Some companies assume that the provider of cloud storage will be responsible for any cyber-attack that permits entry to the cloud-stored information. Unfortunately, using a third party’s cloud storage does not necessarily mean that the cloud storage provider will be responsible for a security breach. In most cases, the party that first receives that information is the one upon whom the legal obligation will rest. (There are exceptions to this rule, but the exceptions mostly expand the legal obligation, they don’t transfer it.)
In this cyber age, any person that reads the news is likely aware of cyber risks to companies storing data in the cloud. There are an unfortunate number of stories of companies paying millions of dollars due to the unauthorized access of information by hackers invading online cloud storage. Along with the growth of the use of cloud storage, the risk of cyber-attack has grown too. Cyber-attacks can have huge impacts on a company’s reputation, revenue, and even viability.
When you are thinking about the level of cyber risk your company has, you should consider how much of its information is held in the cyber world. For some companies, only limited amounts of non-confidential data is maintained on the cloud. For others, employee information, payroll processing, customer’s identifiable information, payment processing, and other important and private information is stored on the cloud. The more data you store (especially personally identifiable and/or financial information) in the cloud the more costly a cyber-attack stealing the data is likely to be.
A cyber-attack can have a significant and lasting economic effect on the company. Information being compromised can impact the company’s customer’s willingness to continue patronizing the company. It can also cause immediate economic impacts if information related to bank accounts or other funds is stolen. Data breaches can also cause notification requirements to be triggered, as the vast majority of states have enacted laws that require companies experiencing a data breach to make individuals whose information has been compromised aware of the breach. Even just complying with these notification procedures can be costly.
So what is a company to do? One potential way to limit cyber risks and prepare for the potential exposure of a breach is to obtain cyber insurance. Cyber insurance will cover expenses incurred due to a breach of the company’s cloud storage. The cyber policy your company selects should fit with the cyber threats it faces. The amount of insurance coverage a company needs will vary based on the type and amount of data you have stored.
Another way to reduce your liability (even if you choose to carry your own cyber insurance policy), is to find a cloud storage provider that also has its own cyber insurance policy that covers cloud storage users. This policy can help cover any deductibles or cover the amount of damages that your own policy falls short of covering. In addition, when negotiating with your cloud storage provider (prior to becoming a customer), you may negotiate to have them indemnify you for security breaches.
The cyber insurance needs of a company will continue to evolve as technology continues to change and as more and more information is stored on the cloud. Even after purchasing cyber insurance, it is worthwhile for a company to review its policy every one to two years to ensure the policy provides coverage for the current threats it faces.