|
|
Line 1: |
Line 1: |
| Speaking to the broad business level, well-executed integrated risk management programs help limit risks within an organization, in turn helping the organization realize tangible benefits.<ref name="HillsonUsing03">{{cite web |url=https://www.pmi.org/learning/library/risk-management-strategic-advantage-tactics-7727 |title=Using risk management for strategic advantage |author=Hillson, D. |publisher=Project Management Institute |date=25 September 2003 |accessdate=21 August 2021}}</ref> But what are the benefits that arise from an organization that employs integrated risk management efforts? First, by discussing the positive and negative aspects of risks, you potentially discover unintended consequences or new opportunities you may not have at first considered. You may also identify how those risks may extend to other parts of the organization you didn't expect. For example, could a security gap on a remote field sensor lead to a potential attacker finding a way into operational data stores? If you discuss these and other potential situations, the organization also has the added benefit of not being caught off guard since the risk has already been acknowledged. Finally, with quality risk management planning, resources are deployed more optimally and performance becomes more consistent.<ref name="HillsonUsing03" /><ref name="AmatoFive16">{{cite web |url=https://www.fm-magazine.com/news/2016/jul/integrated-risk-management-201614781.html |title=5 benefits of an integrated risk management programme |work=Financial Management |author=Amato, N. |date=12 July 2016 |accessdate=21 August 2021}}</ref>
| | [[File:Calculator-385506 1280.jpg|right|400px]]In January 2020, law firm Woodruf Sawyer indicated that among its business clients, the percentage of those organizations acquiring cybersecurity insurance coverage increased from 22 percent in 2016 to 39 percent in 2019, with that number expected to rise.<ref name="FlorescaBuying20">{{cite web |url=https://woodruffsawyer.com/cyber-liability/is-buying-cyber-insurance-worth-it/ |title=Buying Cyber Insurance: It May Be Required, But Is It Worth It? |author=Floresca, L. |work=Insights |publisher=Woodruff Sawyer |date=23 January 2020 |accessdate=21 August 2021}}</ref> The concept of cyber insurance has been around for several decades, but it has gained traction as a more popular offering in recent years. Initial adoption has often been hampered by the perception that issuers of such policies will rarely pay. But as companies like Merck, Equifax, and Marriott demonstrate that payment under cyber insurance policies is possible<ref name="FlorescaBuying20" />, questions remain about the value and availability of cybersecurity insurance, particularly when cloud computing is involved. |
|
| |
|
| An integrated risk management approach will naturally extend to an organization’s information technology and how it's used. From sticky-noted passwords on monitors to unauthorized USB hard drives, local IT systems and their data can be put at risk. Now imagine extending that risk to public cloud services. Remember, with added complexity comes added risk, and cloud computing is no exception. This requires a concerted effort from all levels of the organization (again, see Figure 4) to address the risks of doing business in the cloud. This effort can be expedited through the use of risk management and cybersecurity frameworks that guide the organization towards better security and data integrity.
| | In their 2020 paper for the Carnegie Endowment, Levite and Kalwani shared their educated opinion on the cybersecurity insurance market as it relates to cloud computing<ref name="LeviteCloud20">{{cite web |url=https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124 |title=Cloud Governance Challenges: A Survey of Policy and Regulatory Issues |author=Levite, A.; Kalwani, G. |publisher=Carnegie Endowment for International Peace |date=09 November 2020 |accessdate=21 August 2021}}</ref>: |
|
| |
|
| Cloud computing has existed for over a decade now, and many experts have arisen from the rapidly changing field. Some of those experts have contributed their experience and knowledge to the development of risk management and cybersecurity frameworks over the years. The most successful have been widely disseminated (though several may not be free), meaning you don't have to reinvent the wheel when it comes to assessing and managing risk in your existing and upcoming IT systems. Table 5 shows some popular examples of risk management and cybersecurity frameworks that can be applied to provider and customer cloud security efforts.
