Cloud Computing Exposures

The Gap in the Clouds

Cloud computing may be virtual, but the facilities behind it represent a property exposure.
February 18, 2014 • 8 min read

Cloud computing is integral to modern business. According to market research firm Gartner, the global cloud service industry will be worth $180 billion by 2015, while cloudhypermarket.com estimated a third of all IT expenditures in 2013 would be on cloud computing.

The cloud network is maintained by nearly 35,000 data centers (cloud service facilities containing physical servers), about 25,000 of which are located in the United States. These facilities are extremely well protected, employing the very best physical and cyber security systems, and are usually located in secretive locations away from obvious natural perils.

However, these facilities still require traditional property coverage to insure against risks including flood, fire, storm, earthquake, sabotage, civil commotion and terrorism. If one or more major cloud service facilities were damaged, service could be disrupted and data lost, with far-reaching economic implications for businesses that rely on the service.

Last year, Superstorm Sandy shut down data centers in Manhattan, while Amazon suffered two separate power outages at its Northern Virginia cloud facility, forcing many popular websites including Netflix, Instagram and Pinterest offline. But it’s not just media outlets that suffer — thousands of businesses are now actively using the cloud for business purposes, with basic data storage accounting for only 13 percent of cloud usage, according to research firm IDC.

Despite growing reliance on the cloud, Florence Levy, senior vice president and head of Lockton’s Global Technology and Privacy Practice, believes there is a gap in the insurance market that could leave cloud users uninsured for lost data or business interruption in the event of a physical event damaging a cloud facility.

“Traditionally, property policies address physical triggers and harm, while cyber and even errors and omissions policies are intended to address non-physical triggers and economic damage,” she said. “In the event of a physical trigger causing non-physical harm, property underwriters and cyber underwriters will be left pointing fingers at each other.”

According to Jim Charron, Technology Practice leader for Zurich, it is possible to insure data under a property policy, although coverage language often doesn’t capture the entire exposure. “Some [policies] are very clear that they cover computing resources and will specifically state that the coverage includes voice, data and even video, while others are not,” he said. “There are requests for this exposure to be covered and underwriters are responding, but the wording isn’t always reflective of the exposures.”

Charron added that underwriting becomes even more complicated when data is being held by a third-party on behalf of potentially millions of clients.

“Traditional property and business interruption risks already existed for insureds who maintained their computing resources within their own buildings, but with the use of the cloud those risks are subject to equipment not owned by the insured. Once the risk has been transferred to another party the insurance needs to change along with that,” he said. “I think there is an opportunity for insurers to refresh their approach.”

“People are starting to realize this may be a bigger issue than we had previously allotted for in the last couple of years. Savvy clients are asking a lot of questions,” said Levy, adding that brokers are trying to encourage insurers to develop enhanced coverage to ensure cloud users’ data is properly insured.

“The market is trying to figure out a way to address this, whether it is some sort of ‘difference in conditions’ policy that sits above the property and cyber policies, or more collaboration between the property and cyber underwriters and brokers to come up with a more effective solution,” she said.

Levy admitted, however, that creating some kind of hybrid product would be very challenging for insurers. “Cyber and property are two very different coverages with different profitability standards and historical data sets. The most likely solution is an umbrella or difference in conditions policy rather than stretching either set of underwriters beyond their comfort zone,” she said.

Another major challenge is aggregation of risk, with tens of thousands of businesses potentially facing disruption if any of the leading cloud providers went down.

“What is the aggregated business interruption and property damage exposure of one or several of these facilities if they were attacked all at once or there was a large weather event?” asked Charron. “If a major facility is taken down it could have a dramatic impact on the insurance industry.”

“If one cloud provider went down, how many end users would it affect?” pondered Levy. “The danger is yet to be determined, but some carriers are now tracking this information. Once they reach what they perceive to be their maximum aggregate exposure in terms of users using the same cloud provider or number of cloud providers, they may stop providing insurance.”

When in Doubt, Sue

Cloud users may have another form of protection. Robert Parisi, Network Security and Privacy Practice leader at Marsh, who places E&O and professional liability (PL) risks for cloud service providers, believes providers are vulnerable to PL claims, even if interruption or loss of data was caused by a physical risk rather than negligence.

Bob Parisi, Network Security and Privacy Practice leader, Marsh

“I don’t think there are gaps in coverage. If a cloud provider is unable to provide their service, it is going to come back at them as a PL claim. The end user is not going to care one whit why the cloud provider wasn’t there when they needed them — they just know they have a contract and the provider didn’t honor it,” he said.

Accordingly, cloud providers have to ensure their E&O and PL policy wordings are airtight in their response to ‘act of God’ type risks or even deliberate physical sabotage and terrorism risks.

“From an end user’s perspective, the principal recovery vehicle is going to be that PL policy, so the cloud providers and their brokers need to look under the hood of their policies,” said Parisi. “The market has evolved and is getting better at providing solutions, and the coverage is fairly broad. It is up to the broker to be aware those solutions exist and stitch them together for [the cloud provider].”

