The Gap in the Clouds
Cloud computing is integral to modern business. According to market research firm Gartner, the global cloud service industry will be worth $180 billion by 2015, while cloudhypermarket.com estimated a third of all IT expenditures in 2013 would be on cloud computing.
The cloud network is maintained by nearly 35,000 data centers (cloud service facilities containing physical servers), about 25,000 of which are located in the United States. These facilities are extremely well protected, employing the very best physical and cyber security systems, and are usually located in secretive locations away from obvious natural perils.
However, these facilities still require traditional property coverage to insure against risks including flood, fire, storm, earthquake, sabotage, civil commotion and terrorism. If one or more major cloud service facilities were damaged, service could be disrupted and data lost, with far-reaching economic implications for businesses that rely on the service.
Last year, Superstorm Sandy shut down data centers in Manhattan, while Amazon suffered two separate power outages at its Northern Virginia cloud facility, forcing many popular websites including Netflix, Instagram and Pinterest offline. But it’s not just media outlets that suffer — thousands of businesses are now actively using the cloud for business purposes, with basic data storage only accounting for 13 percent of cloud usage, according to research firm IDC.
Despite growing reliance on the cloud, Florence Levy, senior vice president and head of Lockton’s Global Technology and Privacy Practice, believes there is a gap in the insurance market that could leave cloud users uninsured for lost data or business interruption in the event of a physical event damaging a cloud facility.
“Traditionally, property policies address physical triggers and harm, while cyber and even errors and omissions policies are intended to address non-physical triggers and economic damage,” she said. “In the event of a physical trigger causing non-physical harm, property underwriters and cyber underwriters will be left pointing fingers at each other.”
According to Jim Charron, Technology Practice leader for Zurich, it is possible to insure data under a property policy, although coverage language often doesn’t capture the entire exposure. “Some [policies] are very clear that they cover computing resources and will specifically state that the coverage includes voice, data and even video, while others are not,” he said. “There are requests for this exposure to be covered and underwriters are responding, but the wording isn’t always reflective of the exposures.”
Charron added that underwriting becomes even more complicated when data is being held by a third party on behalf of potentially millions of clients.
“Traditional property and business interruption risks already existed for insureds who maintained their computing resources within their own buildings, but with the use of the cloud those risks are subject to equipment not owned by the insured. Once the risk has been transferred to another party the insurance needs to change along with that,” he said. “I think there is an opportunity for insurers to refresh their approach.”
“People are starting to realize this may be a bigger issue than we had previously allotted for in the last couple of years. Savvy clients are asking a lot of questions,” said Levy, adding that brokers are trying to encourage insurers to develop enhanced coverage to ensure cloud users’ data is properly insured.
“The market is trying to figure out a way to address this, whether it is some sort of ‘difference in conditions’ policy that sits above the property and cyber policies, or more collaboration between the property and cyber underwriters and brokers to come up with a more effective solution,” she said.
Levy admitted, however, that creating some kind of hybrid product would be very challenging for insurers. “Cyber and property are two very different coverages with different profitability standards and historical data sets. The most likely solution is an umbrella or difference in conditions policy rather than stretching either set of underwriters beyond their comfort zone,” she said.
Another major challenge is aggregation of risk, with tens of thousands of businesses potentially facing disruption if any of the leading cloud providers went down.
“What is the aggregated business interruption and property damage exposure of one or several of these facilities if they were attacked all at once or there was a large weather event?” asked Charron. “If a major facility is taken down it could have a dramatic impact on the insurance industry.”
When in Doubt, Sue
Cloud users may have another form of protection. Robert Parisi, Network Security and Privacy Practice leader at Marsh, who places E&O and professional liability (PL) risks for cloud service providers, believes providers are vulnerable to PL claims, even if interruption or loss of data was caused by a physical risk rather than negligence.
“I don’t think there are gaps in coverage. If a cloud provider is unable to provide their service, it is going to come back at them as a PL claim. The end user is not going to care one whit why the cloud provider wasn’t there when they needed them — they just know they have a contract and the provider didn’t honor it,” he said.
Accordingly, cloud providers have to ensure their E&O and PL policy wordings are airtight in their response to ‘act of God’ type risks or even deliberate physical sabotage and terrorism risks.
