|
|
| (36 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| [[File:Calculator-385506 1280.jpg|right|400px]]In January 2020, law firm Woodruf Sawyer indicated that among its business clients, the percentage of those organizations acquiring cybersecurity insurance coverage increased from 22 percent in 2016 to 39 percent in 2019, with that number expected to rise.<ref name="FlorescaBuying20">{{cite web |url=https://woodruffsawyer.com/cyber-liability/is-buying-cyber-insurance-worth-it/ |title=Buying Cyber Insurance: It May Be Required, But Is It Worth It? |author=Floresca, L. |work=Insights |publisher=Woodruff Sawyer |date=23 January 2020 |accessdate=21 August 2021}}</ref> The concept of cyber insurance has been around for several decades, but it has gained traction as a more popular offering in recent years. Initial adoption has often been hampered by the perception that issuers of such policies will rarely pay. But as companies like Merck, Equifax, and Marriott demonstrate that payment under cyber insurance policies is possible<ref name="FlorescaBuying20" />, questions remain about the value and availability of cybersecurity insurance, particularly when cloud computing is involved.
| | {{Saved book |
| | |title=Introduction to Quality and Quality Management Systems |
| | |subtitle= |
| | |cover-image=Time-Quality-Money.png |
| | |cover-color=#fffccc |
| | | setting-papersize = A4 |
| | | setting-showtoc = 1 |
| | | setting-columns = 1 |
| | }} |
|
| |
|
| In their 2020 paper for the Carnegie Endowment, Levite and Kalwani shared their educated opinion on the cybersecurity insurance market as it relates to cloud computing<ref name="LeviteCloud20">{{cite web |url=https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124 |title=Cloud Governance Challenges: A Survey of Policy and Regulatory Issues |author=Levite, A.; Kalwani, G. |publisher=Carnegie Endowment for International Peace |date=09 November 2020 |accessdate=21 August 2021}}</ref>:
| | ==''Introduction to Quality and Quality Management Systems''== |
| | {{ombox |
| | | type = content |
| | | style = width: 500px; |
| | | text = This book should not be considered complete until this message box has been removed. This is a work in progress. |
| | }} |
| | The goal of this short volume is to act as an introduction to the quality management system. It collects several articles related to quality, quality management, and associated systems. |
|
| |
|
| <blockquote>Another important regulatory priority in the category of resilience is insurance as a risk channeling mechanism, to offset physical or financial damages resulting from cloud failures ... At present, little recourse is available to CSPs or the consumer to address such serious and likely scenarios. The nascent cloud insurance market does not currently offer extensive solutions to this predicament, in part because of serious concern for the systemic risk that accumulates as a result of the cloud’s market concentration and the potential for cascading effects. System failures could potentially affect many different parties at once, trickling upward, downward, and sideways, and resulting in a mass of claims that could prove excessive for insurers and reinsurers to cover. Regulators’ concerns over the solvency of (re)insurers that underwrite cloud services in these domains are bound to further slow down expansion of insurance for cloud service business interruptions, especially as they pertain to coverage of damages to third parties.</blockquote>
| | ;1. What is quality? |
| | :''Key terms'' |
| | :[[Quality (business)|Quality]] |
| | :[[Quality assurance]] |
| | :[[Quality control]] |
| | :''The rest'' |
| | :[[Data quality]] |
| | :[[Information quality]] |
| | :[[Nonconformity (quality)|Nonconformity]] |
| | :[[Service quality]] |
| | ;2. Processes and improvement |
| | :[[Business process]] |
| | :[[Process capability]] |
| | :[[Risk management]] |
| | :[[Workflow]] |
| | ;3. Mechanisms for quality |
| | :[[Acceptance testing]] |
| | :[[Conformance testing]] |
| | :[[Clinical quality management system]] |
| | :[[Continual improvement process]] |
| | :[[Corrective and preventive action]] |
| | :[[Good manufacturing practice]] |
| | :[[Malcolm Baldrige National Quality Improvement Act of 1987]] |
| | :[[Quality management]] |
| | :[[Quality management system]] |
| | :[[Total quality management]] |
| | ;4. Quality standards |
| | :[[ISO 9000]] |
| | :[[ISO 13485]] |
| | :[[ISO 14000|ISO 14001]] |
| | :[[ISO 15189]] |
| | :[[ISO/IEC 17025]] |
| | :[[ISO/TS 16949]] |
| | ;5. Quality in software |
| | :[[Software quality]] |
| | :[[Software quality assurance]] |
| | :[[Software quality management]] |
|
| |
|
| Levite and Kalwani touch upon the increasingly concentrated nature of cloud services, as mentioned in Chapter 2. The topic is also tangentially discussed by Woodruff Sawyer's Lauri Floresca, but from the perspective of the multitenant nature of public cloud. "If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer," they note in a July 2020 Insights post.<ref name="FlorescaCloud20">{{cite web |url=https://woodruffsawyer.com/cyber-liability/cloud-computing/ |title=Cloud Computing Risk and Cyber Liability Insurance |author=Floresca, L. |work=Insights |publisher=Woodruff Sawyer |date=09 July 2020 |accessdate=21 August 2021}}</ref> These and other considerations bring about questions concerning how insurers will tighten policies and what insurers may or may not cover going forward in the 2020s. As such, this topic of what existing cybersecurity insurance policy writers will and will not cover, and how much—if any—of the policy addresses third-party cloud providers, deserves a brief but closer look.
