Will the Cloud Drive Up The Cost Of Cyber Insurance?

By Ken Presti, CRN 8:19 PM EST Tue. Nov. 27, 2012

International Computer Security Association Labs is working on a new initiative aimed at helping cyber liability insurance companies more accurately assess risk associated with cloud computing.

An independent division of Verizon, ICSA Labs has built a reputation around testing and certification criteria to measure product compliance and performance.

"We are teaming with the insurance industry to provide insurability certifications around cloud," explained Vinny Sakore, the organization's program manager for cloud security. "This is a focus for 2013, and we expect to go public with an announcement sometime during the first quarter."


Although cyber liability insurance has been protecting against risks associated with data breaches and network interruptions at the customer premises for several years, the advent of cloud computing has caused challenges in assessing the risk.

"The insurance companies are concerned with cloud providers for two reasons," explained Sakore. "First is the incredible amount of data that's being aggregated by these carriers. The second concern is that cloud computing companies typically won't assume any liability. So, the insurance company inevitably takes on more liability than they would, even in the traditional outsourcing model."

In addition, the insurance provider not only is faced with liability associated with the cloud providers themselves but also carries risk from the customers of those cloud providers who also happen to be customers of the insurance provider.

"Let's say an Amazon or a Terremark each have a $250 million insurance policy with your company," said Sakore. "But let's say you also have a thousand customers working within that cloud provider, and each of those has a $100 million policy. Now you're talking about billions of dollars in potential liability, not just $250 million. Therefore, assessing the size of the risk can be difficult and complex."

The ICSA is currently grappling with this issue as well as a host of other factors that should be calculated into the risk assessments. Examples include privacy implications for data stored in or transiting international borders, the effects of virtualization, how denial-of-service attacks are handled, and requirements for compliance through standards such as PCI and ISO-27001. These and other factors roll up into a score that the insurance company can then use as a tool for setting the price of coverage and related terms. Elements would be weighted differently, based on their relative importance.

"They also need to determine how much sensitive information is being stored by the cloud provider," Sakore continued. "This can change over time, so at the point of renewal, they will need to assess how much data, and what types of data have been moved to the cloud because your entire risk posture with that customer might have changed since the last time you engaged in this process. So it is critically important to monitor those types of developments."


How all of this will eventually impact the cost of cyber insurance remains to be seen, according to Sakore.

"If there weren't other market forces at work, I would say that cloud computing could drive up the cost of insurance. At the end of the day it's about how much risk you are willing to assume. Some people just have to take the risk because they don't have the financial ability to purchase one of these policies. But, I suspect that might change too. I think the SMBs will be early adopters because cloud providers can often deliver better security than SMBs can manage on their own. This can apply downward pressure on price. And as more SMBs seek out this type of insurance, the law of supply and demand can apply downward pressure on prices, too."

The market for cyber insurance is mostly at the enterprise level, he said. But with 30 to 35 insurance companies in the market, creativity is beginning to take hold. Some smaller companies can get limited amounts of cyber insurance in the form of a rider to their Errors and Omissions (E&O) insurance. "It's a pretty aggressive market because there's a lot of people buying and a lot of people selling," he added.