Parisi said PL claims against cloud providers are common, particularly in the litigious United States where cloud users also have very high expectations — anything less than 24-hour service at optimal speed could result in a PL claim, particularly from users whose businesses rely on real-time data feeds, he said.

“Tech companies are regularly sued for failing to provide service or failing to render the service non-negligently. Tech is not perfect, and when it goes wrong, usually the first thing a client of a tech company is going to do is assume the tech provider must have done something wrong,” he said.

“Not only is the cloud provider going to be held to rendering the service and having the service functioning as intended, there is also an element of latency risk; clients want their service working now, on demand, and without any delays.”

In order for the cloud providers to ensure they get adequate coverage against such claims, they must demonstrate high levels of risk management including building redundancies into their systems so that if one facility is damaged, the data can be switched rapidly to another network or facility without being lost.

“One of the large tech companies runs an entirely parallel network right next to their production network so if anything happens they can switch their customers from the day-to-day network to the parallel redundant network in the blink of an eye,” said Parisi.

“That’s an extreme example – most providers don’t have a parallel network. But if they are going to guarantee 100 percent up-time they need to make sure they have the facilities that can do that — and if that means geographically separating their data centers then that is what must be done.”

When it comes to liability for data loss or service downtime, much hinges on the service level agreement between the two parties.

“This agreement defines what level of liability the provider assumes. In that contracting process the provider can say they will deliver their service but there are things outside of their control, and if those things prevent the service the user will have to live with that,” said Parisi. “That won’t always necessarily fly in the negotiation process — in which case the provider may put liquidated damages or limitations of liability clauses with pre-agreed settlements or caps on liability into the contract.”

Parisi added that one of the best things a cloud provider can do to limit their liability is to manage the expectations of the cloud user.

“The quickest way for someone to think the provider did something wrong is for the provider to overpromise,” he said, noting that startup cloud providers are most susceptible to this as they aggressively compete for business.

Ultimately, though, cloud users must take responsibility for their own data — particularly if it is critical to their business. “Cloud users should take it as incumbent upon them as part of their risk management policy to ensure they have their data backed up, and most of them probably do,” said Zurich’s Charron. “The rub is if they are creating new data all the time and there is value in the creation of this new data being generated. Identifying whether data is confidential or mission-critical can help the user understand how often they should back up their data.”

Parisi said cloud use should be treated with the same common sense as any other enterprise risk.

“If you’re relying solely on a third party for the sanctity and security of your data, you are probably making a lot of other mistakes in your business,” he said.

Antony Ireland is a London-based financial journalist.

More from Risk & Insurance

Absence Management

Establishing Balance With Volunteers

It’s good business to allow job-leave for volunteer emergency responders, whether or not state laws apply.
January 10, 2018 • 7 min read

If 2017 had a moniker, it might be “the year of the natural disasters,” thanks to a phenomenal array of catastrophic or severe events — hurricanes, tornadoes, wildfires, ice storms and floods.

Combined with smaller-scale fires and other emergencies, these incidents tax the resources of local and state emergency services, often prompting the need to call volunteer emergency responders into action.

But as lean as most organizations are already running, volunteer activities can sometimes cause friction between employees and employers. Handling conflicts the wrong way can potentially lead to legal headaches, harm employee morale and batter a company’s reputation.

State by State Variations

Most employers are aware of the various federal and state leave laws protecting their employees, including family and medical leave, pregnancy leave and military leave. But leave laws that protect the livelihoods of volunteer emergency responders are more likely to fly under the radar of some HR managers and risk managers.

Such laws don’t exist in every state, but more than 20 states do have some type of law in place to protect volunteers including emergency responders, firefighters, disaster workers, medical responders, ambulance drivers or peace officers.

Marti Cardi, vice president of Product Compliance for Matrix Absence Management

The laws vary broadly. Nearly all specify that such leave be unpaid, and that employees disclose their volunteer status to employers and provide documentation for each leave. But there is a spectrum of variations in terms of what may trigger an eligible leave. Some, for instance, apply for any emergency that prompts a call from the volunteer’s affiliated responder group. Others may require a government declaration of emergency for the law to be triggered.

While many of the laws do not explicitly require employers to let employees leave work when called to an emergency during a shift, most specify that an employee may be late or even miss work entirely without facing termination or any other adverse employment action.

Some states mandate a maximum number of unpaid leave days that a volunteer can claim. But others may place more significant burdens on employers. In California, for instance, employers with 50 or more employees are required to grant up to 14 days of unpaid leave for training activities in addition to any leave taken to respond to emergency events. For multistate employers, keeping on top of what obligations may apply in each circumstance can be a challenge.

