I recently had a discussion with risk managers on the topic of “The Cloud.” Lots of noise about insurance but not much in the way of risk management.
Risk Management in the information world is “different” from the usual P-C world. Yes, there is a ‘breakable’ component in the coverage, hardware can burn or be stolen, but even here, the value of the data inside the server is many times greater than the cost of the server itself. Loss prevention is the focus of attention. You can rebuild the server room but you can’t unring a bell or undisclose secrets.
So attention switches to third party coverage for data breaches, etc. But First Party Coverage can get lost in the shuffle. If I have a mission-critical component of my business whose cost is a mere fraction of the value of the business that is run with that system, then I am seven kinds of fool if I do not have seamless redundancy. Telephone switches go down all the time, but the network routes around the damage.
And I keep coming back to Boiler&Machinery coverage: it’s more about the inspection service–to prevent explosions–than about paying to rebuild the factory after the boiler mishap levels the plant. Maybe what is needed is a package that includes a sign-off from Thawte or an equivalent certifier that the database is “secure.” In this context, security has three aspects: system availability (authorized users can gain access to data and perform transactions), integrity (the data in the system are tracked to authorized users) and privacy (unauthorized users don’t get to see the data or perform transactions). Based on this, a P-C company writes coverage for loss of use, reconstruction costs and third-party liability following a breach.
Perhaps we will see an exclusion for fixing the glitch that gave rise to the loss, much as CGL policies do not pay to correct a defect in construction but they may pay for damage to the other parts of the work caused by the glitch. “Insuring the Cloud” is a great attention-grabber, but when you break it down the coverage is much more down to earth.