The introduction of insurance for CSPs recognises value of customer data

But end users must assume ultimate responsibility, warns CIF.

Thursday, 2nd May 2013, by Phil Alsop

The introduction of liability insurance for Cloud Service Providers (CSPs) would be an important step for end users, offering a higher level of assurance for their data. But, warns the Cloud Industry Forum (CIF), insurance is no cure-all, and, as such, should not factor too heavily in the selection of a cloud provider.


The International Association of Managed Service Providers (MSPAlliance) last week announced a partnership with insurance firm Lockton Affinity to offer its members the chance to obtain 'Cloud and Managed Services Insurance'. The product will provide cyber, contractual and general liability coverage in instances of cyber attacks, data losses and system outages.


Frank Jennings, cloud lawyer and partner at DMH Stallard and member of the CIF Governance Board, has welcomed the development but reminds end users that ultimate responsibility for their data still resides with them:
“A properly drawn up insurance policy which is available at an affordable price and which covers service outages and data loss/leakage could be a great step forward in the sector. Cloud providers typically pay out only service credits for service outages, even though this will not adequately compensate a customer who has not been able to transact business during the outage. Further, providers often exclude liability if they lose or leak a customer's data, even though this is the key asset they are looking after.


“But customers must still seek to ensure the cloud solution they buy reduces the risks of them actually needing to rely upon a pay-out under the policy. Also, they should check the small print of the insurance policy to make sure they are properly covered,” he continued.


Andy Burton, CIF’s Chairman, added: “In principle, the introduction of insurance for CSPs would be very welcome but my concern is that it may turn into a bit of a red herring, like many of the commercial claims of 100% service availability do, in that in their own right they offer a false sense of security. CSPs, like all external suppliers, will not, and should not, act as primary insurers of a customer's business and remedies under a contract may form part of, but should not be considered to be an entire, risk mitigation strategy. The challenges can very easily be compounded by the complexity of the supply chain in the cloud, with multiple parties collaborating to create the entire end-to-end service. My advice here is to get the basics right in the first place from the inside out: End users should look to cloud providers that have secured independent validation of their services, to ensure that your CSP meets the recognised standards in transparency, accountability and capability. This can be achieved today through best practice and certification against an Industry Code of Practice as offered by CIF. Insurance should really come as a secondary concern to reinforce commitment, not to substitute for it.”