The shift to cloud computing is one of the defining technology transformations of the past two decades. Businesses of every size now rely on cloud services for critical functions: storing customer data on Amazon Web Services, running business applications on Microsoft Azure, collaborating through Google Workspace, accepting payments through Stripe, managing customer relationships through Salesforce. For many businesses — particularly startups and smaller companies — the cloud is not just a part of their technology infrastructure. It is essentially all of their technology infrastructure.

This transformation has profound implications for cyber risk and cyber insurance. The cloud changes what you own, what you control, and where your data lives. It changes the nature of the vulnerabilities your business faces and the types of incidents you need to prepare for. And it changes how your cyber insurance policy does or does not apply to losses that occur in or through cloud environments. Business owners who understand these changes are better positioned to obtain appropriate coverage and to respond effectively when something goes wrong.

How Cloud Adoption Changes Your Cyber Risk Profile

Moving operations to the cloud eliminates some traditional cyber risks while introducing new ones. On the positive side, major cloud providers invest heavily in physical security, infrastructure redundancy, and base-level security controls that would be difficult or prohibitively expensive for most small and mid-sized businesses to replicate. The servers running your cloud applications are located in hardened data centers with sophisticated access controls, power backup, and environmental protection that your office building almost certainly does not have.

On the other side, cloud adoption introduces a fundamentally different risk profile. When your data was stored on servers in your own office or data center, the primary way an attacker could access it was to physically enter your facility or breach your network perimeter. In the cloud, your data is accessible from anywhere in the world through the internet, which means the attack surface is dramatically larger. Attackers do not need to target your physical location — they can attempt to access your cloud environment from anywhere, at any time, through any internet-connected device.

The cloud also introduces concentration risk. If you store all of your data with a single cloud provider and that provider experiences an outage or a security incident, your entire operation may be affected simultaneously. In the pre-cloud era, a hardware failure in your server room was a serious problem, but it was your problem and your recovery was within your control. A cloud provider outage affecting hundreds of thousands of customers simultaneously creates a dependency on the provider’s own recovery timeline, which may not align with your business needs.

Shared Responsibility Models: What the Cloud Provider Secures and What You Secure

Every major cloud provider operates under what is called a shared responsibility model for security. The basic idea is that the cloud provider is responsible for the security of the cloud — meaning the underlying infrastructure, physical facilities, networking, and base software — while the customer is responsible for security in the cloud — meaning the data, applications, and configurations that the customer deploys on top of that infrastructure.

Understanding where your cloud provider’s responsibility ends and yours begins is critical, both for managing risk and for understanding your insurance coverage. Amazon Web Services, Microsoft Azure, and Google Cloud Platform all publish detailed documentation of their shared responsibility models, and while the specifics vary, the general principle is consistent: the provider secures the foundation; you secure what you build on top of it.

In practical terms, this means that your cloud provider is responsible for ensuring that the physical servers are secure, that the virtualization layer that separates different customers’ workloads is properly implemented, that the underlying network infrastructure is protected, and that the provider’s own software and services are patched and maintained. Your cloud provider is not responsible for whether you correctly configure the access permissions on your cloud storage buckets, whether you enable encryption for data at rest, whether you implement multi-factor authentication for your cloud management console, whether your applications deployed in the cloud have vulnerabilities, or whether your employees share their cloud credentials.

This division of responsibility has direct implications for cyber insurance. If your cloud provider’s infrastructure is breached due to a failure in their own security controls, and that breach results in the exposure of your data, you have a potential claim against the cloud provider — though the provider’s contract almost certainly limits its liability substantially. If your data is exposed because you failed to properly configure your cloud environment, that is your failure and your insurance claim, assuming the claim falls within your policy’s coverage.

Coverage for Cloud-Specific Events

Cyber insurance policies were originally written for an era when businesses operated their own servers in their own facilities. Policy language describing covered events in terms of your computer systems, your network, or your data systems may or may not clearly apply to data and systems hosted in a cloud environment that you access but do not own or directly control.

Most modern cyber policies have evolved to address cloud environments more explicitly, either through updated definitions that include cloud systems within the scope of covered computer systems, or through specific coverage provisions for cloud-based incidents. However, not all policies have kept pace with cloud technology, and older policies in particular may contain language that creates ambiguity about cloud coverage. Reviewing your policy’s definitions carefully is important.

Cloud configuration errors are among the most common causes of cloud-based data breaches, and they present a good test case for coverage analysis. A misconfigured Amazon S3 bucket — the service Amazon Web Services uses for cloud data storage — is one of the most documented causes of large-scale data exposures in recent years. When a bucket is misconfigured to be publicly accessible, anyone on the internet can access the data stored in it without authentication. Dozens of major data exposures have resulted from this type of misconfiguration.

