By Shawn Dougherty and Bryan Flores, VeriskInsurance Solutions Group

Information technology professionals have recommended backing upfiles to protect information against hard drive crashes or stolenequipment since the integration of computers into the businessworld. Over the last three decades, data storage has evolved fromfloppy disks that held 1.44 megabytes of information to externalstorage capable of storing millions of megabytes (or, moreconcisely, multiple terabytes) of information.

Over the last few years, having enough storage space has becomeless of an issue, and the focus has shifted to accessibility. Thenewest tool to store data is the cloud, which gives users access tolarge amounts of storage space and makes that data available fromany location and on many different devices. But although it haschanged how countless professionals do business by being accessiblefrom anywhere with an Internet connection, the cloud presents a newwave of cybercrime and hacking risks that businesses and theiremployees must protect against.

The concept of the cloud dates back to the 1950s, when apractice evolved that allowed multiple users of large and costlymainframes to share both physical access to the computer frommultiple terminals as well as the CPU, or process time. Thateliminated periods of inactivity on the mainframe and allowed for agreater return on investment. Today, a businesses can choose todeploy:

• A private cloud that it or a service provider owns
• A public cloud owned by a service provider
• A community cloud to be shared by multiple organizations,or
• A hybrid cloud that combines the former three options in someway.

Regardless of configuration, increased productivity is one ofthe most tangible benefits of the cloud. In a May 2013 ForbesInsight survey of more than 500 executives, 64 percent ofrespondents said that cloud-based collaboration tools translateinto shorter time to market, quicker product upgrade cycles, andfaster responses to competitive challenges. Companies also citedportable access to files, decreased expense, and greaterscalability as advantages to using cloud services.

How the Cloud Can Work Against Business

With those benefits, why do some businesses still resistintegration into the cloud? The biggest concern is the impact thecloud has on a company's security. With the ability to accessanything from anywhere, a business's data can be more vulnerable toattacks. Cybercriminals are hard at work attempting to access datathat now exists online, which previously only existed on a networkaccessible exclusively from firm offices. The logic mirrors theurban legend about 20^th century bank robber WillieSutton, who said he robbed banks because “that's where the moneyis.” Cloud providers store data for many companies and individualconsumers, making them a richer target.

The threat of exfiltration of corporate data by disgruntledemployees is potentially even more worrisome. Freely availablecloud storage tools make it possible for employees to remove anydata from secured corporate networks that they may have access toand store it for retrieval on their personal devices.

Nearly three in four respondents in an IDC IT Cloud ServicesUser Survey cited security as a concern for cloud adoption, makingit the top concern. But although the consequences of a network oronline data breach may keep executives up at night, thelikelihood of a breach with information stored at a cloudprovider may be a greater cause of concern.

Security concerns are generally more obvious in the cloud andinclude unauthorized access to sensitive data, potential lack ofencryption both in transit and at rest, and the increased chance ofthe loss of data. What is typically less considered by cloudstorage users is the effect on data privacy. Contracts, data type,or the law may limit the use of third-party cloud storage providersto store information. Many regulations impact data storagedepending on where the data originated and that strictly definewhere and how data may be stored.

Regardless of the service delivery model used by the cloudprovider—for example, software as a service (SaaS), platform as aservice (PaaS), infrastructure as a service (IaaS), or evenmonitoring as a service (MaaS), communication as a service (CaaS),and anything as a service (XaaS)— the security responsibility canvary between the service provider and the customer.

And whether data is stored on a corporate network or the cloud,the impact a breach can have on a company extends from reputationissues to lost revenue and even legal action. Depending on the sizeand extent of a data breach, the data breach notification andnetwork forensics costs alone can quickly escalate into hundreds ofthousands of dollars or more.

Protecting Against Cloud-Based Risks

The 451 Research group, a global analyst and data companyfocused on enterprise IT innovation, projects that enterprise cloudcomputing will continue to grow 36% through 2016.

Although it seems as if many cloud providers rushed to market inspite of the risks associated with cyber security, the maturationof the market means many providers are now touting security as afeature. This helps ensure the encryption and protection fromunauthorized access of data stored in the cloud.

Businesses considering cloud-based services should examine andunderstand the storage provider's systems, policies, andprocedures, and to take their own existing contracts, regulations,and other risks into account. Corporate risk appetites differ, butwith proper security and privacy controls in place, it's possibleto minimize the potential threats. Securing data in the cloud needsto be the top priority for both the provider and the consumer(whether a business or individual) of the cloud.

Businesses using cloud service providers for data storage shouldrecognize that it may increase the potential for loss. For example,a business that has data stored in multiple locations on one ormore servers could increase risk by centralizing that data into onelocation. Likewise, a business may face a greater potential loss ofcontrol of sensitive data—personally identifiable information(PII), protected health information (PHI) or its own corporateintellectual property—if it chooses to store the data in the cloud

Regardless of security, businesses today must operate with themindset that a breach will happen and protect their financial andreputational interests through a cyber insurance policy. Thepolicies generally provide first- and third-party coverage fordata-breach-related exposures, which can include expenses incurredto notify affected parties of the breach and the cost to restore abusiness's reputation, in addition to addressing potentialliability for a data breach. Coverage for forensic investigation,notification costs, and expenses incurred to hire public relationsfirms, establish call centers, and implement credit monitoringservices commonly fall under cyber insurance policies. Whenunauthorized access to PII and/or PHI engenders regulatory finesand penalties, cyber insurance policies generally cover defensecosts for regulatory proceedings. Some policies also extendcoverage to assessed fines and penalties.

Cyber liability insurance presents a tremendous growthopportunity for insurance agents. To date, the take-up rate ofcyber insurance has been relatively modest, with less than a thirdof businesses having purchased some form of cyber coverage. Theyear ahead may well prove to be the tipping point for recognizingthe need for and purchasing insurance to address cyber-relatedexposures, including those exposures resulting from the use ofcloud computing.

The cloud is a growing technology that evolves every day. Whileit can deliver significant bottom line benefits for many companies,growing cyber theft concerns require commensurate action.Businesses must implement appropriate tools and processes toprevent security and privacy breaches and choose a cyber insurancepolicy to protect themselves should a breach still occur.