| | <blockquote>Another important regulatory priority in the category of resilience is insurance as a risk channeling mechanism, to offset physical or financial damages resulting from cloud failures ... At present, little recourse is available to CSPs or the consumer to address such serious and likely scenarios. The nascent cloud insurance market does not currently offer extensive solutions to this predicament, in part because of serious concern for the systemic risk that accumulates as a result of the cloud’s market concentration and the potential for cascading effects. System failures could potentially affect many different parties at once, trickling upward, downward, and sideways, and resulting in a mass of claims that could prove excessive for insurers and reinsurers to cover. Regulators’ concerns over the solvency of (re)insurers that underwrite cloud services in these domains are bound to further slow down expansion of insurance for cloud service business interruptions, especially as they pertain to coverage of damages to third parties.</blockquote> |
|
| |
|
| {|
| | Levite and Kalwani touch upon the increasingly concentrated nature of cloud services, as mentioned in Chapter 2. The topic is also tangentially discussed by Woodruff Sawyer's Lauri Floresca, but from the perspective of the multitenant nature of public cloud. "If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer," they note in a July 2020 Insights post.<ref name="FlorescaCloud20">{{cite web |url=https://woodruffsawyer.com/cyber-liability/cloud-computing/ |title=Cloud Computing Risk and Cyber Liability Insurance |author=Floresca, L. |work=Insights |publisher=Woodruff Sawyer |date=09 July 2020 |accessdate=21 August 2021}}</ref> These and other considerations bring about questions concerning how insurers will tighten policies and what insurers may or may not cover going forward in the 2020s. As such, this topic of what existing cybersecurity insurance policy writers will and will not cover, and how much—if any—of the policy addresses third-party cloud providers, deserves a brief but closer look. |
| | STYLE="vertical-align:top;"|
| |
| {| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="70%"
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 5.''' Examples of some common risk management and cybersecurity frameworks for cloud security.
| |
| |-
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Framework
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Developer
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Type of framework
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Details
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/ CIS Controls with Cloud Companion Guide]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Center for Internet Security (CIS)
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity for cloud
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|The CIS Controls are a "prioritized set of actions to protect your organization and data from known cyber-attack vectors."<ref name="CIS_Controls">{{cite web |url=https://www.cisecurity.org/controls/ |title=CIS Controls |publisher=Center for Internet Security |accessdate=21 August 2021}}</ref> The CIS has released a Cloud Companion Guide to accompany their cybersecurity controls, meant to address how to use the CIS Controls in a cloud environment.<ref name="CIS_ControlsCloud">{{cite web |url=https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/ |title=CIS Controls Cloud Companion Guide |publisher=Center for Internet Security |accessdate=21 August 2021}}</ref>
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloudsecurityalliance.org/research/cloud-controls-matrix/ Cloud Controls Matrix (CCM)]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Security Alliance (CSA)
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity for cloud
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|"The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance. Version 4 of the CCM has been updated to ensure coverage of requirements deriving from new cloud technologies, new controls and security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards."<ref name="CSA_CCM">{{cite web |url=https://cloudsecurityalliance.org/research/cloud-controls-matrix/ |title=Cloud Controls Matrix (CCM) |publisher=Cloud Security Alliance |accessdate=21 August 2021}}</ref>
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cyber.gc.ca/en/guidance/cloud-security-risk-management-itsm50062 Cloud Security Risk Management (ITSM.50.062)]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Canadian Centre for Cyber Security (CCCS)
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud risk management
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|"To enable the adoption of cloud computing, the Government of Canada (GC) developed an integrated risk management approach to establish cloud-based services. ITSM.50.062 outlines this approach which can be applied to all cloud based services independently of the cloud service and deployment models."<ref name="CCCSCloud19">{{cite web |url=https://www.cyber.gc.ca/en/guidance/cloud-security-risk-management-itsm50062 |title=Cloud Security Risk Management (ITSM.50.062) |author=Canadian Centre for Cyber Security |publisher=Government of Canada |date=March 2019 |accessdate=21 August 2021}}</ref>
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://dx.doi.org/10.14569/IJACSA.2019.0101226 Cloud Security Risk Management Framework (CSRMF)]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Ahmed E. Youssef
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud risk management