“From an end user’s perspective, the principal recovery vehicle is going to be that PL policy, so the cloud providers and their brokers need to look under the hood of their policies,” said Parisi. “The market has evolved and is getting better at providing solutions, and the coverage is fairly broad. It is up to the broker to be aware those solutions exist and stitch them together for [the cloud provider].”
Parisi said PL claims against cloud providers are common, particularly in the litigious United States, where cloud users also have very high expectations — anything less than 24-hour service at optimal speed could result in a PL claim, particularly from users whose businesses rely on real-time data feeds.
“Tech companies are regularly sued for failing to provide service or failing to render the service non-negligently. Tech is not perfect, and when it goes wrong, usually the first thing a client of a tech company is going to do is assume the tech provider must have done something wrong,” he said.
“Not only is the cloud provider going to be held to rendering the service and having the service functioning as intended, there is also an element of latency risk; clients want their service working now, on demand, and without any delays.”
In order for the cloud providers to ensure they get adequate coverage against such claims, they must demonstrate high levels of risk management, including building redundancies into their systems so that if one facility is damaged, the data can be switched rapidly to another network or facility without being lost.
“One of the large tech companies runs an entirely parallel network right next to their production network so if anything happens they can switch their customers from the day-to-day network to the parallel redundant network in the blink of an eye,” said Parisi.
“That’s an extreme example – most providers don’t have a parallel network. But if they are going to guarantee 100 percent up-time they need to make sure they have the facilities that can do that — and if that means geographically separating their data centers then that is what must be done.”
When it comes to liability for data loss or service downtime, much hinges on the service level agreement between the two parties.
“This agreement defines what level of liability the provider assumes. In that contracting process the provider can say they will deliver their service but there are things outside of their control, and if those things prevent the service the user will have to live with that,” said Parisi. “That won’t always necessarily fly in the negotiation process — in which case the provider may put liquidated damages or limitations of liability clauses with pre-agreed settlements or caps on liability into the contract.”
Parisi added that one of the best things a cloud provider can do to limit their liability is to manage the expectations of the cloud user.
“The quickest way for someone to think the provider did something wrong is for the provider to overpromise,” he said, noting that startup cloud providers are most susceptible to this as they aggressively compete for business.
Ultimately, though, cloud users must take responsibility for their own data — particularly if it is critical to their business. “Cloud users should take it as incumbent upon them as part of their risk management policy to ensure they have their data backed up, and most of them probably do,” said Zurich’s Charron. “The rub is if they are creating new data all the time and there is value in the creation of this new data being generated. Identifying whether data is confidential or mission-critical can help the user understand how often they should back up their data.”
Parisi said cloud use should be treated with the same common sense as any other enterprise risk.
“If you’re relying solely on a third party for the sanctity and security of your data, you are probably making a lot of other mistakes in your business,” he said.
More Time for TRIA?
It’s that time again. More than 12 years after 9/11, terrorism remains the most emotive of topics and it will soon take center stage once more, as the third Terrorism Risk Insurance Act (TRIA) is set to expire on Dec. 31, 2014.
Opinion is divided over the future of this federal backstop that protects the U.S. insurance market against a major terrorism loss.
Most believe the Act should be renewed, albeit with amendments. Yet, there remains a valid argument that TRIA has served its purpose and is no longer necessary. Terrorism risk, some say, is no different than any other catastrophe peril and should be insured entirely by the private market.
Under the existing TRIA program, a federal payout would be triggered by a terrorism loss of $100 million or more — a scenario fortunately yet to be tested since the Act was first implemented in 2002 and subsequently extended in 2005 and 2007.
Corporate insurance buyers and their brokers are certainly in favor of a federal backstop remaining in place in some form or other — after all, without TRIA, there is no way terrorism property cover would be as accessible and affordable as it is today.
“Since 2002, there has been a dramatic increase in terrorism property capacity in the marketplace and rates have decreased year on year,” said Rob Cruz, senior vice president of Hiscox USA, noting that the enactment of TRIA successfully brought an end to the price hikes and withdrawal of carriers from the market that occurred in the immediate aftermath of 9/11.
