The past couple of years have seen cloud services move from the periphery of most businesses to the mainstream.

Drawn by the cost savings, agility and scalability that the cloud has to offer, companies have been migrating to the cloud en masse. A recent Harvard Business Review survey found 84 percent of companies had increased their reliance on the cloud in the past year.

At the core of this trend is a calculation by businesses that the benefits of the cloud outweigh the risks. Strange as it may sound, the benefits may outweigh the risks for the insurance industry, too. Of course, the type of risk insurers see in the cloud is different from most businesses, and has been a longstanding concern to underwriters. Even so, the cloud has enabled security capabilities that substantially lower risk in other areas — at least to the point that it merits another look.

|

The case against the cloud

Insurers have understood for a long time that they must manage aggregation of risk across the portfolio of products that they sell. Few places aggregate cyber risk as neatly as the cloud, and an unforeseen event that triggers multiple claims could spell bankruptcy, if not properly understood and managed.

Perhaps the best historical example of risk aggregation is asbestos. Liability litigation related to asbestos injuries and property damages has been claimed to be the longest-running mass tort in U.S. history, and is estimated to have cost the insurance industry $85 billion to date, according to A.M. Best Co.

Hacker in hoodie with face mask in cloud

Photo: iStock

|

Interconnectedness poses new challenge

Cyber risk aggregation presents a new challenge to insurers that, if not carefully managed, has the potential to cause losses that could eventually rival the asbestos claims. Why? In one word: "interconnectedness." There are few parallels to the interconnectedness of computer networks anywhere else in the insurance industry.

Perhaps the closest is geography in certain types of property coverage, inasmuch as a natural disaster that occurs in a specific location affects all properties in that area. But property insurers are able to use geography as a component of their risk model. They know the frequency with which hurricanes or earthquakes tend to hit certain locations and can adjust the risk that they assume accordingly.

The cyber domain is not nearly so predictable, and losses can occur anywhere. Although a property insurer can avoid insuring every home in a single geographic locale, it's much harder to avoid insuring multiple companies that all rely on the same cloud provider.

Surprising as it may sound, insurers today still have very low visibility and understanding of their policyholders' third-party relationships. Even more challenging are the fourth- and fifth-party relationships and knowing who subcontracts to whom. In practice what this means is that a cyber attack on one cloud provider could trigger multiple unforeseen policyholder claims.

Even if the insurer can begin to identify the percentage of policyholders that use specific third parties there is another problem. The insurer's contractual relationship is with the policyholder and not with the cloud provider. As a consequence, understanding the maturity of controls of any third-party vendor is difficult, and typically it is only the contractual relationship that an underwriter can scrutinize.

Hands around a table holding a cloud cut-out

|

Cloud-based loss prevention

The maturation of cloud services has also paved the way for cloud-based security that can actually reduce the overall risk in insurers' portfolios. While interconnectivity has long driven aggregation of risk, it has only recently begun to provide a clearer picture of the risk landscape.

Security services have begun to use the cloud to collect and pool information from every server and workstation that runs their security software. The result is a real-time picture of the threat landscape across hundreds of thousands of systems. 

The obvious benefit of this approach is that if a successful attack occurs on one network, the service provider can identify the attacker's tools and methods and protect all other subscribers from the same attack. This gets right to the heart of another source of risk correlation for insurers: The potential for a flaw in a common piece of software to result in claims from multiple insureds.

Cloud-based security tools reduce this risk, identifying and blocking methods for exploiting new software vulnerabilities as quickly as they emerge — and in far less time than it takes for developers to release a patch and companies to install it.

There are two less-obvious ways in which cloud-based security tools provide a leg up in loss prevention. One has to do with the massive amount of security-related metadata that they collect. Pooling this data allows for anomaly detection and real-time behavioral analysis that can identify and stop zero-day attacks the first time they are deployed.

The other involves disrupting attackers' own research and development efforts. Well-funded nation states and criminal organizations use test labs where they install all the latest security tools and experiment with different methods for defeating them. When these groups install a cloud-based tool in their lab, it gives the security provider the opportunity to observe these tests and develop the means to block new attacks before they're ever released into the wild.

Data cloud between servers

Photo: iStock

|

Cloud-accelerated response

While the interconnectedness of the cloud can help prevent losses from occurring, the agility of the cloud can limit the size of losses that do occur. Insurers have long recognized the value of professional incident responders in reducing the overall impact of a breach, and that value rises considerably when responders have cloud-based tools at their disposal.

It all comes down to speed. Cloud-based platforms can quickly deploy forensic software and collect information about an attack in a matter of hours — often before the responders even arrive on the ground. With traditional methods, this process can take days or even weeks. When coupled with advanced monitoring software, the cloud-based approach can shorten the total time to remediation from months to weeks.

Conventional wisdom holds that responding to a breach will require consultants on the ground for long periods of time. The cloud-based response model turns that paradigm on its head. Swift remediation not only reduces an attacker's "dwell time," shortening the window of opportunity to steal data, but it also reduces what companies spend on consulting fees.

|

Cloud-based tools may outweigh risk

None of this eliminates the longstanding concerns about reliance on the cloud; a successful attack on a major cloud provider could still result in wide-ranging losses. But cloud providers have become more numerous, more secure, and more resilient as they have matured, decreasing the likelihood of that scenario.

At the same time, the cloud has enabled a new breed of security solutions that have the ability to lower risk across the ecosystem. Cloud-based security tools are no silver bullet, but they do offer considerable advantages over traditional approaches, so much so that the benefit of cloud-based tools could begin to outweigh the risk of relying on the cloud itself. After all the fears underwriters have had about the cloud, it may prove more of a boon than a bugbear.

Ben Beeson is senior vice president and cyber risk practice leader for Kansas City-based Lockton Cos. Email him at [email protected].

Eben Kaplan is a consultant with Crowdstrike, a cybersecurity technology company based in Irvine, Calif. Email him at [email protected].

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.