Cybersecurity Insurance in the Cloud

With the cost of a data breach in the United States averaging $8.64 million, it’s not surprising tech stakeholders and organizations are turning to new insurance models to meter the risks associated with storing sensitive data in today’s cybersecurity landscape. In March, Alphabet Inc.’s Google Cloud business announced they will join Allianz SE and Munich Re AG in to integrate data about customer cyber risk into insurance policies.

As the WSJ reported, “Companies seeking cyber coverage can ask the insurers to take data on their security measures directly from their Google Cloud environments, and Allianz and Munich Re will use that information to create tailored cyber insurance policies based on how secure they are.” By working directly with cloud services providers, in this case Google Cloud, insurers hope to better understand the risk profiles of their customers to tailor coverage accordingly.

Google Cloud will help analyze organizations’ risk profiles with benchmarks created by the likes of NIST (National Institute of Standards and Technology) and the Center for Internet Security. Organizations will be assessed on factors including how they control access to sensitive data, how hardware and software resources are secured and how cloud environments are configured. Considering cloud misconfigurations remain the leading cause of a data breach, working directly with CSPs to understand how organizations are configuring cloud data as part of the audit process will go a long way to determine risk potential.

As the cybersecurity insurance space continues to mature, insurers will consider a broader range of security controls and technologies in their assessments. Undoubtedly, the sensitivity level of an organization’s data, as well as their ability to adequately obscure it, will play a key role in determining overall risk. Analyst firms like 451 Research are already reporting an increase in demand for effective obfuscation, and an increase of the adoption of new technology like Microsharding, as a result.

Microshard™ technology breaks data into fragments that can be as small as single-digit bytes before polluting and distributing shards to multiple locations to reduce the attack surface and eliminate data sensitivity. The technology has promising implications from a regulatory standpoint in that industry experts accept Microsharding as a means to reduce what is in scope for data sensitivity. As ISACA board member Robert A. Clyde explained in a recent whitepaper that addressed whether Microshard data need still be considered ‘sensitive’, “if the data has been shredded and scattered across multiple storage locations to the extent that a bad actor can’t extract a single credit card number or Social Security number, most contend the answer is no, which can dramatically reduce companies’ data protection burden and the cost of compliance.”

Already, cyber audit and assurance firms such as UHY Advisors see tools like Microsharding as an important means for reducing overall risk, stating, “In our opinion, Microsharded sensitive data is no longer sensitive. As a result, ShardSecure has the potential to lower cyber risks and compliance costs while maintaining compliance with the spirit of European and US data protection regulations.”

From lowering monthly premiums and mitigating breach fallout to generally elevating security standards, technology that can effectively reduce what is in scope as sensitive data has enormous impact potential in the cybersecurity insurance space. Organizations that have some of the world’s most significant sensitive data footprints are already adopting Microsharding to ensure data privacy and achieve defense in depth. For policy holders, insurers and CSPs alike, there is much to be gained from eliminating the data sensitivity that causes data breaches to be so damaging, expensive, and detrimental to organizations and their customers.