While the lure of financial savings has quickly driven the use of cloud-computing services in the corporate sphere, not many senior executives have really examined the risks of using the cloud or how to deal with them. Adding to the problem, it has been hard to identify exposures and obtain adequate insurance coverage for the risk, experts agree.
Much of the risk has its origin in the increasing use of cloud-computing services. The 2012 Cisco Global Cloud Networking survey of 1,300 information-technology executives from 13 countries found that by the end of this year, 20% of companies will be using cloud-computing technology to deliver most of the software applications used by their businesses.
Easy targets, because IT isn’t a core part of their company’s functions, nontech executives at nontech companies are often being “aggressively encouraged” to use cloud solutions, Lori S. Nugent, co-chair of data security and cyber liability with Wilson Elser Moskowitz Edelman & Dicker LLP in Chicago, notes.
In particular, CFOs are being encouraged to outsource IT, often saddling their companies with a hard cost that tends to increase and complicated security issues. “It sounds easier to just let somebody else worry about that,” she says. “By going to cloud, the theory is that you can outsource all of that and that it’s more scalable, because you can increase or decrease the scope of service you have.”
The reality, however, is there are “substantial costs associated with moving to cloud” via outsourcing, she says. “It doesn’t mean you shouldn’t do it, it just means you have to be protected for those exposures — if there is a breach at the cloud itself.”
To be sure, mid- and small-size companies may not have the resources or focus to do IT well themselves, she says. “In that situation, going to [the] cloud can be smart, because you can get better IT services than you would otherwise be able to afford.”
Nugent adds, however, that “the bottom line is cloudier than is currently perceived when evaluating cloud.” When moving over to the cloud, it’s important not to presume that there will be no IT issues to be concerned about. A solution that may be effective, she says, is to “put some things in the cloud, but not everything.” She would be very reluctant, for example, to put sensitive intellectual property or research and development information on the cloud, which is “a shared environment.”
She also notes that CFOs would be wise to document the rationale for any decisions made to put sensitive information on the cloud. “It’s not a question of if there will be a breach, it’s when,” she says.
Nugent says strong coverage is now being offered at “fairly inexpensive cost” for cyber risks. A number of these policies include coverage for a company’s data that is held by vendors, such as one that does billing, she notes. Insurers include Lloyd’s and U.S. and European companies.
Fewer than 20% of companies are purchasing the coverage, she adds, and advises CFOs to work with their risk managers and insurance brokers familiar with the cloud to identify and mitigate the risks.
In the case of a data breach, she says, many policies respond to the breach costs, forensics, and other expenses. They also cover regulatory fines and penalties, as well as litigation costs, and a number also provide for coverage for public-relations services to address bad publicity surrounding a breach.
Robert Parisi, network security and privacy practices leader for Marsh, a big insurance brokerage, points out that a danger to some companies is that they may be using cloud services “so far down the food chain that they might not be entirely aware of it.”
The risk may simply involve executives having access to a cloud service provided by an outside vendor when they’re traveling, he says. Problems may stem from how the person gains access to the service — from an unsecure Wi-Fi connection in an unsecure physical location, for instance.
Other sources of corporate risk include outsourced payment-processing systems, actuarial tables, and credit confirmation. Parisi points out three reasons breaches may occur:
• A third party now has control over an element of the company’s operations/infrastructure.
• A third party may be connecting into the network either actively by reaching into it or passively, as when the company reaches out to a cloud provider that may itself be vulnerable.
• When certain programs are accessed through the cloud, an organization’s IT staff may not have ramped up its understanding of the program to the same extent that it would have had the company hosted the program internally.
Traditional property-insurance policies typically cover the loss and the extra expense associated with a business interruption only if the functioning of the company’s own property — in this case, computer systems — is interrupted.
What’s missing in this coverage is loss of income stemming from an interruption of outsourced services, costs incurred in procuring the services of a new cloud provider, and the costs of transitioning to a new provider. Costs incurred include the transition of software and data to the new provider, Parisi explains.
Ron Cooley, director of risk management for W.W. Grainger Inc., an industrial supply company, says his company uses multiple cloud services but does not have a specific cloud-coverage policy. “The challenge is that a lot of these policies are evolving because technology is moving so quickly,” he adds, noting that the exposures can also be much larger than the coverage available.
Caroline McDonald is a freelance journalist who has written about risk management and the insurance industry for more than 15 years.