"Because of security and privacy issues, we are always cautious about the type of data we contemplate placing in the cloud," said Gustavo Diaz, senior vice president and business relationship manager at Marsh, where he is the leader of technology strategy. "That has somewhat handcuffed us in leveraging the cloud to the degree we would like to."

Make no mistake about it: Even as insurance accelerates into the cloud, data security remains a huge concern to insurers and producers of all sizes—far more than in most industries outside of financial services. 

"One of the things about insurance that is critically different from other industries is insurers' data is very PII rich—rich in personally identifiable information," according to Hemanshu "Hemu" Nigam, founder of cyber-security advisory firm SSP Blue. Nigam is a former U.S. Justice Department prosecutor who specialized in cyber-crime and has headed online security for several global high-tech and media companies.

"What PII-rich means, from a hacker perspective, is it is high-value data," Nigam said. "They can get a better price on the black market, selling data to organized crime or other hackers. That's something insurance companies need to be critically aware of and critically ready for."

Nigam recommends a four-step cyber-security framework for insurance CIOs as they migrate into the cloud.

1. Classify and Prioritize Your Data 

"The first thing is to take the data you have and break it into high, medium, and low business impact," he said. "Classify and prioritize. Some of it is PII-rich—that is why it is so important to evaluate your data. High-impact data means a security breach will hurt your customers, your reputation, your business itself, and you might have to pay out claims."

2. Take Responsibility, Insist on Transparency 

"The second thing is to remember that when you give it to the cloud, going into the cloud is still a big shared responsibility between the cloud provider you give it to and the company that owns the data," Nigam said. "You should be asking lots of questions that are all centered around transparency. What are the security processes, the security certifications, the security vulnerability assessments—and are you allowed to audit them? If you have a vendor that is hesitant on transparency, that is a big red flag to walk away.

"From an insurance company perspective, the data you are giving is your responsibility, and it is important to secure it even before it gets to the cloud, through encryption," he said. "If hackers get my data, would they get gobbledygook, or are you going to give them high-value data? Encrypt your data before you send it to the cloud. Think of security in transit, from the local server inside a brick-and-mortar company. Is it going in an encrypted form, through a secure pipe? That's why it's a shared responsibility."
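The encrypt-before-you-send practice Nigam describes, shown as an added example that is not code from the article, SSP Blue, or any company quoted in it. It assumes AES-256-GCM with a key held by the data owner (here generated in memory; a real deployment would use the insurer's own key management), and it binds the storage object name to the ciphertext as associated data so one stored blob cannot be swapped for another. The record, key and object name are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptBeforeUpload seals a record with AES-256-GCM under a key that stays
// with the data owner. The returned blob (nonce || ciphertext || tag) is the
// only thing handed to the cloud provider; without the key it is opaque.
// objectName is bound as associated data so a blob cannot be silently
// substituted for a different object's blob.
func EncryptBeforeUpload(key []byte, objectName string, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving nonce || ct || tag.
	return gcm.Seal(nonce, nonce, record, []byte(objectName)), nil
}

// DecryptAfterDownload reverses EncryptBeforeUpload. GCM's tag check means any
// modification of the stored blob, or a mismatched objectName, is rejected.
func DecryptAfterDownload(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// newGCM builds the AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Leaks reports whether the stored blob still contains a plaintext field,
// i.e. whether whoever reads the provider's storage gets high-value data
// rather than, in Nigam's words, gobbledygook.
func Leaks(blob, field []byte) bool {
	return bytes.Contains(blob, field)
}

func main() {
	// Constructed sample: a PII-rich policyholder record and a key that in
	// practice would come from the insurer's own key management.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"policy":"PC-000123","holder":"Example Holder","ssn":"000-00-0000"}`)
	objectName := "policies/PC-000123.json" // hypothetical storage key

	blob, err := EncryptBeforeUpload(key, objectName, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob leaks SSN: %v\n", Leaks(blob, []byte("000-00-0000")))

	// A bit flipped in storage is detected rather than silently decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptAfterDownload(key, objectName, tampered)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)

	plain, err := DecryptAfterDownload(key, objectName, blob)
	fmt.Printf("round trip ok: %v\n", err == nil && bytes.Equal(plain, record))
}
```

Encrypting at the application before upload is independent of TLS on the "secure pipe": transport encryption protects the bytes in flight, while the envelope above keeps them unreadable at rest in the provider's storage and lets the owner, not the provider, decide who holds the key.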

3. Know Where Your Data Is—and What's Next Door 

"The third area to raise when talking to a cloud provider: how is data separated from other customers they have? The more customers they have, the more money they make, meaning the more different types of data they are housing from different sources," Nigam said. "How will yours be physically separated from others' data? In the event of a disaster, what are they doing to make sure you have access? If a rack blows up, or if there's a major storm and power outage, do they have colocation facilities in other regions?

"For that matter, where in the world is the data stored? In China? The U.S.? Germany? Every country has different laws regarding storage and transfer of data, and your cloud provider should be aware of them and tell you as a customer what exactly they are doing to comply with local privacy laws."

4. Who Is Liable? Put It in the Contract 

"One last piece to keep in mind—insurance companies are amazingly good at contracts and contract negotiations," Nigam said. "So when you are negotiating with cloud providers, you should have specific language around how data security is handled, what happens in a breach, and who is liable in case of a breach. Liability all depends on the contract. Whenever there is a breach, someone has to investigate. It's easy to say, 'When you accessed the cloud, you left it open,' or 'You allowed a virus in that opened up a vulnerability,' so the contract should leave no room for dispute."

Leverage the Cloud—with an Insurer's Mindset 

Last year, only about 33% of insurers had core, high-business-impact data and systems in the cloud, according to Strategy Meets Action research. That is changing rapidly, however—44% of SMA's respondents said their 12-month plans include core services in the cloud. But thanks to security and privacy constraints, insurers' core systems and other PII-rich applications almost exclusively will be implemented via single-tenant or multi-tenant private cloud—or, more conservatively, by hybrid cloud models, whereby the cloud vendor manages it on the insurance firm's servers. 

As Mark Popolano, CIO for ProSight Specialty Insurance, explained, "We're insurers, we're risk managers. That's what we do for a living. That's why we use private cloud pretty much exclusively—we're protecting our assets and our customer base."

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.