Why risk transfer for the cloud now?
Cloud has moved from buzz to business critical with Gartner anticipating that spending on cloud applications will reach almost $150 billion by 2014. With enterprise poised for substantial investment, it is critical for customers, providers, and investors to have an informed view of risk, policy, governance, and above all, a strategy for remediation.
Until now, the financial risk of data loss, downtime, business interruption, or a security intrusion within the cloud and other cyberenvironments has been mitigated through the reliance on service level agreements (SLAs) or a contractual indemnity. The first method is fiscally ineffective and the second requires legal remedy. Risk transfer solutions and the race to provide them will be the next instantiation of the commerce of cloud.
Data privacy and security is the top risk for the 21st century. Any company that is not prepared to manage the privacy and security of their data is not ready to do business in the 21st century. Every company that is using technology today, including private, hybrid, and public cloud, must practice appropriate risk management and mitigation measures to deal with loss of data and intellectual property as well as the ongoing data breaches, business interruption, and the ultimate potential damage to their brand and the failure of IT security mitigation measures.
Cloud computing has become normal business practice in 2012. According to a recent study by Mimecast, a SaaS and enterprise email provider, seven out 10 companies are migrating to the cloud with infrastructure, applications, or data. Most companies are starting small, however, most companies do not realize that most of their data may already be in the cloud. For example, if they outsource their payroll to ADP, their most sensitive data may already be in the cloud. To give some perspective to the length of time and the amount of data being processed in the cloud, ADP was processing $1.2 trillion in payments in the cloud environment globally prior to Amazon and Salesforce.com entering cloud computing.
Cloud computing has been around for more than a decade, but I think 2013 really marks the year it will become widely adopted. Consumers and businesses alike are realizing that the cloud offers a variety of solutions to problems that plague computer users daily. Small and midsize businesses are the largest growing segment in cloud computing. Companies that have not switched yet are feeling pressure to do so, and those who have already are seeing the benefits. With the year 2013 on the horizon, we wonder what new trends and innovations the cloud computing industry will bring?
The need for a risk transfer solution
What do insurance and risk management executives think about cloud computing? In September 2012, Advisen Ltd. administered a survey sponsored by Zurich to gain insight into the current state of ongoing trends in IT and cyber security; 8,248 risk managers, insurance buyers, and other risk professionals responded. Respondents were asked, "Does your organization use cloud computing services?" Forty-five percent answered yes. The second question, "Is cloud computing part of your data security risk management process?" Thirty-nine percent answered yes. Most relevant is that risk and insurance executives are aware of their company's operations in the cloud environment and are included in the risk management process -- but not the insurance and risk transfer process. How are they really mitigating the risk and remaining financially whole?
In October 2012, an Amazon breach in northern Virginia left all of their data-warehouse customers with no financial recourse from a power outage that lasted more than four days. Customers lost data and a majority of their customers. Amazon is the largest and one of the most trusted public clouds in the United States and would like to have a warranty or insurance product to offer their customers -- something unavailable to them today. As the industry stands, they are left financially with a loss after a breach, outage, or business interruption.
The risk transfer model and creating a cloud financial market
Creating a stronger line of defense in the SLA is possible if cloud providers could "bake in" the cost of risk transfer to their current SLA and business models. An SLA with insurance to make the end user whole for financial losses will build the needed trust issue for the cloud environment. Today, Amazon is selling upstream to the Fortune 500 and clients are asking for a "customized" SLA agreement that will make them whole for downtime, business interruption, and loss of IP and data. This has not yet been inked in the SLA but it is inevitable -- just like when fire insurance became the norm and changed the losses in the real estate markets for physical and personal property damage. This is, then, a unique opportunity to develop the market for cloud insurance.
Cloud computing is a growth market of the 21st century, a market that will sustain itself and grow revenues as more and more enterprises adopt the cloud model. Concern about capital expenditures and tax policy will inevitably drive more companies to the cloud. As data volumes (and the leverage of that data) continue to grow exponentially, enterprises will recognize that ever-increasing expenditures on a non-core function wastes resources that could be more efficiently transferred to revenue generation. What company will want to manage the real estate and other resources necessary to support the large data centers needed to run their businesses?
"Cloud risk transfer" is the new fire and theft insurance for the technology platform of the 21st century. The risk transfer model created will be the great "risk equalizer" between the technology provider and the end customer, which will ultimately build trust and confidence in the technology supply chain creating a risk transfer product that will reimburse the end user from such risks as fire (breaches, outages) and theft (security breaches, events, and other incidents).
Creating a cloud risk transfer product will support the cyber insurance products, including privacy and security coverage as this new cloud warranty coverage adds specific warranty coverage for enterprises and customers currently either not covered with their cyber insurance policy and for those not able to seek accurate limits for the activity related to cloud environment.
Who is really going to need to embrace the shift to risk transfer?
A majority of technology companies' are looking to add insurance and risk transfer products to their service level agreements. This is a major "risk shift" for the industry.
If you own the technology supply chain of your client from applications, hardware, technology platforms, maintenance, security, storage -- the "whole eco system," including the partners and vendors of your clients -- the risk for the technology supply chain becomes too big to self insure. All these products and services will meet in the cloud environment with software as a service, business process as a service, and Infrastructure as a service. According to Gartner, in 2014 the size of the cloud computing market will be $148.8 billion. All of these technology companies will be managing data and infrastructure in the cloud. The cloud is the new real estate market. Risk transfer for cloud computing is the new property coverage.
Join Mary Beth Borgwing on IE Radio at 2:00 p.m. on Thursday, December 13, where she'll discuss cloud insurance.
— Mary Beth Borgwing is managing director at Standish Risk Management. She is a leading risk and technology senior executive advising high-growth companies on funding strategies and strategic business development, specializing at the intersection of insurance and the cloud.