Managing Risk • Fall 2013 • Volume 23 • Number 4 • Risk Management
Cloud Computing and Risk Management
Cloud computing, which relies on shared networks (typically the Internet), allows users to access information anywhere, at any time. This decreases infrastructure costs while increasing productivity—and risk.

Cloud computing vendors provide IT resources—whether applications, processing or networks—over a wide-area network to anyone willing to pay. Cloud computing poses privacy and security challenges similar to those in traditional computing, but amplified because the cloud computing buyer loses control of information as well as system components.

Cloud computing creates the following areas of concern for buyers:

• Who? Who will control your data? When outsourcing to a cloud vendor, you lose physical control over your organization’s data. You will want to know how your data is stored, protected and used, and who will have access to it. You will also want to know who owns it, particularly if your cloud service provider processes your data in any way. If you terminate your agreement with the cloud service provider, will you be able to obtain your data in an accessible, non-proprietary format?

• What? What data privacy and security laws and regulations apply to your organization? These laws and regulations vary by industry and by state. The cloud buyer retains ultimate responsibility for its own data and compliance with privacy and security laws and regulations. Can your vendor comply and respond appropriately to data vulnerabilities and breaches?

• When? When do you need your data, and how soon? Maintenance updates and service interruptions could affect access to your information. If you are considering migrating information that’s critical to daily business operations to the cloud, consider how long you can do without it and what a service interruption could cost in lost productivity.

• Where? Use of an in-house computing center allows an organization to know where data is stored and what safeguards are used to protect it. In contrast, many cloud computing services store data redundantly in multiple physical locations, which they usually do not disclose to clients. Some laws and regulations prohibit data from being stored across borders. If such laws or regulations apply to your organization, how will cloud computing affect you?

• How? How your employees access data in the cloud could put it at risk. Plug-ins and extensions for Web browsers are notorious for their security problems. Many browser add-ons also do not automatically update, increasing the persistence of any existing vulnerabilities. Smart phones and portable devices create other security problems. Their small size and portability can result in the loss of physical control. Authorized users often ignore built-in security mechanisms, while knowledgeable unauthorized users can circumvent them to gain control over the device and data or passwords stored within. How will you ensure your employees can access data when they need it, where they need it, without putting it at risk?

To mitigate cloud computing risks, the National Institute of Standards and Technology (NIST) offers the following suggestions:

• Understand the public cloud computing environment. Understanding the policies, procedures and technical controls a cloud provider uses can help you assess the security and privacy risks involved. You should also understand the technologies used to provide services and their implications for security and privacy.

• Ensure that a cloud computing solution satisfies organizational security and privacy requirements. Consumers should require, in writing, a cloud provider to meet any laws and regulations that apply, including any that may prohibit the storage of data outside certain physical boundaries or borders.

Typically, a cloud service agreement is non-negotiable, with the cloud provider dictating all the terms of service. If you have particular privacy or security concerns, however, you can request a service agreement negotiated with the assistance of your CIO and risk manager. Negotiated agreements can address an organization’s concerns about security and privacy details, such as the vetting of employees, data ownership and exit rights, breach notification, isolation of tenant applications, data encryption and segregation, tracking and reporting service effectiveness, compliance with laws and regulations, and the use of validated products meeting federal or national standards.

Regardless of whether you negotiate a contract, you will want to review agreements for the following:

• Data ownership and disposition. Agreements should clearly state that your organization retains ownership of data and how long the vendor will retain your data after your agreement terminates. Consumers should require that a cloud provider offer a mechanism for reliably deleting consumer data on request as well as providing evidence of deletion.

• Legal. The judicial process sometimes requires defendants to provide access to information during the discovery process. If that information is in the cloud, it might need to be “frozen” to reflect its state as of a specific date. Can your vendor sup-

• Limits of liability. What level of liability does the service provider retain for loss or breach of your data? Does it have appropriate insurance coverage?

Because an organization retains ultimate responsibility for the privacy and security of
we recommend cyber insurance coverage for organizations that use, store or have access to the personal identifying information of others. For more information, please contact your account representative at The Addis Group.

Risk Tip

As the one-year anniversary of Hurricane Sandy approaches, so does the deadline for filing a claim with the National Flood Insurance Program (NFIP). Typically, NFIP policyholders have 60 days after a flood to file a claim. The scale of damage wrought by Sandy prompted the Federal Emergency Management Agency (FEMA), which guarantees flood insurance policies, to extend the deadline to one year. This gives homeowners and business owners until October 28 to submit a formal proof of loss for Sandy-related flood damage. The U.S. Chamber of Commerce’s Business Civic Leadership Center estimated that Hurricane Sandy had affected between 60,000 and 100,000 small businesses in the storm area as of late January 2013. Many of these businesses have found that their business interruption coverage did not apply.

