In the enterprise market much of the adoption for public cloud IaaS services so far has been driven by innovators and early adopters. One of the defining characteristics of these early adopters is their willingness to accept and manage risk. These risks can come in many forms, including technological, organizational, operational and financial. Financial risk around cloud adoption for enterprises is driven by two major sources – financial liability due to potential loss of data stored with the cloud service providers, and loss of potential revenue or business capability due to cloud service downtime.
On the surface, the idea of providing insurance specifically for cloud service providers to help enterprises address these business and financial risk would seem to make sense. During the IT outsourcing wave of the last decade, many service providers found they needed to buy insurance as they assumed the liability of operating their customers IT infrastructure. In addition cybersecurity insurance, which addresses the financial impacts of data security breaches, has been in the market since the late 1990′s. While some believe that cybersecurity also covers cloud services, cloud computing models are creating unique challenges and risks.
One of the big barriers to cloud insurance has been the lack of data on security incidents and resulting financial claims. Ironically the more breaches and security incidents that occur, the easier it becomes for insurers to offer coverage. With more data points both on incidents as well as the financial settlements that result, insurers are able to more effectively assess exposures, price risk and determine premiums. Amassing the required data points and analytics required is a function of cloud adoption and time.
It seems like we may have reached this critical mass, as evidence that a market for cloud insurance is emerging. Just last week Liberty Mutual, the third largest property and casualty insurer in the US, announced that it will be offering cloud insurance policies in partnership with CloudInsure, which will provide a data and analytics platform for assessing cloud service provider risks. In addition to Liberty Mutual announcement, cloud insurance capacity is starting to appear with other providers as well, including through the MSPAlliance which offers products for its members.
The emergence of cloud insurance products could change the enterprise cloud market in several interesting ways.
- Shifting the CFO / CIO balance of power - when a CIO claims that cloud services aren’t secure enough for their organization, it’s difficult for business executives to push back. The availability of cloud insurance products could help to change that dynamic. Just as insurance companies have strict underwriting processes and requirements for other types of products, so it will be for cloud. Cloud service providers and users will need to adhere to a set of policies, procedures and controls that meet the requirements of insurers. As it’s their money at risk, you can bet the underwriter’s standards will be high. With insurance products available, CFOs will now have third party validation they can point to around the security of cloud services. While the CIO still may have valid security or compliance concerns, the existing of insurance will change the dynamic of that conversation.
- Opening of new market segments – as technology markets mature, adoption becomes increasingly driven by more conservative buyers. While it doesn’t address the complete spectrum of risks enterprises face when they migrate to cloud services, insurance will make a segment of customers feel more comfortable migrating to public cloud models. We may end up finding that there will be certain segments of the enterprise market for which cloud insurance will be a requirement for doing business.
- Changing application migration dynamics – while most cloud service providers offer compensation for SLA violations today, to say most of them are toothless is probably an understatement. Customer acceptance of availability and performance risk is considered part of the trade-off for the flexibility and cost benefits of public cloud. Increasingly customers are expected to architect their applications for redundancy and resiliency, and for applications to failover to other service provider data centers or regions. Insurance may make it more palatable to migrate non cloud-architected applications to public cloud providers, assuming the business case is there.
How the cloud insurance market evolves will be driven by a number of factors. As the de facto leader in public cloud IaaS, any move that Amazon makes will be quickly followed by the market. Cloud service providers offering insurance at point-of-sale to customers could be another potential game-changer. Regardless of how it evolves, cloud insurance will likely play an interesting role in the enterprise cloud market.