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|"In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting [cloud computing] identify, analyze, evaluate, and mitigate security risks in their cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the organizations. It allows any organization adopting CC to be aware of cloud security risks and align their low-level management decisions according to high-level business objectives."<ref name="YoussefAFrame19">{{cite journal |title=A Framework for Cloud Security Risk Management based on the Business Objectives of Organizations |journal=International Journal of Advanced Computer Science and Applications |author=Youssef, A.E. |volume=10 |issue=12 |pages=186-194 |year=2019 |doi=10.14569/IJACSA.2019.0101226}}</ref>
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597 Cloud Security Risk Vectors]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Tim Maurer and Gerrett Hinck
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud risk management
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|"The framework ... applies the well-known cybersecurity triad of confidentiality, integrity, and availability to these risk vectors and includes rough guesstimates of the probabilities that various incidents will occur, ranging from more common incidents to potential black swan events. These probabilities are not intended as predictors but rather as a starting point for a discussion of how different risks could be classified that will hopefully be tested and improved with feedback from other experts over time. The notional probabilities were based on the authors’ assessment of the frequency of past occurrences, with events that have not yet occurred being assigned lower probabilities."<ref name="MaurerCloud20">{{cite web |url=https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597 |title=Cloud Security: A Primer for Policymakers |author=Maurer, T.; Hinck, G. |publisher=Carnegie Endowment for International Peace |date=31 August 2020 |accessdate=21 August 2021}}</ref>
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.iso.org/standard/43757.html ISO/IEC 27017:2015]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity for cloud
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ISO/IEC 27017:2015 "provides guidelines supporting the implementation of information security controls for cloud service customers and cloud service providers. Some guidelines are for cloud service customers who implement the controls, and others are for cloud service providers to support the implementation of those controls. The selection of appropriate information security controls, and the application of the implementation guidance provided, will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector specific information security requirements."<ref name="ISO27017">{{cite web |url=https://www.iso.org/obp/ui/#iso:std:iso-iec:27017:ed-1:v1:en |title=ISO/IEC 27017:2015(en) Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services |publisher=International Organization for Standardization |date=July 2015 |accessdate=21 August 2021}}</ref>
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.nist.gov/cyberframework NIST Cybersecurity Framework]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology (NIST)
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity framework
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|This framework "consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk."<ref name="NIST_NewTo">{{cite web |url=https://www.nist.gov/cyberframework/new-framework |title=Cybersecurity Framework - New to Framework |publisher=National Institute of Standards and Technology |date=23 September 2020 |accessdate=21 August 2021}}</ref> Note, however, that the framework has a couple of weaknesses in regards to cloud computing, including not addressing long-term retention of log files, security gaps with shared responsibility models, virtual tenant delegation, and too-broad role-based privileges.<ref name="HazelmanWhatThe20">{{cite web |url=https://www.infosecurity-magazine.com/opinions/nist-framework-misses-cloud/ |title=What the NIST Framework Misses About Cloud Security |work=InfoSecurity |date=28 December 2020 |accessdate=21 August 2021}}</ref> If this framework is adopted, keep these and other deficiencies in mind when attempting to close any security gaps.
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://csrc.nist.gov/projects/risk-management/ NIST Risk Management Framework (RMF)]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology (NIST)
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud and cybersecurity risk management
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|"Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector."<ref name="NIST_RMF21">{{cite web |url=https://csrc.nist.gov/projects/risk-management/about-rmf |title=NIST Risk Management Framework - About the Risk Management Framework (RMF) |publisher=National Institute of Standards and Technology |date=21 August 2021 |accessdate=21 August 2021}}</ref> The risk management framework is closely tied to SP 800-53 Rev. 5 ''Security and Privacy Controls for Information Systems and Organizations''.
| |
| |-
| |
| |}
| |
| |}
| |
|
| |
|
| Whether part of an organization’s broad cybersecurity plan development or as an independent effort, the organization should consider turning to the security controls, program development, and risk management aspects of one or more risk management and cybersecurity frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents. These frameworks will not only couch risks in terms of threats to confidentiality, integrity, and availability, but many will also contain security controls recommended for implementation to combat those threats.