Business interruption coverage generally requires three things before coverage will trigger: 1) property damage must occur, 2) due to a covered cause of loss, 3) at an insured location. Much of the damage and lost income from Hurricane Sandy resulted from flooding, which the standard business property policy or business owner policy excludes. For information on flood coverage or business interruption coverage, please contact your representative at The Addis Group.

Cyber Insurance Covers the Cloud

A recent claims trend study found that cloud service providers and other third parties are responsible for approximately one-third of cybersecurity vulnerabilities and resulting cyber incidents. That fraction is likely to increase, since most companies have begun putting sensitive information into clouds only in the past year or so. Some cloud service providers are now outsourcing this data to other cloud service providers, a trend that could create a “spider web” of liability in event of a breach. When they can, customers need to negotiate and specify in cloud contracts what losses are covered, by whom, and at what levels. However, unless your organization is large and influential, you may have little negotiating power.

Cloud service providers will not accept liability for losses to your data (property coverage). When they do accept liability to third parties resulting from loss or breach of your data, they usually limit it to the service they’ve agreed to provide. Traditional commercial general liability policies typically exclude data-related risks; however, specialized cyber insurance can protect your organization from data-related risks, including cloud computing.

Cyber insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking and denial of service attacks. They may offer liability coverage that indemnifies you for losses to others caused by errors and omissions, failure to safeguard data or defamation. They also offer other benefits, including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.

Insurers require organizations to maintain a level of security as a precondition of coverage. Typically, an underwriting analysis will include a review of:
1. General risk exposure of the industry and business activities
2. General risk exposure of the size of the company
3. Loss history
4. Years in business
5. Financial condition
6. Extent of use of outsourced network security services
7. Dependency on third parties’ networks
8. In-depth analysis of network security
For more information, please contact us.

THE ADDIS GROUP
2500 Renaissance Boulevard, King of Prussia, PA 19406-2772 • (610) 279-8550 • Fax (610) 279-8543 • www.theaddisgroup.com
Where There’s a Will, There’s a Better Way!

Most of us prefer to keep our personal financial dealings to ourselves. In social gatherings we are comfortable discussing our health (“My cardiologist is the best in the business.”), but not so much our wealth (“I have $5 million at Merrill, three homes worth another $4 million and five limited partnerships worth that and more!”). Why then would we publish our balance sheet and air our family issues in public? It happens all the time. Just ask Tony Soprano, or rather James Gandolfini. He can’t reply now, but his will speaks for him.

Gandolfini, a New York State resident, died in June 2013 at the age of 51. The talented actor left an estate estimated to be worth $70 million. Under the terms of his will, Gandolfini left the bulk of his estate to his sisters and his 9-month-old daughter by his second wife. That creates a combined federal and New York state estate tax in excess of $30 million! The will divides the estate after all taxes, debts and fees are paid. The remaining 20 percent was left to his wife.

Taxes are not the only reason for a well-thought-out estate plan. It is evident from Gandolfini’s will that he cared very much for his family and friends. It is worth noting that the will was signed in December 2012—only six months before his premature and totally unexpected death. It is never too soon to execute a properly structured estate plan, but often it is too late.

Like most wills, Mr. Gandolfini’s provided that all of his “just debts, final expenses and taxes” be paid as soon as possible. Note that these “beneficiaries” take preference over family and friends. He then made several specific bequests to various friends and relatives. Finally, he distributed the balance or residuary estate to his two older sisters (60 percent), his daughter (20 percent) and his current wife (20 percent). Curiously, he chose not to take advantage of various trust techniques that could have preserved and protected more of his estate for his family and their eventual beneficiaries. Indeed, his 9-month-old daughter will receive her share of the estate (estimated at $8 million today) completely free and clear upon reaching age 21. You might want to be on that birthday party invitation list!

If losing nearly half your estate to taxes seems like a bad dream, it is not. It is the rule more than the exception. How we own and title our property and how we choose to keep or transfer it is a relatively complex decision-making process. Most of our homes are titled jointly, as are many of our checking, savings and investment accounts. Our retirement accounts, life insurance and annuities are beneficiary-directed. Each one of these assets, however, is subject to several different potential taxes.

For example, how is a jointly owned home taxed for federal estate tax purposes? It depends! Joint with right of survivorship (JTWRS) or tenants-in-common? How about that nice stock portfolio? Will you owe capital gains tax? Ordinary income tax? Federal estate tax? All of the above? Probably!

Retirement accounts are particularly challenging. In most cases, the beneficiary is a spouse, and children are named as “contingent beneficiaries.” Leave the IRA to a surviving spouse—no problem. Leave the IRA/401k to children or a non-spouse—big possible problems.

Proper planning can resolve all these problems. A well-designed will combined with a revocable living trust provides privacy. Re-titling and transferring assets during lifetime can have a huge impact on transfer taxes. Former New York Mayor Ed Koch, a lawyer himself, passed away in February 2013, leaving an estate of approximately $11 million. Federal and New York State taxes are estimated to be $2.5 million. He could have made lifetime exemption gifts of $5.25 million and annual exclusion gifts of $14,000 to each of the nine named beneficiaries of his will for an additional $126,000 of tax-free transfers. These steps would have saved his heirs over $600,000 in taxes.