A misconfigured S3 bucket exposure is generally covered under a standard cyber policy as a data breach — unauthorized parties accessed personal or confidential information, triggering notification obligations and potential liability. The fact that the exposure resulted from the customer’s own configuration error rather than from an attacker’s deliberate intrusion should not affect coverage, because cyber policies typically cover accidental exposure as well as malicious attacks. However, if the policy contains a self-inflicted harm exclusion or an exclusion for the insured’s own errors in certain contexts, this might be contested.

Business Interruption Coverage for Cloud Outage Events

When your cloud provider experiences an outage and your business operations are disrupted as a result, you face a business interruption loss. Whether your cyber policy covers that loss depends on how the policy defines the trigger for business interruption coverage and whether dependent business interruption coverage is included.

Standard cyber policy business interruption coverage is typically triggered by a covered security failure or network interruption affecting the insured’s own systems. If your own systems go down because of a ransomware attack, that is a straightforward business interruption claim. But if your systems are fine and it is your cloud provider’s systems that have failed, your systems are not down — they just cannot connect to the cloud services they depend on. Whether this scenario triggers your business interruption coverage depends on whether your policy covers dependent business interruption.

Dependent business interruption, sometimes called contingent business interruption, covers losses resulting from an outage at a third-party service provider that your business depends on. In the cyber context, this coverage is designed for exactly the cloud outage scenario: your operations are disrupted not because your own systems failed, but because a critical technology provider you depend on experienced an outage. Coverage for dependent business interruption is not included in all cyber policies — it is often an optional coverage that must be specifically purchased.

Even when dependent business interruption coverage is available, it may contain limitations that are particularly relevant to cloud environments. Coverage may be limited to outages lasting more than a specified waiting period — often eight to twelve hours or more — which means short cloud outages, even if disruptive, may not be covered. Coverage may also be limited to outages caused by a security incident rather than ordinary system failures, which would exclude coverage for outages caused by routine technical problems at the cloud provider.

The June 2021 Fastly outage, the December 2021 AWS us-east-1 outage, and multiple Azure and Google Cloud outages that have affected customers globally demonstrate that cloud provider disruptions are not hypothetical. For businesses whose operations are heavily dependent on a single cloud provider, evaluating dependent business interruption coverage should be a priority in the insurance program review.

Your Cloud Provider’s Security Commitments vs. Your Insurance Coverage

Major cloud providers make substantial security commitments to their customers, and many maintain certifications under standards like SOC 2, ISO 27001, and FedRAMP. These commitments are real and meaningful — the security investments made by AWS, Azure, and Google Cloud are genuinely impressive. However, a cloud provider’s security certifications and contractual commitments are not a substitute for cyber insurance, and understanding the relationship between the two is important.

Cloud providers limit their liability through their terms of service in ways that make full recovery for a cloud provider-caused loss extremely difficult. Amazon Web Services limits its liability to the fees you paid for the service in the preceding twelve months. Microsoft Azure and Google Cloud Platform have similar limitations. If a cloud provider failure results in the exposure of millions of your customers’ personal records, triggering regulatory investigations, class action litigation, and notification costs, your recovery against the cloud provider is likely capped at a small fraction of your actual losses.

Your cyber insurance policy, by contrast, can be structured to cover the full range of losses arising from a cloud incident, including notification costs, regulatory defense and penalties, third-party liability to affected customers, and business interruption, up to your policy limits. The cloud provider’s security certifications may be evidence of good practices, but they do not transfer the financial risk of a cloud incident to the provider in any meaningful way. That risk remains with your business, and cyber insurance is the primary mechanism for managing it.

Cloud Access Management and Its Effect on Security and Insurance

Identity and access management in cloud environments is both one of the most important security controls and one of the most commonly mismanaged. Cloud environments are configured through management consoles and application programming interfaces that are accessible from anywhere on the internet — which means that a stolen or compromised set of cloud credentials gives an attacker the ability to access, modify, or destroy your entire cloud environment from anywhere in the world.

The consequences of poor cloud access management can be severe. An attacker who gains access to your cloud management console can exfiltrate all of your stored data, delete your backups, modify your application configurations, or deploy ransomware across your cloud environment. These types of cloud-account-takeover attacks have become increasingly common and increasingly damaging.

From an insurance perspective, cloud access management is increasingly a standard area of scrutiny in cyber insurance underwriting. Insurers ask specifically about multi-factor authentication for cloud console access, privileged access management practices, and whether cloud accounts are regularly audited for unnecessary permissions. If your cloud access management practices are weak and a loss results from a cloud account compromise, the insurer may investigate whether this represents a misrepresentation of your security controls on the insurance application, which could jeopardize your coverage.

