The insurance industry’s move to the cloud has reached critical mass. Today, many insurers are not only storing data in the cloud, but also using software platforms and other tools to leverage cloud-based data in new ways, says Nischal Kapoor at IBM.
The rise of the cloud has brought with it a corresponding rise in demand for insurance coverage for cloud-based risks, including data loss and cyber attacks. Known as cloud insurance, cyber insurance or data protection insurance, this coverage gives customers peace of mind when leveraging the opportunities that cloud computing provides.
Cloud insurance also represents an opportunity for insurers not only to use the cloud themselves, but to build business and customer relationships by providing a needed and desired insurance product.
What Is Data Protection Insurance?
Data breaches are expensive, particularly in the United States. The total average cost of a data breach in the U.S. is $8.19 million, which is more than twice the global average, says Larry Ponemon, chairman and founder of the Ponemon Institute, which focuses on privacy and data protection. Additionally, the average amount of time it takes an organization to identify and contain a data breach is counted in weeks and months.
Data protection insurance protects organizations in the event of a data breach or loss, says Chris Brook at Data Insider. Often, it’s included in a policy that also covers data losses caused by non-malicious events, like a power outage or property damage at a server facility that hosts the customer’s cloud-based data. There is also coverage for cyber attacks that focuses on the losses surrounding an attempt to steal data.
Currently, many cyber insurance policies are folded in with existing business liability policies, says Andrzej Kawalec, former CTO of Vodafone. These policies are often one-size-fits-all. Other times, they may be ill-defined, indistinguishable from the existing business liability policy or inadequate to address known data loss risks.
With these shortcomings in mind, Kawalec recommends a different approach to cloud and data protection coverage. “This will enable carriers to improve loss ratios while simultaneously giving customers better policies aligned with their specific business risk,” he says.
Government, Data Protection and Insurance
The passage of the EU’s General Data Protection Regulation (GDPR), along with discussion of similar laws in various U.S. jurisdictions like California, has spurred many businesses to think more carefully about data protection risks and how to address them.
“We are seeing a lot more interest in cyber coverage,” says Mark Camillo, head of cyber for EMEA at AIG. In fact, AIG says its European cyber business increased 50 percent between May 2017 and May 2018, as more businesses sought coverage specifically for their online data and operations in the face of the GDPR.
For example, the GDPR requires many organizations to appoint an independent data protection officer (DPO), whose role is to monitor data security and ensure GDPR compliance. The creation of a DPO position may require businesses to review and change their existing cyber insurance, or it may prompt the purchase of additional coverage, say Dan Burke and Priya Cherian Huskins at Woodruff Sawyer.
In the U.S., businesses are facing a patchwork of data security laws and regulations. For instance, South Carolina recently adopted a data security act that is similar to a set of regulations for data security created by New York. California, Rhode Island and a number of other states are also considering legislation, affecting companies that seek to do business inside their borders, says Christopher M. Brubaker at PropertyCasualty360.
These laws, along with the public’s increasing awareness of data breach risks and willingness to sue when they perceive themselves harmed by a breach, are also spurring interest in cloud and data protection insurance.
However, many customers don’t understand the risks surrounding cloud-based data, nor does federal law yet provide uniform guidance on all aspects of cyber security breaches and data protection, says Nat Wienecke at the Property Casualty Insurers Association of America (PCIAA). While this confusion can make the development of data protection insurance products more challenging, it can also pose a business opportunity for insurers.
Building Business in Cloud and Data Protection Insurance
Not all customers understand the need for data protection coverage, whether or not their systems are cloud-based. Even when a need exists, customers may not understand that laws creating a need for coverage — like the GDPR or various U.S. state laws — apply to their business, says Kovrr CEO Yakir Golan.
Insurance companies can seize the opportunity hidden in this confusion, educating customers as well as meeting their needs.
Laws like the EU’s General Data Protection Regulation (GDPR) initially caused some concern for insurers. Rather than being seen as an opportunity to improve risk analysis and customer communication, some saw it as a threat.
When data protection laws create new risks surrounding data collection or the use of cloud storage, existing liability policies may fail to provide protection that customers want and need. When insurers attempt to bundle data protection under other liability coverage, customers may be left without the coverage they need (and would have been happy to pay for).
A lack of transparency in how cyber insurance is priced may serve neither insurers nor customers, researcher Sasha Romanovsky and co-authors write in a 2019 article in the Journal of Cybersecurity. Romanovsky and team analyzed cyber insurance policies to determine what risks these policies are currently covering and how carriers gather information to analyze those risks.
When insurers use outdated methods to understand risks or price insurance products, both they and their customers may end up dissatisfied. Staying on top of these changes is essential for insurance companies seeking to capture and maintain loyal customers.
Could European Laws Help American Insurers?
The demands of the GDPR and similar state data protection laws have caused headaches for many in insurance leadership. These laws, however, also present an opportunity for insurance companies by creating space for insurers to become the resident experts on cyber risk.
Because laws like the GDPR require information on cyber attacks to be collected, they may actually help insurance companies price data protection coverage more effectively, says Mark Bannon, who works in Cyber Liability at Zurich Insurance. This information could also help insurers offer a level of expertise on cyber risks that businesses need.
Currently, businesses seek cyber risk insurance in order to meet various goals, says Bannon. Demand for cloud and data protection coverage, however, can be complicated both by what companies know about cyber attack risks and by what they don’t yet understand.
Insurance companies that leverage information on cyber attacks and other risks to better understand the cloud ecosystem can position themselves as subject matter experts on cloud and data protection. This helps them strengthen their relationship with customers by serving both as a source of information and as a solution to the problem of cyber risk.