Stuart Corner | The Age
Cloud computing presents businesses with a new set of risks the insurance sector is finding hard to comprehend. Data sovereignty, security, migration and risk mitigation are some of the issues insurers must quickly grasp as more organisations take on the cloud and get ahead of what little cloud cover exists.
Eric Lowenstein, client manager, financial services group of Aon, Sydney, said there was a big gap between what conventional insurance offered and the risks presented by cloud computing.
“There is a broad range of cover options available but these have problems. What are the geographical exclusions in regard to data sent offshore? And there are uncertainties about the definition of networks. Do they include devices like iPads, laptops, etc?” he said.
Lowenstein said the cloud posed risks to many stakeholders. “All stakeholders in the business need to be engaged: IT, marketing, legal, communication, as well as the CFO and CEO. This is a new kind of exposure that a lot of entities are taking notice.”
In the US there are already the beginnings of a cloud computing insurance industry. In April the MSPAlliance, an association of cloud service providers, announced a partnership with insurance broker Lockton to “offer comprehensive protection for cloud and managed service providers worldwide”. But this provides risk mitigation for cloud service providers, not for their customers. Lockton is expanding its activities to Australia.
Insurance cover for enterprise users is available from another US-based organisation, CloudInsure, which has also partnered with Lockton. CloudInsure promises to provide indemnity assurance to cloud service providers and enterprises in support of service level agreements, and financial protection for customers “commensurate with their data risk within the cloud”.
Paula Eggers, senior associate at Lockton in Australia, said the company’s cyber risk activities would be available here. “Lockton in the UK and Asia have just resourced up around cyber risk and that will be rolled out to Australia,” she said.
David Vaile, from the Cyberspace Law and Policy Centre at the University of NSW, said there was a big risk associated with data stored offshore, because it was subject to the laws of the host country.
“In the past the cloud has been seen as something just ‘out there’ – beyond jurisdiction. That is completely wrong. Rather than escaping from jurisdiction in the cloud, you are actually subject to many jurisdictions. And those jurisdictions might not be what you expect.”
Adrian Lawrence, a partner with law firm Baker & McKenzie, warned that the US Patriot Act, which grants wide-ranging powers to US government agencies, could be applied outside the US to any cloud service provider that was owned by, or a subsidiary of, a US company.
“To the extent that a US corporation is involved in the storage of data offshore from the US, the US authorities will assert their right to access that data,” Mr Lawrence said.
Craig Scroggie, chief executive of listed data centre provider NEXTDC, said failure to fully address the legal and risk governance issues around data stored in cloud computing centres, especially offshore, created the potential for a disaster that, at a stroke, could undermine confidence in cloud computing built up over several years.
“Confidence is critical and it only takes one disaster to have organisations question the validity of cloud and the risks it involves,” Mr Scroggie said.