You have insurance for your house, your car and maybe your boat. Why not buy insurance for your cloud storage?
Yes, there is such a thing as cloud insurance. It's an off-shoot of cyber insurance that has been around since the late 1990s, but is gaining popularity because of lingering concerns over cloud security and unsatisfactory service-level agreements (SLA), according to insurance and IT industry reports.
In April, the International Association of Cloud and Managed Service Providers (MSPAlliance), announced a cloud insurance initiative for its members along with its partner, Lockton Affinity.
Charles Weaver, CEO of the MSPAlliance, said a cloud insurance scenario might work like this: A RAID drive breaks in the cloud, and the customer is fined by a regulatory agency -- possibly in the health care or banking industries -- due to the outage.
"In that scenario, there could be a physical cost to the customer, and the customer would likely say to the MSP, 'You are going to pay this bill,'" Weaver said. "The MSP's insurance policy, in that case, would protect the provider and the client."
Even in cases where no data was lost and the data was never breached, regulatory agencies in some highly regulated verticals have levied fines, Weaver said.
Providers should have cloud insurance the way professionals in any industry do, Weaver said. He said the insurance is aimed mainly at covering the MSP, but does provide some coverage for the customer.
"While I don't like to sell fear, many of the worst possible outcomes of cloud computing are coming to life," Weaver said. "It's no longer a technical issue. Now [security concerns are] a very real thing, and your customer is more than likely going to ask you about it."
SLAs seen as lacking
Cloud outages are hardly a rarity, but no monetary payoff can buy back your data if it can't be recovered. SLAs can't do that either, though, and that is all users have to fall back on without cloud insurance.
Dissatisfaction with current SLAs is helping to create a need for greater protection, said Arun Taneja, principal and founder of the Taneja Group.
Taneja, who has been reviewing SLAs for cloud customers recently, said, "They do have some clauses in there right now for lack of availability. It's so trivial, though." Most of the compensation is in the form of a "freebie, some service for a month."
Cloud scenarios are ideal for insurance companies, Taneja said. "The risk has been reduced quite heavily [with encryption and other data protection technologies], but it's not zero. That's what [insurance companies] love.
"Other than availability, there is nothing the end user is getting from the provider in terms of cyber insurance -- nothing to do with security or data breaches. Granted, the risk is low because a large amount of that data is sitting there encrypted. But somebody could find the keys and get access to data for 5,000 customers."
Cyber insurance purchased in 2012 averaged $16.8 million across all industries, an increase of nearly 20% over 2011, according to a 2013 Q1 report issued by Marsh USA Inc., which bills itself as the world's largest insurance broker and risk adviser.
C-levels want cloud protection
Health care and education are two industries with a keen interest in cyber insurance. "Certain industries have more sensitivity [to security issues]," said Bob Parisi, network security and privacy practice leader at Marsh. "They seem to buying it faster than anyone else at the moment."
Parisi said many of his customers are CIOs and chief technology officers who were previously skeptical of needing cyber insurance.
"They are hugely concerned about security," Parisi said. "They are concerned about handing the data to a third party. Now, it is a concern they overcome -- but they are concerned." In June, CloudInsure, a New York-based company that offers insurance for cloud providers, announced that Liberty International Underwriters will provide CloudInsure clients with a tool that allows end users to conduct quick online cloud risk assessments and potential insurance packages.
"We marry the cloud service providers with the underwriters -- and their respective risk appetite," said Doug Weeden, director of program administration at CloudInsure, which is a subsidiary of CyberRisk Partners LLS. Weeden said the company, which got its start in 2010, does have a large cloud provider as a partner, but has yet to announce the details.
Weeden said CloudInsure positions its insurance as a competitive edge to providers. The hard part, he said, is getting the cloud providers to detail the ingredients in their "secret sauce" so CloudInsure can, in turn, provide more transparency to underwriters.
"The current risk regime is stacked in the [SLAs'] favor -- and the refusal to negotiate indemnity clauses on their contracts," Weeden said. "In terms of the pitch to them, it's my job [to point out that] they are already taking on these risks. Security, we find, is the No. 1 reason that most companies have not gone to the cloud."