In Software as a Service (SaaS) environments, a major challenge in any data protection and compliance exercise is that you, as the provider, do not necessarily have any control over what your customers place in the databases and systems you provide. Often there is also a contractual commitment that you will not look at their data either, except during a support call or similar. This situation creates a major challenge for cyber insurance; let’s break down why.
Why do I need Cyber Insurance?
The quickest answer is that any data breach carries the chance of a hefty fine, depending on the regulation you fall under (GDPR, POPIA and so forth). Fines under POPIA can range up to R10m! What people often don’t think about, though, are the costs involved in investigating the breach, forensics, and sometimes reparations of some kind to the data subjects.
Investigations into even small data breaches can rapidly run to a few hundred thousand rand, something quite daunting for a small to mid-size business – where a lot of SaaS players operate. Specialised forensics and auditing does not come cheap, and you shouldn’t kid yourself that it does – depending on who your data subjects are, you may have to appoint a specific provider. If they are a large enterprise customer, you could be saddled with the bill from one of the big audit firms instead of a smaller, more affordable provider.
Another cost is potential reparations or protection for the affected data subjects. Recently, when Cathay Pacific was breached, they offered all affected parties a year of identity monitoring through Identity1 Global Identity Monitoring, something that couldn’t have come cheap.
How does SaaS affect Cyber Insurance?
Part of calculating your premium for cyber insurance is declaring the number of records of personal information you hold. Many insurers price cover on a cost-per-record basis, and many breaches are measured on the same metric. While working out how many records you have internally (for employees and so on) is relatively easy, this becomes nigh impossible in a SaaS environment.
When you are hosting a SaaS platform, you generally do not control what your clients place in your systems – as such, it becomes a nightmare to explain how many records you may hold in your environments. While in the eyes of the law you can have agreements in place to limit your liability as a processor (as opposed to the responsible party/controller), there are conditions under which liability is joint or transferred if you, as the SaaS provider, are found negligent or in non-compliance with the data protection regulations your clients adhere to. There is a great read on this over at Michalsons.
How does one approach this?
For a start, cyber insurance may not be the insurance you need. As a provider of hardware, software, or cloud services, it is more likely that you will need Technology Professional Indemnity (Tech PI) insurance. This caters for the fact that you, as the processor, do not necessarily know how many records exist in your systems, and gives you the protection you need (and then some). In addition to a cyber component covering any breach you may suffer, PI insurance also covers you in the event that your software or systems were at fault and caused the breach. It covers your notification to data subjects, investigations, legal fees, and other general liabilities.
The big difference is that Tech PI insures the activity you’re performing, not the records stored as a result of that activity. This is a much clearer approach for a SaaS provider! The application process may be longer, as your activities will need to be listed and sent to an underwriter, but it is well worth your while to consider it.
If you or your company needs assistance in complying with data protection regulation, why not reach out to Ross G Saunders Consulting? Through our network of specialists, we provide end-to-end data protection solutions for customers ranging from small businesses to enterprise level.