Many businesses are turning to the cloud for their IT services. The cloud provides reasonably priced access to the latest software and technology without the need for a business to make significant investments themselves.
There are numerous cloud suppliers, including firms like Microsoft, Amazon, Apple, Xero, One Net and Spark. The list is huge and ranges from giant companies to quite small, niche operators. It’s estimated that by 2019, 83% of data traffic will be cloud-based (currently it’s at 65%).
But, while the cloud provides its customers with some huge advantages, there are also inherent risks that need to be considered along the way:
- Typically, cloud service providers will limit their liability through the contract their customer signs. Quite often this limitation will be very tight and will afford the customer little or no right of recovery against the cloud service provider. If a customer of a cloud provider suffers a loss because of a loss of data/operations, the chances of making a financial recovery from the cloud provider will be limited at best
- Cloud customers are liable for their data irrespective of where it is stored. A breach of data stored on the cloud will still be the responsibility of the owner of the data and not the cloud provider. So any legal liability, fines and notification costs will be the customer’s, irrespective of the cause or location of the data breach
- Cloud service providers give customers access to the most up-to-date security. However, the weakest links in all IT systems are the operators. No matter what the level of security, there is no software-based answer to human error such as sending e-mails to wrong addresses, inadvertently disclosing confidential information or passwords, etc.
- In the event of a data breach caused by the cloud provider’s customer’s actions, i.e. the negligence of an employee, the chances are the contract terms will exclude any liability at all on the part of the cloud provider
- With the limited protection afforded under the cloud service contract, it is unlikely that a customer would be able to recover costs incurred by their business if there was a cyber event or data breach, even if it’s in the cloud. So costs such as business interruption, restoration of data and public relations are not going to be recoverable without resorting to litigation against the cloud provider and perhaps not even after that
- The cloud provides access to the latest editions of security tools such as firewalls and anti-virus software. However, the security can only respond to known threats. Hackers are discovering new software weaknesses every day and exploit what are known as zero-day vulnerabilities to attack systems before any protection can be deployed. Even with their enhanced security, cloud service providers are vulnerable to these attacks
- Because of the success of the cloud, it’s become a target for hackers. So while data in the cloud is often better protected, it is also more exposed because it’s seen as an attractive target for the bad guys
- There are legal implications of where data is stored. Where a cloud provider hosts their data isn’t always disclosed and is quite often not in New Zealand. A breach of confidential data stored by a cloud provider could expose their customer to the laws of the country where the data is hosted, and these may not be as favourable as NZ laws, resulting in extended liability
Most of the Cyber Insurance products in the market extend to cover the Insured for an event or breach on a cloud network. CyberSAFE defines a computer network to “also include a Computer Network that is under the operational control of a Service Provider”.
With CyberSAFE, a breach occurring on a cloud-based network would be an insured event and, subject to policy terms and conditions, will give the insured access to:
- Cover for legal liability to third parties
- Cover for fines & penalties for privacy breaches
- Defence costs
- Business Interruption costs
- Public Relations costs
- Data restoration/recovery costs
- Ransom monies
Even if the cloud service provider is liable for the cause of the cyber event/data breach, it is extremely unlikely that they will indemnify their client for any costs or liability. Even if they do, it may be for a limited amount, and the management of the recovery/defence will be outside of the customer’s control.
Visit: www.crombielockwood.co.nz/cyber-insurance for more on CyberSAFE.