffer loss of its own data arising from a cloud provider’s network security failure and/or business interruption loss arising from the inability to access cloud provider services.
Again, many “off-the-shelf” policies may not protect the insured, or may sublimit the coverage. The “good” news is that the cyber insurance market is soft, and coverage for third-party cloud vendors can be achieved — often for no increase in premium. Importantly, however, successful placement of cyber coverage often requires the input of in-house legal counsel and experienced outside insurance coverage counsel.