“If the backstop and the requirement of carriers to make this cover available were removed, we believe a substantial number of P&C carriers would simply decline to underwrite the risk,” he told Risk & Insurance®.
Impact on Workers’ Comp
“We have already begun to see the uncertainty over TRIA prompt some workers’ compensation carriers to pull back from certain parts of the market where they feel they have aggregated risk — large urban areas with high concentrations of buildings and employees,” he added.
Indeed, while the U.S. insurance industry now boasts a healthy surplus of P&C capacity, there is less confidence in the ability of the industry to foot potentially enormous workers’ compensation losses. Workers’ comp cover is mandatory, and most states, including New York, do not exclude terrorism. As such, capacity is stretched in dense urban areas containing many employees.
Will Farmer, terrorism underwriter for reinsurer Catlin, said that while property terrorism risk for a large office building is usually syndicated, the workers’ compensation policy covering the staff in the same building is often written by a single carrier.
“It’s hard to see small carriers continuing to write very large lines of workers’ compensation without TRIA,” he said.
Lloyd’s — the reinsurance market which carries more than half of the world’s stand-alone terrorism risk — was unavailable for comment, but stated in 2010 that it did not believe the private market would have the capacity or risk appetite to fill the void that would be created if TRIA was to expire in 2014.
“A significant loss event could act as a market turning event, causing the price of terrorism risk insurance to rise, or capacity to withdraw,” Lloyd’s said, noting that a number of underwriters had indicated they would exclude terrorism altogether if TRIA was allowed to expire.
David Frediani, president of Ironshore International, which offers a stand-alone terrorism policy with a limit of $300 million, said TRIA serves a purpose as a last line of defense against catastrophic losses that could arise from unprecedented events such as biological or nuclear attacks.
“This is something the insurance market simply cannot model or reserve for,” he said.
Meanwhile, Cruz said it may be time to analyze whether TRIA is needed on a line-by-line basis.
“I think the market is in a great position to handle property terrorism — theoretically, there is around $3 billion stand-alone terrorism capacity in the market. As far as workers’ compensation and liability are concerned — I’m not sure if we’re ready yet to be without TRIA,” he said.
“If there were a future attack, we would want as much clarity as possible so we know what would be supported by the federal government and what would be supported by the private market.”
– Peter Beshar, general counsel, Marsh & McLennan
An Industry Bailout?
But there are vocal quarters of the insurance and academic communities that say TRIA has run its course, and should be removed altogether.
David C. John, senior research fellow at the Heritage Foundation think tank, last year called on the House of Representatives for a “firm and short phase-out” of the Act, which he described as a “pre-approved bailout” for insurance companies.
He argued that, by allowing insurers to collect premiums without facing the true value of losses, terrorism risk is being underpriced and insurance buyers have no incentive to reduce their risk.
“There was a good reason to establish TRIA, but those days are gone,” he said.
In September 2013, Professor Robert Rhee reinforced that argument on behalf of the Cato Institute think tank, which released a detailed policy analysis of TRIA.
“If there was some ambiguity about the program’s need before, there is none now. Terrorism risk is not more severe than other insurable risks such as natural catastrophes. The private market is capable of underwriting this risk,” he said.
Natural catastrophes cost the U.S. insurance market $45.7 billion in losses between 2003 and 2012. Terrorism cost just $433 million.
Of the 20 most costly worldwide insurance losses between 1970 and 2012, 9/11 ranks fifth at $24 billion (according to Swiss Re) and the rest are natural disasters. Ten of the 20 costliest catastrophes were weather events occurring post-2000, yet these natural perils remain insured by the private market with no federal backstop, Rhee pointed out.
“It does seem strange that terrorism is the one peril that people feel needs to be fully insured,” said Catlin’s Farmer, who believes the private market is well equipped to handle a major terrorism loss.
“If insurers just want to write predictable risk, that’s not always helpful to the clients; the insurance market needs to step up and deal with unpredictable and difficult risks too,” he said.
Difficult to Model
TRIA advocates argue that although U.S. terrorism losses have been negligible since 9/11, it is impossible to know when, how and to what extent the next major attack will affect the United States, making the risk very difficult to model.