| | <!--Place all category tags here--> |
| | |
| When approaching an insurer about cybersecurity (cyber) insurance, one of the first questions asked should be how cloud computing affects their policies. A quality insurer will make clear in its policy definitions and other documentation what actually constitutes being in the cloud, stating that the "computer system" of an insured organization extends to third-party networks. However, it's important to note that not only does the idea of shared responsibility between the organization and the CSP still stand, but also the concept of who the "data owner" or originator of any affected data is: your organization. In regulated environments where protected health information (PHI) is created and managed, that ownership may be extended to the CSP via, e.g., the [[Health Insurance Portability and Accountability Act]]'s (HIPAA's) requirement for business associate agreements. But ultimately your organization is still the primary data owner and holds much of the liability.<ref name="FlorescaCloud20" /> This is a primary reason to consider the value of cyber insurance that extends to the cloud.
| |
| | |
| However, as Floresca notes, the onus isn't exclusively placed on the organization to acquire insurance<ref name="FlorescaCloud20" />:
| |
| | |
| <blockquote>Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.</blockquote>
| |
| | |
| But what does cyber insurance in 2021 actually look like? What does it cover? From our five risk categories described earlier, we find that data security and regulatory risk, as well as operational risk, are where most cyber risks will be found. Those categories of risk are addressed in some fashion by cyber insurance through a number of insuring agreements: network security, privacy liability, network business interruption, media liability, and errors and omissions (E&O). These are explained further below<ref name="BurkeCyber20">{{cite web |url=https://woodruffsawyer.com/cyber-liability/cyber-101-liability-insurance-2021/ |title=Cyber 101: Understand the Basics of Cyber Liability Insurance |author=Burke, D. |work=Insights |publisher=Woodruff Sawyer |date=02 November 2020 |accessdate=21 August 2021}}</ref>:
| |
| | |
| * ''Network security coverage grant'': This covers your organization should a data breach, malware infection, cyber extortion effort, ransomware attack, or email phishing scam compromise your network security or cause it to fail. Coverage can expand to both first- and third-party costs, including legal expenses, digital forensics (also mention in Chapter 2), data restoration, customer notification, public relations consulting, and more.
| |
| * ''Privacy liability coverage'': This covers your organization should government regulatory investigations, law enforcement investigations, legal contract obligations, or other such circumstances surrounding a cyber-incident or regulatory breach incur costs upon the organization. Coverage can expand to both first- and third-party costs, including costs from litigation defense, settlements, fines, and penalties.
| |
| * ''Network business interruption coverage'': This covers your organization should third-party hacks, failed software patches, human error, or other such circumstances cause security failures. Organizations can recover lost profits, fixed expenses, and other additional costs, depending on the policy.
| |
| * ''Media liability coverage'': This covers you organization should someone infringe upon your intellectual property. Though not directly related to security, this form of legal protection is often a part of cyber insurance, providing coverage for losses associated with non-patent infringement losses from both online and print advertising of your services.
| |
| * ''Errors and omissions (E&O)'': This covers your organizations from, essentially, breach of contractual obligation. In the case of cloud, this would mean the CSP failed in the performance of their services by, e.g., allowing a breach of the organization's cloud data.<ref name="FlorescaCloud20" /> Coverage includes legal defense costs or other indemnification as a result of a dispute with not only a CSP but also one of your customers.
| |
| | |
| Ultimately, it's up to you, the organization, to decide how to approach cloud-inclusive cyber insurance. Does your organization consider acquiring this type of insurance? Can your organization supply all the information a potential cyber insurance underwriter may ask for as part of the process? Do your potential CSP candidates have their own cyber insurance, and what does that insurance address? In the end, despite applying significant effort to your organization's approaches to risk management and security controls, the organization will need to look at costly risks as a matter of "when," not "if." If the potential consequences would be too detrimental to the organization, cyber insurance for your cloud expansion may be due. Just know that acquiring that insurance won't necessarily be straightforward.
| |
| | |
| ==References==
| |
| {{Reflist|colwidth=30em}}
| |
| | |
| | |
| ==Citation information for this chapter==
| |
| '''Chapter''': 3. Organizational cloud computing risk management
| |
| | |
| '''Title''': ''Choosing and Implementing a Cloud-based Service for Your Laboratory''
| |
| | |
| '''Edition''': First edition
| |
| | |
| '''Author for citation''': Shawn E. Douglas
| |
| | |
| '''License for content''': [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International]
| |
| | |
| '''Publication date''': August 2021
| |
