"Because of security and privacy issues, we are always cautiousabout the type of data we contemplate placing in the cloud," saidGustavo Diaz, senior vice president and business relationshipmanager at Marsh, where he is the leader of technology strategy."That has somewhat handcuffed us in leveraging the cloud to thedegree we would like to."

Make no mistake about it: Even as insurance accelerates into the cloud, data security remains a huge concern to insurers and producers of all sizes—far more than in most industries outside of financial services.

"One of the things about insurance that is critically different from other industries is insurers' data is very PII rich—rich in personally identifiable information," according to Hemanshu "Hemu" Nigam, founder of cyber-security advisory firm SSP Blue. Nigam previously served as a U.S. Justice Department prosecutor specializing in cyber-crime and as head of online security for several global high-tech and media companies.

"What PII-rich means, from a hacker perspective, is it is high-value data," Nigam said. "They can get a better price on the black market, selling data to organized crime or other hackers. That's something insurance companies need to be critically aware of and critically ready for."

Nigam recommends a four-step cyber-security framework for insurance CIOs as they migrate into the cloud.

1. Classify and Prioritize Your Data

"The first thing is to take the data you have and break it into high, medium, and low business impact," he said. "Classify and prioritize. Some of it is PII-rich—that is why it is so important to evaluate your data. High-impact data means a security breach will hurt your customers, your reputation, your business itself, and you might have to pay out claims."

2. Take Responsibility, Insist on Transparency

"The second thing is to remember that when you give it to the cloud, going into the cloud is still a big shared responsibility between the cloud provider you give it to and the company that owns the data," Nigam said. "You should be asking lots of questions that are all centered around transparency. What are the security processes, the security certifications, the security vulnerability assessments—and are you allowed to audit them? If you have a vendor that is hesitant on transparency, that is a big red flag to walk away.

"From an insurance company perspective, the data you are giving is your responsibility, and it is important to secure it even before it gets to the cloud, through encryption," he said. "If hackers get my data, would they get gobbledygook, or are you going to give them high-value data? Encrypt your data before you send it to the cloud. Think of security in transit, from the local server inside a brick-and-mortar company. Is it going in an encrypted form, through a secure pipe? That's why it's a shared responsibility."

3. Know Where Your Data Is—and What's Next Door

"The third area to raise when talking to a cloud provider: how is data separated from other customers they have? The more customers they have, the more money they make, meaning the more different types of data they are housing from different sources," Nigam said. "How will yours be physically separated from others' data? In the event of a disaster, what are they doing to make sure you have access? If a rack blows up, or if there's a major storm and power outage, do they have colocation facilities in other regions?

"For that matter, where in the world is the data stored? In China? The U.S.? Germany? Every country has different laws regarding storage and transfer of data, and your cloud provider should be aware of them and tell you as a customer what exactly they are doing to comply with local privacy laws."

4. Who Is Liable? Put It in the Contract

"One last piece to keep in mind—insurance companies are amazingly good at contracts and contract negotiations," Nigam said. "So when you are negotiating with cloud providers, you should have specific language around how data security is handled, what happens in a breach, and who is liable in case of a breach. Liability all depends on the contract. Whenever there is a breach, someone has to investigate. It's easy to say, 'When you accessed the cloud, you left it open,' or 'You allowed a virus in that opened up a vulnerability,' so the contract should leave no room for dispute."

Leverage the Cloud—with an Insurer's Mindset

Last year, only about 33% of insurers had core, high-business-impact data and systems in the cloud, according to Strategy Meets Action research. That is changing rapidly, however—44% of SMA's respondents said their 12-month plans include core services in the cloud. But thanks to security and privacy constraints, insurers' core systems and other PII-rich applications almost exclusively will be implemented via single-tenant or multi-tenant private cloud—or, more conservatively, by hybrid cloud models, whereby the cloud vendor manages it on the insurance firm's servers.

As Mark Popolano, CIO for ProSight Specialty Insurance, explained, "We're insurers, we're risk managers. That's what we do for a living. That's why we use private cloud pretty much exclusively—we're protecting our assets and our customer base."