| | When approaching an insurer about cybersecurity (cyber) insurance, one of the first questions asked should be how cloud computing affects their policies. A quality insurer will make clear in its policy definitions and other documentation what actually constitutes being in the cloud, stating that the "computer system" of an insured organization extends to third-party networks. However, it's important to note that not only does the idea of shared responsibility between the organization and the CSP still stand, but also the concept of who the "data owner" or originator of any affected data is: your organization. In regulated environments where protected health information (PHI) is created and managed, that ownership may be extended to the CSP via, e.g., the [[Health Insurance Portability and Accountability Act]]'s (HIPAA's) requirement for business associate agreements. But ultimately your organization is still the primary data owner and holds much of the liability.<ref name="FlorescaCloud20" /> This is a primary reason to consider the value of cyber insurance that extends to the cloud. |
|
| |
|
| NIST defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web |url=https://csrc.nist.gov/glossary/term/security_control |title=security control |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=2019 |accessdate=21 August 2021}}</ref> Let's use NIST's SP 800-53 Rev. 5 as an example. One of its security controls is "AC-20(4) Network Accessible Storage Devices - Prohibited Use," which states that users shall not use an organization-defined network accessible storage device in external systems, including "online storage devices in public, hybrid, or community cloud-based systems."<ref name="NISTSP800-53Rev5">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final |title=SP 800-53 Rev. 5 ''Security and Privacy Controls for Information Systems and Organizations'' |publisher=National Institute of Standards and Technology |date=10 December 2020 |accessdate=21 August 2021}}</ref> This control represents a potential safeguard an organization can implement, most likely as part of an enforced organizational security policy. By extension, those stakeholders responsible for configuring security in the cloud may also implement controls in the infrastructure to further discourage such access to those storage devices.
| | However, as Floresca notes, the onus isn't exclusively placed on the organization to acquire insurance<ref name="FlorescaCloud20" />: |
|
| |
|
| Note, however, that in contrast to using security controls, some frameworks exist to provide a more program-based or risk-based approach to plan development. Instead of using security controls that mandate an action as a base for building security, risk-based frameworks will typically first help the organization identify the potential threats to its goals and resources and define the strategy that will effectively monitor for and minimize the impact of those risks. Security controls can then be selected as part of that risk discovery process, but the overall framework serves as a guide to identifying and prioritizing the risks most likely to affect the organization. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.
| | <blockquote>Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.</blockquote> |
|
| |
|
| In 2020, Deloitte's Center for Regulatory Strategy released a document detailing the Federal Financial Institutions Examination Council's (FFIEC's) Joint Statement on Security in a Cloud Computing Environment. Part of that joint statement addressed how financial services institutions should approach risk management through the application of a risk-based framework. Five layered and hierarchical considerations were given for those institutions towards adopting a risk-based framework: governance, cloud security management, change management, resilience and recovery, and audit and controls assessment (from top to bottom). Those considerations are further discussed here<ref name="DeloitteFFIEC20">{{cite web |url=https://www2.deloitte.com/content/dam/Deloitte/us/Documents/financial-services/cloud-security-for-FSI.pdf |format=PDF |title=FFIEC statement on risk management for cloud computing services |author=Bhat, V.; Kapur, S.; Hodgkinson, S. et al. |publisher=Deloitte Development, LLC |date=2020 |accessdate=21 August 2021}}</ref>:
| | But what does cyber insurance in 2021 actually look like? What does it cover? From our five risk categories described earlier, we find that data security and regulatory risk, as well as operational risk, are where most cyber risks will be found. Those categories of risk are addressed in some fashion by cyber insurance through a number of insuring agreements: network security, privacy liability, network business interruption, media liability, and errors and omissions (E&O). These are explained further below<ref name="BurkeCyber20">{{cite web |url=https://woodruffsawyer.com/cyber-liability/cyber-101-liability-insurance-2021/ |title=Cyber 101: Understand the Basics of Cyber Liability Insurance |author=Burke, D. |work=Insights |publisher=Woodruff Sawyer |date=02 November 2020 |accessdate=21 August 2021}}</ref>: |
|
| |
|
