National Underwriter - March 12, 2012

concerns that businesses should have about the cloud. In addition to insurance and specific risk management approaches, Nigam emphasized the importance of choosing what he has dubbed “CIA vendors” — meaning those cloud technology providers that offer “confidentiality, integrity, and availability.” Nigam also warned against focusing narrowly on cloud or any other risks, saying that a holistic point of view is required to protect organizations from diverse potential threats to information safety, security, and privacy.

Security and Privacy Risks Rival Traditional
P&C Exposures

Adding further detail to the picture Nigam painted, the three Zurich experts made it clear that information security, privacy threats, and cyber-related exposures should be perceived and addressed with the same level of concern as traditional property and casualty exposures. Gregg Fergot, vice president and head of technology underwriting at Zurich North America, kicked off an in-depth discussion on the risk management strategies and insurance coverage needed to protect companies’ information, intellectual assets, and reputation.

Most companies of any significant size have already “done the basics” — putting in firewalls, encrypting data, and maintaining up-to-date information security protocols — to protect their information-related assets, noted Larry Collins, vice president for HSE risk engineering and e-solutions at Zurich Services Corp. The question is how to go beyond this and actually anticipate risks that potentially face the business from all quarters.

As an illustrative example, Collins cited the “Night Dragon”
attacks on oil and gas companies in 2009, noting that these
were carefully targeted rather than random malicious
efforts. “The attackers were trying to figure out how
to underbid competitors to ensure they would
win contracts when the went into
competition with these energy
companies,” he explained.

In addition to technology-based
corporate espionage, Collins also
flagged increasing incidents of
what’s been dubbed “cyber
hacktivism” — recruiting and
mobilizing large numbers of
participants who non-violently
use “illegal or legally ambiguous
digital tools in pursuit of political
ends.” Furthermore, cloud hacking
— known as “hyperjacking” — has
emerged with the rapid growth of
cloud computing; similarly, the
proliferation of powerful mobile
devices such as smart phones, laptops
and tablet computers has spawned
malicious efforts to hack into these
mobile devices.

To systematically mitigate a diversity of risks, Collins recommended “a scenario-based process to understand your exposures and to identify vulnerabilities.” In this process, hazards are identified and assessed, their risk profiles ranked, and risk improvement actions put in place to address these with the appropriate prioritization. Expect this process to involve robust discussion and diverging viewpoints, he warned; the effort just to “create a simple chart to categorize acceptable and unacceptable risks” can result in “a heated conversation with your team.”

Financial Impact, Risk Transfer, and Coverage
Considerations

Data breaches and other cyber losses have many costs that are at least partially transferrable, noted Tim Stapleton, CIPP/US, who is assistant vice president and professional liability product manager at Zurich North America. Looking at a data breach example, an insured’s transferrable costs can include direct expenses associated with crisis and reputation management, forensics investigation costs, the costs associated with notification to customers or others impacted by the breach, and business interruption costs. Third-party liabilities involved with some data breaches can include regulatory fines and penalties as well as legal liability, Stapleton added.

When it comes to data breaches and other losses associated with the cloud, companies need to be careful to protect themselves and not rely solely on vendors, said Stapleton.

“The reality is that most cloud providers cannot afford to indemnify everybody for losses,” he said.

To ensure adequate insurance cover for a diversity of potential cyber and information-security losses, Stapleton pointed webinar attendees to three key areas: errors and omissions policies (which cloud providers often purchase for basic coverage), security and privacy liability coverage, and vendor services such as immediate support in the case of a breach.

“In many cases, adequate coverage can reduce the blow to the balance sheet and cover a good portion of transferrable costs,” Stapleton said, adding that “no two E&O or security and privacy policies are alike — so be sure to compare each one to check for crucial elements” that apply to your particular business exposures.

View the web seminar at

http://www.propertycasualty360.com/TheCloud

John W. De Witt, an event moderator and contributing editor for National Underwriter Property & Casualty, PropertyCasualty360, and other insurance industry publications, is principal and senior consultant for JW De Witt Business Communications in New Salem, Mass.