The practical implication is that implementing strong cloud access management — multi-factor authentication for all cloud accounts, principle of least privilege in permission grants, regular access reviews, and separation of duties for privileged functions — is both good security practice and good insurance practice. These controls reduce the likelihood of a loss and demonstrate to insurers that your cloud environment is managed responsibly.

Multi-Cloud Environments and Coverage Complexity

Many businesses operate in multiple cloud environments simultaneously, using different providers for different functions. A business might use AWS for its primary application infrastructure, Microsoft Azure for Active Directory and productivity tools, Google Cloud for data analytics, and Salesforce for customer relationship management, while also relying on dozens of SaaS applications that each operate in their own cloud environments. This multi-cloud reality is increasingly common, and it creates significant complexity for both security management and insurance coverage.

From a security perspective, a multi-cloud environment requires consistent security policies and controls to be applied across heterogeneous systems that use different tools, different management interfaces, and different security models. A security weakness in any one of these environments can create a pathway for an attacker to access data or systems across the entire multi-cloud footprint.

From an insurance perspective, the key question in a multi-cloud environment is whether your policy covers all of the cloud environments where your data and operations reside. Review your policy’s definition of covered computer systems or insured technology assets to determine whether it encompasses all of the cloud services you use. If your policy defines covered systems narrowly — for example, as systems owned or operated by the insured — it may not cover incidents involving third-party SaaS applications or cloud services that you use but do not directly operate.

Data Residency and Jurisdiction Questions

When your data is stored in the cloud, questions about where it physically resides are both a security matter and a legal matter. Cloud providers operate data centers in multiple countries and regions, and depending on how your cloud services are configured, your data may be stored in data centers in multiple jurisdictions simultaneously — sometimes without you being fully aware of it.

Data residency matters for insurance purposes for several reasons. If your data is stored in the European Union, your handling of that data may be subject to the General Data Protection Regulation, which imposes different notification requirements and potentially higher penalties than US state breach notification laws. If a breach affecting EU-resident personal data triggers GDPR enforcement, the costs of that regulatory investigation and any resulting penalties are covered by your cyber policy only if the policy’s regulatory coverage extends to international jurisdictions.

Similarly, if your data is subject to sector-specific US regulations — HIPAA for health information, GLBA for financial data, or FERPA for student records — the fact that the data is stored in the cloud rather than on-premises does not affect your compliance obligations. A cloud-based breach of health data triggers the same HIPAA breach notification and enforcement obligations as an on-premises breach. Your cyber policy should cover regulatory costs regardless of where the data was physically located when the breach occurred, but reviewing the jurisdictional scope of your policy’s regulatory coverage is important.

Practical Steps for Cloud-Heavy Businesses

For businesses that rely heavily on cloud services, there are several specific steps that strengthen both your security posture and your insurance position.

Begin with a cloud asset inventory. Know exactly what cloud services you use, what data is stored in each service, and how each service is configured. This inventory is the foundation of both your security program and your ability to accurately complete a cyber insurance application. Insurers are increasingly asking detailed questions about cloud usage, and accurate answers require knowing what you have.

Review your cloud provider agreements, particularly the security and liability provisions. Understand what your provider commits to do from a security standpoint, what certifications they maintain, and what they actually contractually guarantee. Understand the liability limitations that apply and how they compare to the potential losses a provider failure could cause your business. This assessment will clarify how much risk remains with your business even after relying on cloud provider security.

Work with your insurance broker to specifically address cloud coverage in your cyber policy review. Ask specifically whether your policy covers dependent business interruption for cloud provider outages, what the waiting period and coverage trigger requirements are, and how the policy defines covered computer systems in relation to cloud services. If your current policy has gaps in cloud coverage, discuss whether endorsements are available to fill them.

Implement strong cloud security fundamentals: multi-factor authentication for all cloud accounts, minimum necessary access permissions, encryption of sensitive data at rest and in transit, regular auditing of cloud configurations, and backup strategies that do not rely solely on the same cloud provider where your primary data is stored. These measures reduce both your actual risk and the information you need to provide to insurers to demonstrate a mature security program.

Finally, consider whether your incident response plan specifically addresses cloud incidents. Responding to a cloud-based breach or outage is different from responding to an on-premises incident in ways that matter — who you contact at the cloud provider, what forensic data is available and how to preserve it, and how your recovery options differ in a cloud environment. An incident response plan that has not been tested against cloud scenarios may leave your team unprepared when a cloud incident actually occurs.