| * ''Governance'': Similar to NIST SP 800-37 Rev. 2's risk management approach (Figure 4), knowledgeable stakeholders from all levels of the organization work together as a group to provide subject matter expertise towards developing an organizational plan for choosing, implementing, and securing cloud computing infrastructure and services.<ref name="DeloitteFFIEC20" /> | | * ''Network security coverage grant'': This covers your organization should a data breach, malware infection, cyber extortion effort, ransomware attack, or email phishing scam compromise your network security or cause it to fail. Coverage can expand to both first- and third-party costs, including legal expenses, digital forensics (also mention in Chapter 2), data restoration, customer notification, public relations consulting, and more. |
| * ''Cloud security management'': The group's stakeholders complete due diligence research on identified CSPs and how they can prove their level of enacted compliance and security controls, particularly in regards to the needs of the organization. As the organization dives deeper into this process and begins talking about contracts, the stakeholder group may need to develop a responsibility matrix—a tool for clearly delineating responsibilities, roles, milestones, and accountability for a project<ref name="KantorTheRACI18">{{cite web |url=https://www.cio.com/article/2395825/project-management-how-to-design-a-successful-raci-project-plan.html |title=The RACI matrix: Your blueprint for project success |author=Kantor, B. |work=CIO |date=30 January 2018 |accessdate=21 August 2021}}</ref>—to make clear who is responsible for what, particularly if any initial contract or shared responsibility model isn't clear or appears to neglect certain tasks and responsibilities. Additionally, during discussion of contracts and service-level agreements, the topic of quality assurance reports and "right to audit" systems should be discussed and finalized in writing.<ref name="DeloitteFFIEC20" /><ref name="HeroldWhyYou20">{{cite web |url=https://privacysecuritybrainiacs.com/privacy-professor-blog/why-you-should-use-a-right-to-audit-clause/ |title=Why You Should Use a Right to Audit Clause |author=Herold, R. |work=Privacy Security Brainiacs |date=28 March 2020 |accessdate=21 August 2021}}</ref> | | * ''Privacy liability coverage'': This covers your organization should government regulatory investigations, law enforcement investigations, legal contract obligations, or other such circumstances surrounding a cyber-incident or regulatory breach incur costs upon the organization. Coverage can expand to both first- and third-party costs, including costs from litigation defense, settlements, fines, and penalties. |
| * ''Change management'': When implementing software solutions or standalone code in the cloud, those solutions and code snippets will need to be updated from time to time for security purposes. These sorts of changes may have an impact on other aspects of the overall cloud experience, including security. As such, change management practices that take into consideration the use of cloud-specific testing tools and security knowledge are encouraged. Also consider the use of microservices architecture—which encourages a modular, independently deployable approach to application services<ref name="HustonWhatIs15">{{cite web |url=https://smartbear.com/solutions/microservices/ |title=What is Microservices |author=Huston, T. |work=SmartBear |date=2015 |accessdate=21 August 2021}}</ref>—which, when implemented well, will limit exposure to surface area attacks.<ref name="DeloitteFFIEC20" /> | | * ''Network business interruption coverage'': This covers your organization should third-party hacks, failed software patches, human error, or other such circumstances cause security failures. Organizations can recover lost profits, fixed expenses, and other additional costs, depending on the policy. |
| * ''Resilience and recovery'': Business continuity planning (BCP) is a critical part of any overall risk management planning. A BCP document outlines instructional procedures the organization must follow should a major disruption in provided services occur. Those disruptions can be sourced to risks such as natural disasters, [[pandemic]]s, fires, and sabotage. The BCP document should address continuity of service at all levels of the organization, including business processes, assets, human resource management, business partner effects, etc.<ref name="LindrosHowTo17">{{cite web |url=https://www.cio.com/article/2381021/best-practices-how-to-create-an-effective-business-continuity-plan.html |title=How to create an effective business continuity plan |author=Lindros, K.; Tittel, E. |work=CIO |date=18 July 2017 |accessdate=21 August 2021}}</ref> The addition of cloud services to business operations requires renewed examination of the BCP of the organization. Apply "stress test" scenarios to business operations under the scope of a CSP having services disrupted. Keep in mind how agile you expect the CSP to be in restoring service or recovering from a catastrophic event, including a pandemic that forces more staff to work remotely. How does this change your BCP, as well as any related disaster recovery planning documentation?<ref name="DeloitteFFIEC20" /> | | * ''Media liability coverage'': This covers you organization should someone infringe upon your intellectual property. Though not directly related to security, this form of legal protection is often a part of cyber insurance, providing coverage for losses associated with non-patent infringement losses from both online and print advertising of your services. |