Significant Risks

Large or mid-sized employers may rely on absence management providers to keep them in compliance. For smaller employers though, it may be as simple as looking up a state’s law via Google to find out what’s required. However, checking in with the state department of labor or the company’s attorney may be the best way to get the correct facts.

“I would caution that just because you don’t find something [on the internet], it doesn’t mean it’s not there,” said absence management and employment law attorney Marti Cardi, vice president of Product Compliance for Matrix Absence Management.

For example, Cardi said, an obscure Texas law provides job-protected leave for volunteer ham radio operators called into service during an emergency.

Cardi said employers should task HR to investigate the laws in each state the company operates in, and to ensure that supervisors are educated about the existence of these laws.

“If a supervisor is told by one of his or her employees, ‘Sorry I’m not coming in today … I’ve been called to volunteer firefighter duty for the [nearby region] fire,’” she said, “you want to be sure that the supervisor knows not to take action against the employee, and to contact HR for guidance.

“Training supervisors to be aware of this kind of absence is really important.”

An employer that does terminate a protected volunteer for responding to an emergency may be ordered to pay back wages and reinstate the employee. In some cases, the employee may also be able to sue for wrongful termination.

And of course, “you don’t want to be the company in the headlines that is getting sued because you fired the volunteer firefighter,” she added.

If an employer bars a volunteer from responding, the worst-case scenario may be a third-party claim. Failure to comply with the law could give rise to a claim along the lines of “‘If you had complied with your statutory obligation to give Jane Doe time to respond, my loved one would not have died,’” explained Philadelphia-based Jonathan Segal, partner at law firm Duane Morris and managing principal of the Duane Morris Institute.

“That’s the claim I think is the largest in terms of legal risk.”

Even if no one dies or is seriously injured, he added, “there could still be significant reputational risk if an individual were to go to the media and say, ‘Look, I got called by the fire department and I wasn’t allowed to go.’”

The Right Thing to Do

What employers should be thinking about, Segal said, is that whether or not you have a legal obligation to provide job-protected leave for volunteer responders, “there’s still the question of what are the consequences if you don’t?”

Employee morale should be factored in, he said. The last thing any company wants is for employees to perceive it as insensitive to their interests or the interests of the community at large.

“How is this going to resonate with my employees, with my workforce, how are people going to see this? These are all relevant factors to consider,” he said.

There’s an argument to be made for employers to look at the bigger picture when it comes to any volunteer responders on their payroll, said Segal.

“Sometimes employers need to go beyond the law, and this is one of those times,” he said. “Think about the case where there’s not a specific state law [for emergency responders] and you say to a volunteer, ‘No, you can’t leave to deal with this fire’ and then people die. You as an employer have potentially played a role, indirectly, because you didn’t allow the first responder or responders to go,” he said.

The bottom line is that “it’s the right thing to do, even if it’s not required by law,” agreed Cardi.

“I feel that companies should have a policy that they’re not going to discipline or discharge someone for absences due to this kind of civic service, subject to verification of course.”

Clear Policy

While most employers do strive to be good corporate citizens, it goes without question that employers need to guard their own interests. It’s not especially likely that volunteer responders will try to take advantage of the unpaid leave allowed them, but of course, it could happen.

That’s why it’s important to have policies that are aligned with state laws. Those policies could include:

  • Requiring employees to notify the company of any volunteer affiliations either upon hire or as soon as they are activated as volunteers.
  • Requiring that employees notify a supervisor as soon as possible if called to an emergency (state requirements vary).
  • Requiring documentation after the event from the head of the entity supervising the volunteer’s activities.

If at some point the leave becomes excessive, for instance when someone has responded to emergencies five times in nine weeks, then it’s time to examine the specifics of the law and have a discussion with the employee about what’s reasonable, said Segal. It may also be time to ask whether the person is volunteering each time or being called.

In some cases, the discussion may need to be about finding a middle ground, especially if an employee has taken on an excessively demanding volunteer role.

“We encourage volunteers to pick the style that best fits their schedule,” said Greta Gustafson, a representative of the American Red Cross. “Disaster volunteers can elect to respond to disasters locally, nationally, or even virtually, and each assignment varies in length — from responding overnight to a home fire in your community to deploying across the country for several weeks following a hurricane.

“The Red Cross encourages all volunteers to talk with their employers to determine their availability and to communicate this with their local Red Cross chapter.”

Segal suggests approaching it as an interactive dialogue — borrowing from the ADA. “Employers may need to open a discussion along the lines of ‘I need you here this week because this week we have a deliverable on Friday and you’re critical to that client deliverable,’” he said, but also identify when the employee’s absence would be less critical.

No doubt there will be tough calls. An employer may have its hands full just trying to meet basic customer needs and need all hands on deck.

“That may be a situation where you say, ‘First let me check the law,’” said Segal. If there’s a leave law that applies, “then I’m going to need to comply with it. If there’s not, then you may need to balance competing interests and say, ‘We need you here.’”

Michelle Kerr is associate editor of Risk & Insurance.