Even Rhee said that “without good data and reliable modelling, premiums must incorporate a substantial mark-up to ensure proper reserving for losses.” However, he argued, conclusions can be drawn from existing data to help insurers price the risk — such as the fact that high value economic targets tend to be concentrated in certain geographic areas.
Few would disagree that the current $100 million trigger for TRIA appears disproportionately low given the market’s ability to absorb multibillion dollar natural catastrophes each year with few problems. “There is no reason why the private market can’t cope with events that are much larger than $100 million — all that’s doing is giving corporate welfare to smaller insurers,” said Farmer.
Each amendment to TRIA to date has seen increased private market participation and the consensus is that the $100 million trigger point will be scrutinized if TRIA is renewed.
While Farmer speculated a new trigger loss would be around $500 million or $1 billion, Rhee suggested raising the private market deductible to as much as $50 billion — effectively reserving TRIA for a truly industry-shaking event. However, raising the trigger would be bad news for small carriers and particularly captive insurers, many of whom could not afford to take higher deductibles and rely heavily on TRIA.
Cruz also pointed out that, for major insurance carriers, the point at which the government participates in a loss would actually most likely be far higher than $100 million, because insurers have a 20 percent direct earned premium deductible on the prior year’s earnings on all applicable TRIA lines.
“Losses have to be huge before some insurers would see money back from the government. A higher retention would equate to no TRIA at all for some companies,” he said.
One element of TRIA most parties would agree on is that if it is to be renewed, more clarity is needed on the definition of coverage as the nature and scope of terrorist methods continue to evolve.
At present, any terrorist event over $5 million must be certified as such by the government, and the fact that the Boston bombing in April 2013 has yet to be certified is a cause for concern in the industry.
“Boston was the defining moment — we know the perpetrator went overseas, trained and made friends there; I doubt there’s a citizen in the U.S. who would argue that was not an act of terrorism,” said Joe Boren, chairman, Environmental, at Ironshore.
“If you’re a small or mid-sized business, you can’t afford to wait around for seven months or more while bureaucrats in Washington, D.C. make a decision — you will go out of business,” he said.
In his testimony to the House of Representatives on Sept. 19, Marsh’s Beshar called for a 90-day time period in which to determine whether an attack is covered by TRIA; clarification that TRIA will backstop nuclear, biological, chemical and radiological events if coverage is provided in the underlying policy; and modernization of TRIA to reflect new terrorist threats including cyber terrorism.
“If there were a future attack, we would want as much clarity as possible so we know what would be supported by the federal government and what would be supported by the private market,” he said.
“The certification of an event as terrorism is still very political,” added Cruz. “I feel this judgment should be made by an independent body, not bodies employed by the president.”
Indeed, it is ultimately politicians who will decide TRIA’s fate, and all three scenarios — renewal, amendment and expiration — are still very much on the table.
Cruz said he has spoken to Washington, D.C., insiders who suggest the next renewal debate will see a “clean slate look at the Act.” Yet, according to Farmer, “even some of the most ardent TRIA supporters say you can’t rule out inertia in the government and polarization of Congress leading to the program lapsing.”
Although TRIA’s expiration date is still more than a year away, insurers need an indication of the Act’s fate sooner rather than later. After all, policies that renew in early 2014 will start their term with TRIA in place but could end up without any TRIA as of Jan. 1, 2015.
“Insurers writing terrorism lines could be caught in an awkward situation and put their balance sheets at risk if they continue writing this coverage without terrorism reinsurance or TRIA,” warned Cruz.
While there are no clear biases along party lines that could lead to TRIA being held hostage in Congress, Cruz said the geographical make-up of the decision-making panel could have an influence.
Beshar, however, said: “TRIA is not just a Northeast phenomenon; terrorism insurance is growing faster in the West than anywhere else in the country. This is a cross-sector issue that affects the whole country, and lawmakers realize the significance of TRIA to their constituents.”
Despite some compelling economic arguments for the removal or scaling down of the Act, the very nature of terrorism breeds extreme caution — fear of the scale and nature of the next attack; fear among politicians of appearing complacent; fear among insurance buyers over how the insurance market will respond to life without the TRIA safety blanket.
Indeed, psychology — perhaps even more so than economic risk itself — will be crucial in determining whether, and in what form, TRIA endures.