In a competitive global economy, it is essential for CFOs to be engaged in understanding technologies and how they are influencing business strategies and presenting new risks. Cloud services support a wide range of business activities, such as communication, collaboration, project management, scheduling, data analysis, processing, sharing, and storage. Among the issues upon which CFOs should focus their attention are unvetted terms of service, unauthorized use of cloud-based tools and programs, and acceptable use policies for cloud products and services.
Use Care Before Accepting Cloud Service Contracts
The consumerization of IT is rapidly changing business landscapes as executives and employees alike seek the same efficiencies they have with their personal computing in their business computing activities. (This is evident in the popular bring-your-own-device trend, whereby organizations allow employees to use their personal devices in the enterprise.) But risks for businesses abound in this environment, as many cloud services and mobile applications were designed with the individual consumer in mind, not the enterprise.
The risks start with the self-provisioning of cloud services which, to a large degree, commences with a credit card and a click of “I accept” on a web site, typically without any review of the cloud service terms and conditions. This can result in ambiguous provisions, limited access and control, sudden loss of service and data without notification, and privacy issues related to the mining of data stored, processed or shared on a cloud service for resale to third parties.
Cloud service contracts must address important data privacy and security obligations as well as financial and regulatory compliance and litigation-related obligations. Currently, not all cloud vendors will negotiate terms of service because cloud services are typically based upon a commoditized approach, with high-volume, low-cost, standardized services offered to a large group of users. However, as is the case with most contracts, businesses with market leverage have been able to negotiate changes in standard terms of service.
CFOs should be aware that some employees may not fully appreciate the risks involved in contracting for cloud services, and are in a position to champion enterprise-wide education of employees about the use of cloud services and the process for contracting for such services. For those companies that have been able to effect changes in cloud terms of service, some of the most frequently negotiated areas include:
- Limitations on liability, particularly for outages and data loss.
- Availability of the cloud services.
- Security, privacy and regulatory compliance obligations.
- Lock-in and exit (including format for return of data on exit).
- Cloud providers’ ability to change service features unilaterally.
Not all CFOs sign off on these types of purchases; that depends on the company’s processes and procedures. But all finance executives ought to possess an understanding of cloud service procurement, and supervise it, either directly or indirectly, because of the significant implications it has for the enterprise.
Track “Off Radar” Use of Cloud Services
CFOs also need to be aware that procurement of cloud services may be happening without the knowledge of the legal, accounting or compliance departments, denying businesses the ability to assess and mitigate the risks through the use of negotiated terms and conditions. For example, cloud data storage services that provide remote access to documents anywhere, anytime, on any device are commonly used in the workplace. Employees set up personal cloud service accounts and then use them to store both personal and business data. The account can also be set up as a business account in the same manner, with the monthly fee simply appearing as an expense on the employee’s monthly expense report. CFOs and other business executives need to monitor employee use of such services, including Dropbox, Basecamp and Google Docs.
Companies should also consider whether the convenience outweighs the risks of using popular cloud storage services, as there is potential for outside parties to gain unauthorized access to a company’s enterprise network through the cloud storage synchronization services associated with an individual user’s account. Such access creates a data protection challenge as well as a way for malware to infect corporate networks. By staying aware of popular cloud services and how they are being used within corporate networks, CFOs can better protect company data.
Develop Sound Cloud Computing Policies
CFOs who take the initiative to implement appropriate policies related to the use of cloud services can make sure the services are deployed in a manner consistent with the company’s existing financial, compliance, risk management, record retention, employment and IT management policies. Cloud computing policies should establish expectations for employees when using cloud services in connection with institutional data and systems. These policies provide a framework for required behaviors, rules and responsibilities, and information classification and handling, and should include criteria for:
- Conducting a risk/benefit analysis for cloud services.
- Consultation with appropriate data stewards, process owners, stakeholders and subject matter experts during the evaluation process.
- Identifying critical vs. non-critical operations and requiring consideration of “internal cloud” alternatives.
- Negotiating cloud services vendor agreements.
- Assessing vendor physical, technical and administrative safeguards.
- Conducting due diligence on viability of the vendor/service provider.
- Assessing the business’s exit strategy for disengaging from the vendor or service.
CFOs should also be aware of “mixed messages” that employees may be receiving about the use of cloud services. In some situations, companies may be reluctant to block use of employee-provisioned tools, such as cloud storage or cloud project management services, since the companies may not yet have their own solutions available to meet the business needs of their users. But rather than remain silent, and, in the process, potentially increase the legal risks to the company, CFOs and other executives need to engage employees in a discussion about when and where within the enterprise cloud services solutions can safely and cost-effectively be deployed.
Janet A. Stiven is a Member in the Chicago office of Dykema Gossett PLLC. She practices with Dykema’s Business Services Group, where she assists clients in an outside general counsel role as well as with strategic business and technology transactions.