CloudInsure has prepared to launch its platform for cloud-risk assessment, allowing cloud service providers to upsell insurance, while ensuring that underwriters like Liberty International Underwriters fully understand the risks they are taking on.
The 451 Take
One of the biggest objections to cloud computing is the risk of security breaches or downtime. Of course, these risks existed before the cloud, but the centralization of IT resources means that when there is an issue, more users are likely to be impacted and the lack of control means it may be more difficult to resolve. Is the risk worse now, using the cloud, compared to hosting an application on an unpatched, on-premises dedicated server? That is a debate for another time.
But no matter how far technology comes, there will always be the risk of a breach or downtime; it's the price that we, as end users, pay for convenience. Cloud insurance means that if this ever-decreasing risk takes place (which, over time frames that are long enough, is certain), it will not destroy the organization. Risk cannot be removed, it can only be managed – in the IT sector, it is critically important that shareholders, CxOs and end users understand this is the case, and make plans. Cloud insurance is an important component of any business-led IT strategy.
CloudInsure believes the time has come for applications running on the cloud to be insured against business losses. Its role is to act as an insurance-program administrator, providing a SaaS platform for the collection and analysis of underwriting information that can be used by insurers to rate the insurability of cloud applications, and thereby determine a suitable premium. The company has recently arranged capacity commitments with Liberty International (a subsidiary of Liberty Mutual) for use of the platform. It is also in discussions with other insurance companies, although these are not likely to result in formal contracts soon.
Founded in 2010, New York-based CloudInsure is owned by Cyber Risk Partners, which also owns CyberFactors, a cyber-risk analytics database that models adverse technology events and their consequences. CyberFactors already has a number of major customers including the World Economic Forum, Guy Carpenter and Lockton. CloudInsure has yet to be fully launched; this is due to happen in early 2014. CyberRiskPartners remains self-funded, but is seeking capital alternatives.
The company aims to insure two types of corporate risk. First, the liability arising as the result of a privacy breach, and second, the losses incurred as a result of business interruption. Coverage is typically up to $500,000. The costs of forensics, remediation, crisis management and legal liability will usually be included in policies obtained via CloudInsure. Cloud insurance policies will typically be sold by cloud service providers to their customers as an additional fixed charge, most likely to SMBs that will have data-risk exposure. CloudInsure will take a percentage of the gross rate of sales of cloud insurance from the insurance premium, and a management fee from each cloud service provider.
The company sees an opportunity in an insurance market that is already experiencing squeezed margins. It's hoping to capitalize on this by opening up a new market to insurance companies, where additional margin can be added. Increasingly, insurance providers are looking to diversify. CloudInsure sees its platform as a good way to address consumers' concerns about using the cloud, and as a way to reduce sales cycles by removing SLA negotiations.
The platform also provides a differentiator to cloud service providers, which will receive a small commission for selling the service from the underwriters, but it is not likely to be led by a sales team. The product is intended to add a differentiator to a provider's product set, rather than generate large revenue in its own right.
CloudInsure is in talks with a handful of cloud service providers, but really wishes to work with just a couple in 2014, to avoid taking on too much. It still only has 10 staff. It sees sector-specific cloud providers working in regulated industries such as healthcare or finance as the best partners to connect with. It is currently US-focused, but has been in talks with cloud providers in both the US and the EU. Initially, the company will focus on insuring risk on single providers, but will look at multi-cloud deployments in the future.
CloudInsure provides a SaaS platform that performs an analysis of risk liability on both the cloud service provider's risk profile and the individual's. An online questionnaire of 60 questions captures the information needed to assess the provider's and the consumer's risk profile, which is used in conjunction with the CyberFactors risk database to give a rating for the consumer through a Rating Engine. The CyberFactors platform is able to predict cloud legal and financial losses resulting from an issue, and predict how many policies will be affected by a loss.
The information on the cloud service provider's architecture allows the assessment of risk without full public disclosure of internal architecture and processes. The assessment of an individual consumer's risk profile can also be used to ensure risk separation between consumers. CloudInsure is then able to generate a quote based on both the provider's risk profile and the consumer's risk profile. If the consumer decides to purchase the policy following a quote, this is done directly between the insurer and consumer. Eventually, the SaaS platform will allow consumers to extend their policies and integrate their own infrastructure, even leading to multi-cloud deployments.
Factors that may impact the rating include the amount of data in the cloud, redundancy, regulatory certifications and geographical location. Typically, the service levels specified in the policy are the same as those offered by the cloud service provider. The company hopes to avoid the issue of aggregation (where a single outage could trigger many claims), due to the resilient nature of cloud services. It hopes that cloud providers that offer solutions with no single point of failure, and zoned security or availability zones, are less likely to suffer such aggregation issues. Furthermore, the rating engine will determine the likely expense of such a single failure, and will adjust premiums to offset this risk.
CloudInsure is unique in providing the capability to assess cloud risk, such that insurers can balance competitive but profitable premiums against correctly assessed risk. The market for cyber-insurance, which covers liability associated with information security, includes big-name insurers such as AIG, Lockton, QBE, ACE Group, AON plc, AEGIS, Liberty, Hiscox, Allianz and Chubb.
It has experience in insurance, the technology and the support of a major insurer. Insurers and their partners rely on their reputations for business. Without case studies, how can consumers be confident its premiums will be money well spent in the event of a claim?
Never before has IT mattered so much to organizations, but no matter how well built and secured, there will always be risk. Insurance can mean that should this small chance become reality, the entire organization isn't open to financial ruin.