Entrusting sensitive data to third parties has always been a heightened concern for most companies, especially those who outsource a significant amount of sensitive information.
The vast majority of companies outsource at least one critical application to the cloud, which create centralized treasure troves of valuable data for hackers to exploit. Often overlooked, however, is the impact that administrative errors or software bugs can have on the integrity, availability and confidentiality of the hosted data.
The benefits of outsourcing critical functions, including reduced cost and increased productivity, can never be discounted, but the information security risks are often not as easily identifiable or quantifiable.
Storing significant amounts of personal information in the cloud will likely trigger multiple legal privacy obligations on the company who utilizes the cloud-based solution, including a requirement that the company has taken steps to ensure the service provider has an adequate information security program in place.
Latest data leakage
In late February, a company that provides internet content delivery and cyber security services for approximately 4 million companies announced that a software bug was responsible for data leakage on a number of its hosted websites.
Cloudflare is currently used by at least 5 million websites globally, and although the full impact is yet to be determined, investigators have already identified sensitive leaked information, stemming from private messages on major data sites to hotel bookings. The leakage has been dubbed “Cloudbleed” in the cyber security industry circle, the successor to Heartbleed, a similar security bug disclosed in April of 2014.
The company has so far estimated that the bug was triggered over 1,200,000 times between September 22nd, 2016 and February 18th, 2017. Some of the leaked data has been found through search engines, so Google, Yahoo, Bing and others are currently cooperating with Cloudflare to eliminate the sensitive data from the outcomes of searches.
Unlike a data breach, where sensitive data is usually compromised during a single incident or event, a software bug like Cloudbleed can repetitively release sensitive information to unauthorized parties unless dealt with quickly.
Vendor risk management
Cloudbleed is just the latest example that illustrates the importance of effective vendor risk management, particularly for companies that rely heavily on outsourced critical applications.
Most vendors will look to limit their liability, often significantly, in the event that they are responsible for a data breach involving sensitive information of their customers. A risk advisor can play a critical role in providing guidance to companies to effectively shift liabilities from the companies who are outsourcing sensitive data.
Atypical business interruption risk
In addition to liabilities associated with unauthorized disclosure of data, companies may also assume a significant business interruption risk through relying on the services of an outsourced provider. These companies should look closely at the scope and breadth of their dependent business interruption coverage to ensure it properly encapsulates their risk.
For example, typical dependent business interruption coverage will include losses arising from the introduction of malicious code or other targeted attack. However, insurance coverage for losses arising from system failure or administrative error may need to be negotiated separately.
Ultimately, the role of cyber and/or professional liability insurance policies is often critical to maximizing a company’s ability to swiftly recover loss arising from use of an outsourced application.
Guest blogger Robert O. Barberi, Jr. is Vice President, Team Lead – Cyber Security & Professional Liability for Willis Towers Watson, advises companies about cyber and professional liability risk. He has broad experience negotiating, structuring and placing network security, privacy liability and professional liability insurance programs, focusing primarily on companies with large, complex exposures. Rob is a regular speaker at industry conferences and has consulted with the U.S. Treasury Department regarding systemic cyber risks.