Cloud computing contracts vary widely depending on the type of service being provided and the market to which that service is targeted. Cloud services that are inexpensive or free generally present the contract in the familiar “click-wrap” format that we all, at one point or another, have “agreed to” (but that we almost never actually read). Those agreements often are wholly in favor of the cloud service provider. On the other hand, larger cloud implementations representing considerable, strategic business decisions on the part of the customer (and considerable sales on the part of the cloud service providers) usually are accompanied by agreements that should be read, understood and negotiated to meet the right balance of risk and incentive for both parties. However, many of these contracts for large-scale cloud implementations nevertheless are missing a critical term: the cyber risk insurance requirement.
Cyber risk insurance, or cyber liability insurance, provides coverage extending beyond the typical commercial general liability (“CGL”) coverage. For example, in the event of a data breach, a cloud provider would find it difficult to convince its insurance provider to cover losses if the cloud provider was relying solely on CGL coverage. Cyber liability, on the other hand, is an insurance product specifically designed to address losses arising from incidents involving the delivery of information technology solutions. Cyber liability comes in a variety of flavors that should be customized for each cloud provider based on the nature of the cloud service being provided and the types of data stored in its servers. Ideally, cyber liability should include Errors and Omissions (covers claims related to the delivery of technical services), Media Liability (covers claims related to handling of media, invasion of privacy, and some intellectual property claims), and Fidelity Liability (covers employee crimes, such as intentionally leaking data or using personal information) coverage.
Without an appropriate insurance policy incorporating sufficient coverage limits for privacy or security breaches, those ubiquitous indemnity provisions may be ineffectual at best. Prospective cloud customers should require cyber liability coverage whenever possible and should work closely with the cloud service provider during negotiations to ensure that the appropriate mix of coverage and dollar limits is obtained based on the type of cloud service being offered.