| * ''Audit and controls assessment'': If your organization operates in a highly regulated sector, vetting the CSP as a whole may not be enough. Determine if regular background checks are performed on critical staff supporting regulated data storage and transmission on the cloud service. Know the regulations and standards that affect your industry's data and operations, and ask the CSP for further evidence of how they comply and help you support compliance on their service. From there, taking into account all the information gathered prior, a risk management and/or cybersecurity framework with controls can be selected and adapted to address the specific requirements of cloud service adoption and use within your organization. Be sure to address required [[Information management|data management]] and security monitoring systems and their own security as part of the control selection process. And after security controls are selected, consider the usefulness of an external review of those controls to ensure you haven't missed anything important to your industry or operating environment.<ref name="DeloitteFFIEC20" /> | | * ''Errors and omissions (E&O)'': This covers your organizations from, essentially, breach of contractual obligation. In the case of cloud, this would mean the CSP failed in the performance of their services by, e.g., allowing a breach of the organization's cloud data.<ref name="FlorescaCloud20" /> Coverage includes legal defense costs or other indemnification as a result of a dispute with not only a CSP but also one of your customers. |
|
| |
|
| While these five considerations were originally described in the context of financial services providers, they can be readily applied to organizations in nearly any sector. However, as Deloitte notes, these considerations are not a complete checklist for adopting a risk-based framework for cloud security. Organizations should also consider where "additional risk management measures such as ongoing assessments of concentration risk, data privacy and protection, data residency, increased adoption of new cloud services for regulated workloads," and more fit into overall risk management planning.<ref name="DeloitteFFIEC20" /> Your organization—as part of monitoring risk and quality control—will also likely want to adopt consistent periodic tests of the cloud computing security controls implemented into your organizational processes.<ref name="DeloitteFFIEC20" /> Other risk management activities include limiting the effects of employee negligence by providing thorough training and "blocking non-essential IPs from accessing the cloud," as well as having a detailed data loss plan and redundancies in place.<ref name="IFAhelp20">{{cite web |url=https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/ |title=A Helpful Guide to Cloud Computing in a Laboratory |work=InterFocus Blog |publisher=InterFocus Ltd |date=05 October 2020 |accessdate=21 August 2021}}</ref>
| | Ultimately, it's up to you, the organization, to decide how to approach cloud-inclusive cyber insurance. Should your organization consider acquiring this type of insurance? Can your organization supply all the information a potential cyber insurance underwriter may ask for as part of the process? Do your potential CSP candidates have their own cyber insurance, and what does that insurance address? In the end, despite applying significant effort to your organization's approaches to risk management and security controls, the organization will need to look at costly risks as a matter of "when," not "if." If the potential consequences would be too detrimental to the organization, cyber insurance for your cloud expansion may be due. Just know that acquiring that insurance won't necessarily be straightforward. |
|
| |
|
| ==References== | | ==References== |
| {{Reflist|colwidth=30em}} | | {{Reflist|colwidth=30em}} |
In January 2020, law firm Woodruff Sawyer indicated that among its business clients, the percentage of those organizations acquiring cybersecurity insurance coverage increased from 22 percent in 2016 to 39 percent in 2019, with that number expected to rise.[1] The concept of cyber insurance has been around for several decades, but it has gained traction as a more popular offering in recent years. Initial adoption has often been hampered by the perception that issuers of such policies will rarely pay. But as companies like Merck, Equifax, and Marriott demonstrate that payment under cyber insurance policies is possible[1], questions remain about the value and availability of cybersecurity insurance, particularly when cloud computing is involved.
In their 2020 paper for the Carnegie Endowment, Levite and Kalwani shared their educated opinion on the cybersecurity insurance market as it relates to cloud computing[2]:
Another important regulatory priority in the category of resilience is insurance as a risk channeling mechanism, to offset physical or financial damages resulting from cloud failures ... At present, little recourse is available to CSPs or the consumer to address such serious and likely scenarios. The nascent cloud insurance market does not currently offer extensive solutions to this predicament, in part because of serious concern for the systemic risk that accumulates as a result of the cloud’s market concentration and the potential for cascading effects. System failures could potentially affect many different parties at once, trickling upward, downward, and sideways, and resulting in a mass of claims that could prove excessive for insurers and reinsurers to cover. Regulators’ concerns over the solvency of (re)insurers that underwrite cloud services in these domains are bound to further slow down expansion of insurance for cloud service business interruptions, especially as they pertain to coverage of damages to third parties.
