Many businesses are now utilizing third party companies, also known as cloud providers, for information technology services or storing and protecting data. However, what many of these businesses don’t realize is the loss of income they will face should a technology failure or other interruption occur on the part of the cloud provider.
According to Robert Parisi, Network Security and Privacy Practice leader within Marsh Inc.’s FINPRO Practice in New York, most cyber liability policies do not cover first party business interruption losses caused by a third-party provider.
In instances where the contingent business interruption is covered, there is only a minimal amount provided, typically around $100,000, but not unless the cloud provider is a named vendor on the cyber policy, says Parisi.
“Unless you have a need to make a big investment on the tech side, it makes sense to use these cloud companies,” says Parisi. “It’s not any riskier than doing it yourself, but it is a different risk.”
Many insureds mistakenly think that because they are using a cloud provider their systems may be safer, or that it is not their problem if something goes wrong with the tech company they work with. Unfortunately, says Parisi, anytime an insured works with a third party or makes a process more complicated and sophisticated, this is building a potential risk into it.
“The more complex your system is, the more susceptible it is to problems,” he says. “Outsourcing something to a third party is increasing risk because there are more moving parts.”
Certain industries including retail, healthcare and higher education are among the most vulnerable to privacy exposures, while other industries such as manufacturing, life sciences, pharmaceuticals, steel industries, and power generation companies have a greater susceptibility to business interruption if technology fails because it prohibits them from doing their jobs.
Through discussions with clients, Marsh found that this coverage gap needed to be addressed and developed CloudProtect, which covers first-party losses that occur because of a cloud service provider failure. Failures can be caused by: cyber attack; insolvency; breakdown in technology infrastructure not caused by physical damage, such as lost connectivity with the vendor; inability to access the Internet; or other events that disrupt a company’s ability to do business.
The coverage acts as an enhancement to a cyber policy by addressing and enhancing the business interruption and extra expense coverage. The policy covers loss of income, costs incurred from the procurement of service from a new cloud provider, and the costs associated with transitioning to a new provider. The coverage can either address the risk of only key vendors of an insured or on an all risk-all vendor basis.
“The coverage is picking up what happens when the vendor or cloud fails and what causes it,” says Parisi.
Marsh worked with several insurers to develop the coverage with sublimits of $1 million up to $2.5 million on a $5 million policy. The enhancement is available at no additional premium, which is why carriers are being cautious.
“This really is the carriers’ and markets’ first time dipping their toe into this portion of the pool,” says Parisi. “It is unrealistic to expect them to do full limits at no additional premium. The carriers have to get comfortable with the risk.”
The cyber marketplace is currently so competitive that Parisi doesn’t expect the coverage to trigger any rate increases, but carriers will only write those companies they see as good business.
The coverage targets any company that uses a computer system in its operations and is dependent on technology, particularly someone else’s technology. Parisi says that is a very extensive group. “Try and find a business you interact with day-to-day that is not relying on technology in some way,” he says.
With the cloud business continuing to grow (Parisi says it is estimated to reach $150 billion in revenue), Marsh is also looking at creating cloud risk assessment procedures so clients can better understand what their cloud provider does and how the provider should protect a company’s systems.
Parisi believes that agents would also be wise to become more comfortable with the business interruption and extra expense side of this segment, especially considering what insureds could lose.
“An [insured] would never think about not insuring their building or not buying property insurance,” he says. “But then when you look at what your risk to your revenue stream is, it’s not coming from the building being damaged, it’s probably all the technology inside of the building. What happens if there is a glitch in the system? You would be harder pressed to recover and have a greater financial loss than if the second floor floods.”