Cloud Computing and Insuring Risk

Posted by Mark Greisiger

A Q&A with Andreas Schlayer of Munich Re
Cloud computing remains a hot topic in the area of insurance risk, though many companies and insurers are still assessing its impact on IT security. To find out more, I spoke with Andreas Schlayer, who heads the insurance IT risk team at Munich Re.

What are some of your concerns in terms of cloud computing risk exposures impacting Munich Re clients?
In our opinion, cloud computing is likely to become very popular in the future. The main success factors we see are the competitive pricing and the quality of services and products that will be available.

This future prospect calls for something I would best describe as a “supply chain of IT services.” It can combine one or more cloud-based services from one or more providers to create a new product or service. This development is favored by the reasonable lease price for cloud computing power, which allows more and smaller companies to offer competitive services or tools.

From an insurer’s perspective, these IT exposures will be similar to today’s supply chain exposures in property insurance. With the cross-linking of providers increasing in the cloud, a risk scenario we see emerging on the horizon is the blackout of a major cloud service provider. We are concerned that such a blackout could affect a large number of customers who do not even know that their IT depends on this provider.

A risk scenario could look like this: Two students have a brilliant idea for a software tool. Using cloud service provider “A” to scale computing power to industrial size, the two students can target Fortune 500 companies as customers. A blackout of cloud provider “A” would affect all companies that bought the software tool created by the two students plus those companies that have a contract with cloud provider “A” to run their IT.

This type of aggregation is very challenging for insurers to monitor, as it requires making correct assumptions about the number of affected policies per event and the average loss amount per policy.

What are some thoughts/suggestions that you might have as to ways in which a primary cyber liability insurance carrier can offset the cloud aggregation exposures facing their book of business?
I doubt that there will be reliable models available in the near future to quantify the costs of an internet blackout or the knock-on effects caused by the blackout of a large cloud provider.

If they are not able to offset the costs of cloud aggregation exposure, insurance carriers will be forced to limit it in the policy wording. In our opinion, the most effective way to control cloud aggregation exposures is to differentiate between direct and indirect dependencies.[1]

Direct dependencies are easier to monitor, for instance by asking the insured what companies are providing IT services. Based on this information, the aggregation exposures for cloud providers can be monitored. The insurance carrier can provide higher limits for these exposures than for unmonitored exposures.

Indirect dependencies cannot yet be monitored with reasonable effort. We therefore recommend providing small limits, or excluding losses caused by indirect dependencies, in the policy wording to restrict the aggregation exposures.

In conclusion … 
The cloud comes with many risk issues impacting both insurer and insured business clients. Many of the risks related to cloud computing revolve around contractual risks (e.g. do you own your data once it is uploaded into a third-party cloud? See our eRisk Hub® Cloud Risk Considerations tool).

The commentary offered by Mr. Schlayer is of vital importance to many primary insurance carriers offering cyber liability coverage to entities that already leverage cloud computing, a trend that will continue to grow for various reasons. The potential for a data breach event creates both first-party cyber risk exposure (business interruption) and third-party exposure (class action legal liability). The latter can have systemic implications that impact a sizeable portion of an insurer’s book of business. This aggregation concern is on the minds of many underwriters we support (and Munich Re).

On the loss control side, we are seeing newer technical solutions deployed that can mitigate some cloud exposures, such as encryption solutions (see our prior post on Cloud Security) that allow clients to encrypt/protect customer PII data in a cloud’s “stove pipe”. This type of protection could also give the insured a safe haven from future compliance and liability risks (i.e. they may not need to report their data breach).

—————- ### —————-

[1] In policy language, direct dependency means that the reason for the interruption of the cloud service has to be caused by the cloud service provider itself and not by a third party which is part of the provider’s supply chain.
Indirect dependency means that the reason for the interruption of the cloud service has to be caused by a third party (i.e., the cloud service provider’s service provider) that is part of its supply chain.