Levite and Kalwani touch upon the increasingly concentrated nature of cloud services, as mentioned in Chapter 2. The topic is also tangentially discussed by Woodruff Sawyer's Lauri Floresca, but from the perspective of the multitenant nature of public cloud. "If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer," they note in a July 2020 Insights post.[3] These and other considerations bring about questions concerning how insurers will tighten policies and what insurers may or may not cover going forward in the 2020s. As such, this topic of what existing cybersecurity insurance policy writers will and will not cover, and how much—if any—of the policy addresses third-party cloud providers, deserves a brief but closer look.
When approaching an insurer about cybersecurity (cyber) insurance, one of the first questions asked should be how cloud computing affects their policies. A quality insurer will make clear in its policy definitions and other documentation what actually constitutes being in the cloud, stating that the "computer system" of an insured organization extends to third-party networks. However, it's important to note that not only does the idea of shared responsibility between the organization and the CSP still stand, but also the concept of who the "data owner" or originator of any affected data is: your organization. In regulated environments where protected health information (PHI) is created and managed, that ownership may be extended to the CSP via, e.g., the Health Insurance Portability and Accountability Act's (HIPAA's) requirement for business associate agreements. But ultimately your organization is still the primary data owner and holds much of the liability.[3] This is a primary reason to consider the value of cyber insurance that extends to the cloud.
However, as Floresca notes, the onus isn't exclusively placed on the organization to acquire insurance[3]:
Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.
But what does cyber insurance in 2021 actually look like? What does it cover? From our five risk categories described earlier, we find that data security and regulatory risk, as well as operational risk, are where most cyber risks will be found. Those categories of risk are addressed in some fashion by cyber insurance through a number of insuring agreements: network security, privacy liability, network business interruption, media liability, and errors and omissions (E&O). These are explained further below[4]:
- Network security coverage grant: This covers your organization should a data breach, malware infection, cyber extortion effort, ransomware attack, or email phishing scam compromise your network security or cause it to fail. Coverage can expand to both first- and third-party costs, including legal expenses, digital forensics (also mentioned in Chapter 2), data restoration, customer notification, public relations consulting, and more.
- Privacy liability coverage: This covers your organization should government regulatory investigations, law enforcement investigations, legal contract obligations, or other such circumstances surrounding a cyber-incident or regulatory breach incur costs upon the organization. Coverage can expand to both first- and third-party costs, including costs from litigation defense, settlements, fines, and penalties.
- Network business interruption coverage: This covers your organization should third-party hacks, failed software patches, human error, or other such circumstances cause security failures. Organizations can recover lost profits, fixed expenses, and other additional costs, depending on the policy.
- Media liability coverage: This covers your organization should someone infringe upon your intellectual property. Though not directly related to security, this form of legal protection is often a part of cyber insurance, providing coverage for losses associated with non-patent infringement arising from both online and print advertising of your services.
- Errors and omissions (E&O): This covers your organization from, essentially, breach of contractual obligation. In the case of cloud, this would mean the CSP failed in the performance of their services by, e.g., allowing a breach of the organization's cloud data.[3] Coverage includes legal defense costs or other indemnification as a result of a dispute with not only a CSP but also one of your customers.
Ultimately, it's up to you, the organization, to decide how to approach cloud-inclusive cyber insurance. Should your organization consider acquiring this type of insurance? Can your organization supply all the information a potential cyber insurance underwriter may ask for as part of the process? Do your potential CSP candidates have their own cyber insurance, and what does that insurance address? In the end, despite applying significant effort to your organization's approaches to risk management and security controls, the organization will need to look at costly risks as a matter of "when," not "if." If the potential consequences would be too detrimental to the organization, cyber insurance for your cloud expansion may be due. Just know that acquiring that insurance won't necessarily be straightforward.