The past couple of years have seen cloud services move from the periphery of most businesses to the mainstream.

Drawn by the cost savings, agility and scalability that the cloud has to offer, companies have been migrating to the cloud en masse. A recent Harvard Business Review survey found 84 percent of companies had increased their reliance on the cloud in the past year.

At the core of this trend is a calculation by businesses that the benefits of the cloud outweigh the risks. Strange as it may sound, the benefits may outweigh the risks for the insurance industry, too. Of course, the type of risk insurers see in the cloud is different from most businesses, and has been a longstanding concern to underwriters. Even so, the cloud has enabled security capabilities that substantially lower risk in other areas — at least to the point that it merits another look.

The case against the cloud

Insurers have understood for a long time that they must manage aggregation of risk across the portfolio of products that they sell. Few places aggregate cyber risk as neatly as the cloud, and an unforeseen event that triggers multiple claims could spell bankruptcy, if not properly understood and managed.

Perhaps the best historical example of risk aggregation is asbestos. Liability litigation related to asbestos injuries and property damages has been claimed to be the longest-running mass tort in U.S. history, and is estimated to have cost the insurance industry $85 billion to date, according to A.M. Best Co.

Interconnectedness poses new challenge

Cyber risk aggregation presents a new challenge to insurers that, if not carefully managed, has the potential to cause losses that could eventually rival the asbestos claims. Why? In one word: "interconnectedness." There are few parallels to the interconnectedness of computer networks anywhere else in the insurance industry.

Perhaps the closest is geography in certain types of property coverage, inasmuch as a natural disaster that occurs in a specific location affects all properties in that area. But property insurers are able to use geography as a component of their risk model. They know the frequency with which hurricanes or earthquakes tend to hit certain locations and can adjust the risk that they assume accordingly.

The cyber domain is not nearly so predictable, and losses can occur anywhere. Although a property insurer can avoid insuring every home in a single geographic locale, it's much harder to avoid insuring multiple companies that all rely on the same cloud provider.

Surprising as it may sound, insurers today still have very low visibility and understanding of their policyholders' third-party relationships. Even more challenging are the fourth- and fifth-party relationships and knowing who subcontracts to whom. In practice what this means is that a cyber attack on one cloud provider could trigger multiple unforeseen policyholder claims.

Even if the insurer can begin to identify the percentage of policyholders that use specific third parties, there is another problem. The insurer's contractual relationship is with the policyholder and not with the cloud provider. As a consequence, understanding the maturity of controls of any third-party vendor is difficult, and typically it is only the contractual relationship that an underwriter can scrutinize.

Cloud-based loss prevention

The maturation of cloud services has also paved the way for cloud-based security that can actually reduce the overall risk in insurers' portfolios. While interconnectivity has long driven aggregation of risk, it has only recently begun to provide a clearer picture of the risk landscape.

Security services have begun to use the cloud to collect and pool information from every server and workstation that runs their security software. The result is a real-time picture of the threat landscape across hundreds of thousands of systems.

The obvious benefit of this approach is that if a successful attack occurs on one network, the service provider can identify the attacker's tools and methods and protect all other subscribers from the same attack. This gets right to the heart of another source of risk correlation for insurers: the potential for a flaw in a common piece of software to result in claims from multiple insureds.

Cloud-based security tools reduce this risk, identifying and blocking methods for exploiting new software vulnerabilities as quickly as they emerge — and in far less time than it takes for developers to release a patch and companies to install it.

There are two less-obvious ways in which cloud-based security tools provide a leg up in loss prevention. One has to do with the massive amount of security-related metadata that they collect. Pooling this data allows for anomaly detection and real-time behavioral analysis that can identify and stop zero-day attacks the first time they are deployed.

The other involves disrupting attackers' own research and development efforts. Well-funded nation states and criminal organizations use test labs where they install all the latest security tools and experiment with different methods for defeating them. When these groups install a cloud-based tool in their lab, it gives the security provider the opportunity to observe these tests and develop the means to block new attacks before they're ever released into the wild.

Cloud-accelerated response

While the interconnectedness of the cloud can help prevent losses from occurring, the agility of the cloud can limit the size of losses that do occur. Insurers have long recognized the value of professional incident responders in reducing the overall impact of a breach, and that value rises considerably when responders have cloud-based tools at their disposal.

It all comes down to speed. Cloud-based platforms can quickly deploy forensic software and collect information about an attack in a matter of hours — often before the responders even arrive on the ground. With traditional methods, this process can take days or even weeks. When coupled with advanced monitoring software, the cloud-based approach can shorten the total time to remediation from months to weeks.

Conventional wisdom holds that responding to a breach will require consultants on the ground for long periods of time. The cloud-based response model turns that paradigm on its head. Swift remediation not only reduces an attacker's "dwell time," shortening the window of opportunity to steal data, but it also reduces what companies spend on consulting fees.

Cloud-based tools may outweigh risk

None of this eliminates the longstanding concerns about reliance on the cloud; a successful attack on a major cloud provider could still result in wide-ranging losses. But cloud providers have become more numerous, more secure, and more resilient as they have matured, decreasing the likelihood of that scenario.

At the same time, the cloud has enabled a new breed of security solutions that have the ability to lower risk across the ecosystem. Cloud-based security tools are no silver bullet, but they do offer considerable advantages over traditional approaches, so much so that the benefit of cloud-based tools could begin to outweigh the risk of relying on the cloud itself. After all the fears underwriters have had about the cloud, it may prove more of a boon than a bugbear.

Ben Beeson is senior vice president and cyber risk practice leader for Kansas City-based Lockton Cos. Email him at [email protected].

Eben Kaplan is a consultant with Crowdstrike, a cybersecurity technology company based in Irvine, Calif. Email him at [email protected].