One final note on planning. Mr. Gandolfini did take advantage of one very effective planning technique. Several years earlier he established a separate, private trust for his 13-year-old son, Michael. The trust held, among other things, a $7 million life insurance policy on Mr. Gandolfini’s life. The proceeds were paid to Michael’s trust, completely free of any income, estate or inheritance taxes or legal fees. Tony Soprano knew he was going to die someday. It comes with the territory.

If you would like a review of your current estate and income tax planning, contact John K. Heuisler, CLU, Financial Planning Solutions at The Addis Group. John can be reached at 610-233-4895 or at jheuisler@theaddis

Addis News
Robert S. Bowen, Jr., AAI

Bob Bowen entered the insurance industry in 1985 and currently serves as vice president of business risk solutions at The Addis Group. His responsibilities include choosing the appropriate coverage and carrier for each Addis Group client to protect their most valuable assets. To provide our clients with a full range of insurance solutions, from traditional to alternative risk, The Addis Group has developed relationships with a wide range of leading insurance carriers, including ACE, Chubb, Cincinnati, Hanover, Hartford, Travelers, Westfield and many more.

Bob is an Accredited Advisor in Insurance and a member of the Northeastern Insurance Association. His active participation in various industry seminars on topics such as disaster planning, employment practices liability and professional liability keeps him abreast of the changing nature of the insurance industry and its products.

Bob offers clients guidance through many complicated situations as he translates how property and casualty insurance actually works. He enjoys his work tremendously, as it touches people’s lives in a time of need and gives him a very interesting intellectual puzzle to solve on behalf of his clients. Bob is a member of LuLu Country Club and an usher at Abington Presbyterian Church. He enjoys golfing, hiking, biking, playing tennis, coaching youth baseball and spending time with his family. Bob resides in Dresher, Penn. with his wife, Gretchen, and their two children, Matthew and Lindsay.

John P. Linden

John serves as an assistant account manager in the commercial insurance department. His responsibilities are focused on client services, administrative support and policy maintenance for a number of key commercial accounts, as well as underwriting new and current business. Prior to joining The Addis Group in June 2013, John spent ten years as an account executive in the personal and commercial insurance department of an agency in Newtown Square, Penn.

A 2003 graduate of La Salle University, John re-Department advisory board. While at La Salle, John produced and hosted two cable shows with their campus TV station, and served an internship with a local Philadelphia news station.

John is currently pursuing the Chartered Property & Casualty Underwriting (CPCU) designation. He is also a founding member of the Young Professionals Group for ‘Bringing Hope Home,’ which serves to help local families battling cancer.

John resides in Delaware County, Penn. He enjoys traveling, following Philadelphia sports teams
SmartsPro Marketing

The information presented and conclusions stated in this newsletter are based solely upon our best judgement and analysis of information sources. It is not guaranteed information and is not necessarily a complete statement of all available data. Website citations are current at time of publication but subject to change. This material may not be quoted or reproduced in any form, including copy machines or any electronic storage or transmission medium, in whole or in part, without permission from the publisher.

All rights reserved. ©2013 SmartsPro Marketing. Tel. 541-482-5189, toll-free 877-SMARTS7 • www.smartspromarketing.com
Preventing Privacy Breaches

Think about all the information you store on employees alone: Social Security numbers, addresses, names of spouses and dependents, and possibly even medical information. Then there are customers—do you have names, addresses, credit card numbers and expiration dates? Medical or other personal information? If any of this information falls into the wrong hands, whether through error or theft, you have a liability exposure. The following quiz can help you identify security gaps. Correct answers are in parentheses.

• If you keep paper files, are they in locked cabinets? Are cabinets in an office with a locking door, inaccessible to unauthorized persons? (yes)
• Do you keep the file cabinet key in the top desk drawer? (no)
• Do you shred documents containing personal information before discarding? (yes)
• Do you use Social Security numbers as employee ID numbers? Do you print Social Security numbers on paychecks? (no)
• Do you train human resource, payroll and benefits staff not to disclose personal information about other employees? Do you include this requirement in job descriptions for employees who handle personal information? (yes)
• Do you train customer service, IT and other staff who have access to customers’ personal information not to disclose this information? Do you make this a condition of employment? (yes)
• Do you do background checks on any employee who will have access to others’ personal information? (yes)
• Do you have appropriate firewalls, anti-virus and malware detection software installed on your servers and networked computers? (yes)
• Do you regularly scan your computers and networks, and keep your protection services updated? (yes)
• Is your network password-protected? (yes) Do you require employees to change their passwords regularly? (yes)
• Do you encrypt sensitive data? (yes)
• Do you require employees to report the theft or loss of any mobile device that might contain sensitive files immediately? (yes)
• Does your insurance cover your organization for security breach liability? (yes) If you are not sure, please contact us for a policy review.