
Cloud computing risk management: Cyber and E&O liabilities


The advent of cloud computing has revolutionized how businesses store, process and manage their data. However, this transformation also brings significant cyber and errors and omissions (E&O) liabilities that companies must consider.

A common misconception among businesses is that transferring data to the cloud shifts the associated risks to the cloud provider. In reality, companies retain most of these risks, so it's vital for businesses to understand the critical risks they face when using cloud services and how to adjust insurance coverages and risk management strategies to better align with these liabilities.

Shared Responsibility Model for Cloud Services

In general, cloud computing operates on a shared responsibility model, which means that both the cloud service provider and the customer have roles in ensuring data security. Cloud service providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud may offer security infrastructures, but customers are responsible for securing their applications, data and user access. This division of responsibilities can create ambiguities in liability if a data breach occurs.

Data Ownership, Data Breaches and Legal Obligations

One of the fundamental principles in data security is that legal obligations rest with the data owner, i.e., the company that initially collected the data. When companies store sensitive data in the cloud, they do not transfer this legal responsibility to the cloud provider. For instance, if a data breach occurs, the company is responsible for notifying affected individuals, managing regulatory responses and handling potential lawsuits.

In the health care industry, entities supporting health care providers are subject to the same data protection obligations under HIPAA. However, this does not transfer liability; it simply extends that liability to include business associates.

Cloud Computing Risk and Cloud Vendor Liability

Cloud providers typically limit their liability through service agreements. In terms of financial liability, these limitations could be as low as the fees paid over the past year – or even zero, in some cases – and may be restricted to direct damages, meaning that costs like regulatory fines, legal fees and reputational damage are excluded. Additionally, these agreements may not cover certain cloud security risks, such as security misconfigurations and vulnerabilities introduced by cloud environments.

Given these constraints, companies cannot rely solely on their cloud provider’s liability insurance. They must have their own comprehensive cyber insurance to help cover various breach-related expenses, including third-party liabilities and direct response costs.

The Role of Cyber Insurance

A well-structured cyber insurance policy is crucial in mitigating the financial impacts of data breaches and addressing cloud security concerns. These policies typically cover:

  • Notification Costs: Expenses related to informing affected individuals and regulatory bodies
  • Legal Fees: Costs of defending against lawsuits and regulatory inquiries
  • Business Interruption: Losses incurred due to operational downtime
  • Third-Party Liability: Damages claimed by third parties affected by the breach

Companies should also consider negotiating their cloud service contracts to require cloud providers to carry cyber insurance. This could help cover excess costs and reduce the company’s financial burden in the event of a breach.

Cloud Outage Insurance and Contingent Business Interruption

Some cyber insurance policies have started to limit coverage for losses due to cloud vendor outages. Companies that rely heavily on cloud services and cloud storage should look for insurance policies with contingent business interruption coverage, which can provide financial protection if a cloud service disruption impacts their operations.

Technology Errors and Omissions Insurance in Cloud Computing

For cloud vendors, a data breach often results in errors and omissions insurance claims since the failure to secure data is usually considered a performance issue. E&O insurance, which may be bundled with cyber insurance for tech companies, helps cover the vendor’s liability to its customers. This may include costs associated with failing to protect customer data, which could lead to significant financial claims from customers seeking reimbursement for breach-related expenses.

Aggregate Exposure and Insurer Concerns

From an insurance carrier’s perspective, the aggregation of security risks in cloud environments is a significant concern. A single breach at a major cloud computing provider could result in claims from thousands of customers, likely leading to substantial payouts. Because of this, insurers are increasingly scrutinizing the cloud vendors their clients use to better understand and manage this risk.

Best Practices for Cloud Security and Risk Management

  • Comprehensive Cyber Insurance: Work with your insurance broker to make sure your cyber insurance policy covers potential breach-related costs, including third-party liabilities and business interruption.
  • Vendor Contract Negotiations: Require cloud providers to carry their own cyber insurance, request a certificate of insurance from providers and include indemnification clauses in service agreements.
  • Security Best Practices: Implement robust security measures, including encryption, multifactor authentication (MFA), access management controls and regular security audits, to help protect data stored in the cloud.
  • Contingent Coverage: Seek out cyber policies that offer contingent business interruption coverage to help mitigate losses arising from cloud service outages.
  • Regular Risk Assessments: Continuously assess and update your cyber risk management strategies to adapt to evolving threats and regulatory requirements.

Protect Your Business with Cyber Insurance

Utilizing cloud-based services and cloud computing solutions can provide significant operational advantages for many businesses. However, it also creates complex cyber and E&O liabilities, and companies must recognize that transferring data to the cloud does not transfer associated risks. By maintaining comprehensive cyber insurance, negotiating robust vendor contracts and implementing security measures, businesses can more effectively manage these liabilities and protect themselves from the financial and reputational impacts of data breaches.

At Higginbotham, we specialize in creating tailored insurance solutions that address your specific needs. Talk to one of our cyber insurance specialists today to learn how we can help safeguard your company from various business risks, including those associated with cloud services and data breaches.

Author: Corey Huey, Cyber Risk & Digital Asset Lead, Higginbotham
