Insurers lag on cloud cover
Data sovereignty, security, migration and risk mitigation are some of the issues insurers must quickly grasp as more organisations take on the cloud and get ahead of what little cloud cover exists.
Eric Lowenstein, client manager, financial services group of Aon, Sydney, said there was a big gap between what conventional insurance offered and the risks presented by cloud computing.
"There is a broad range of cover options available but these have problems. What are the geographical exclusions in regard to data sent offshore? And there are uncertainties about the definition of networks. Do they include devices like iPads, laptops, etc?" he said.
Lowenstein said the cloud posed risks to many stakeholders. "All stakeholders in the business need to be engaged: IT, marketing legal, communication, as well as the CFO and CEO. This is a new kind of exposure that a lot of entities are taking notice."
In the US there is already the beginnings of a cloud computing insurance industry. In April the MSPAlliance, an association of cloud service providers, announced a partnership with insurance broker Lockton to "offer comprehensive protection for cloud and managed service providers worldwide". But this provides risk mitigation for cloud service providers, not for their customers. Lockton is expanding its activities to Australia
Insurance cover for enterprise users is available from another US-based organisation, CloudInsure, which also has partnered with Lockton. CloudInsure promises to provide indemnity assurance to cloud service providers and enterprises in support of service level agreements, and financial protection for customers "commensurate with their data risk within the cloud".
Paula Eggers, senior associate at Lockton in Australia, said the company's cyber risk activities would be available here. "Lockton in the UK and Asia have just resourced up around cyber risk and that will be rolled out to Australia," she said.
David Vaile, from the Cyberspace Law and Policy Centre at the University of NSW, said there was a big risk associated with data stored offshore, because it was subject to the laws of the host country.
"In the past the cloud has been seen as something just 'out there' - beyond jurisdiction. That is completely wrong. Rather than escaping from jurisdiction in the cloud, you are actually subject to many jurisdictions. And those jurisdictions might not be what
you expect."
Adrian Lawrence, a partner with law firm Baker & McKenzie, warned that the US Patriot Act, which grants wide-ranging powers to US government agencies, could be applied outside the US to any cloud service provider that was owned by, or a subsidiary of, a US company.
"To the extent that a US corporation is involved in the storage of data offshore from the US, the US authorities will assert their right to access that data," he said.
Frequently Asked Questions about this Article…
The article says insurers are struggling to understand new cloud computing risks like data sovereignty, security, migration and network definitions. Aon’s Eric Lowenstein notes there’s a big gap between conventional insurance cover and the risks created by moving systems and data to the cloud.
According to the article, conventional policies often fall short: there are questions about geographical exclusions for data sent offshore and uncertainties about what counts as a network (for example, whether devices like iPads or laptops are included). That creates gaps in cloud coverage for many organisations.
Data sovereignty means data stored offshore is subject to the laws of the host country. The article quotes David Vaile (UNSW) warning that cloud data can be subject to many jurisdictions, which can affect legal access, privacy and regulatory risk — all issues investors should watch in cloud-related businesses.
Yes. The article notes US-based efforts such as an MSPAlliance partnership with broker Lockton to insure cloud and managed service providers, and CloudInsure, which offers indemnity assurance to providers and enterprises and financial protection tied to customers’ data risk. However, some of these products primarily target providers rather than end customers.
The article reports Lockton is expanding activities to Australia and that its cyber risk capabilities being developed in the UK and Asia will be rolled out here, according to Lockton’s Paula Eggers, signaling growing cyber and cloud insurance availability in Australia.
Eric Lowenstein in the article recommends engaging a broad set of stakeholders — IT, marketing, legal, communications, the CFO and the CEO — because cloud exposures cut across many parts of a business and aren’t just an IT issue.
Yes. The article quotes Adrian Lawrence (Baker & McKenzie) warning that the US Patriot Act can be used to access data handled by cloud service providers owned by or affiliated with US companies, meaning US authorities might assert rights to offshore-held data.
Investors should monitor how insurers close the coverage gap for cloud risks, the emergence of specialised providers (like Lockton partnerships and CloudInsure), and legal/regulatory issues such as data sovereignty and cross‑jurisdictional access (including implications of laws like the US Patriot Act). These developments can affect cloud service providers, insurers and customers alike.
Call 1300 880 160
Start a chat
Schedule a call
