By mid-2013, meaning now, cloud computing will be in use by about 80 percent of about 600 companies with at least 500 employees each, according to a 2012 TNS Infratest survey. The trend is undeniable: data management and storage are moving offsite to cloud computing vendors on a vast scale.

Touting cloud computing as a way to eliminate the costs of buying and maintaining on-site information-technology assets, vendors offer it in the form of software as a service (SaaS), a distribution model in which software applications are delivered to clients over a web-based network.

Offered in comprehensive, fully integrated form, SaaS can serve the needs of entire companies through huge, web-based platforms. As cloud computing rapidly becomes the delivery channel for software developers of all shapes and sizes to get their products to market, offering applications in a cloud is now the rule, not the exception.

A relatively small number of vendors have the service capacity to offer SaaS to big companies that want company-wide cloud computing.  The barriers to entry are formidable; only the best-capitalized vendors need apply.  Although market-share statistics are hard to come by, the list of companies large enough to offer cloud computing on this scale is short: Microsoft, Amazon, Google, Salesforce, Rackspace and not many others.

The concentration of data and virtual computing in the hands of relatively few vendors raises an important risk for their clients.  If the Internet-based systems of any one vendor are hacked, the result could be security breaches and invasions of privacy across entire industries in which their clients do business, creating liabilities on an almost unthinkable scale.

Can this small cadre of cloud-computing vendors adequately respond to the needs of their clients to quickly fix such a breach, restore services and, most importantly, cut off the damage to these clients’ own customers?


Can the balance sheet of any one of these vendors protect its clients from such losses and liabilities?

Could a company like Microsoft eliminate the risk of a virus being planted by a hacker in its Azure cloud computing product?

If it can’t, will its balance sheet – as vast as it is – be enough to protect its clients against wholesale desertion by their customers?

Don’t think such things can’t happen.  If hackers can penetrate the Department of Defense, the risk that they will penetrate Microsoft or Google cannot be ruled out.  Compromise of just one of these vendors – even one with a modest market share – conceivably could shut down, at least temporarily, a sizable slice of the U.S. economy.

Risk Aggregation
With such potential losses at stake, corporations are bound to think about hedging their exposures via cyber insurance. Yet even as insurance companies rush to meet the demand for cyber loss and liability insurance products, they worry about aggregation, the excessive exposure of a single insurer to a single catastrophic event, as Erich Bublitz recently pointed out in Carrier Management.

If the catastrophic event is a breakdown in just one of the handful of large cloud-computing vendors serving Corporate America, it is likely that no single cyber insurance tower could fully protect all of its clients.

A vendor would have to buy staggering amounts of insurance limits to cover all data security and privacy liability exposure to its customers.  Cyber insurers and reinsurers worry about aggregation because a single catastrophic cyber breach at a single cloud-computing vendor could wipe out an entire tower (a layer of coverage above a company’s primary insurance policy) of cyber coverage, much like a superstorm can wipe out a whole region in its wake.

The aftermath of such a crisis would not be pretty. Some of the biggest companies in the nation might be pitted against each other in competition for the vendor’s meager (compared to the scope of the loss) insurance proceeds — and, ultimately, its balance sheet.

Shouldering the Burden Alone
To adequately manage risk, the clients of these vendors must recognize that as a practical matter, there probably isn’t enough cyber loss and liability insurance capacity available to cloud-computing service providers to fully protect their clients in such a scenario.

CFOs and risk managers can continue to request indemnity agreements from their vendors to gain faster access to their assets in the event of a catastrophic liability, but with a giant like Microsoft, this often isn’t an option.  Are there solutions available to one of the 80 percent of companies that has migrated to cloud computing but wishes to guard its business and its assets against a 100-year-flood cyber loss or liability event?

The short answer is this: the cloud-computing client must shoulder the burden, largely alone, of protecting itself from liability to its own customers resulting from a vendor’s security breach or confidential data disclosure.

The company may or may not be able to pass this expense on to the vendor in a service agreement.  Good cyber insurance is not inexpensive.  Buying cut-rate coverage from an insurance company inexperienced in this space, however, can lead to nasty surprises when the insurer ends up learning how to adjust a catastrophic cyber claim on the fly.

To protect themselves effectively against this kind of claim, companies need to create a coordinated effort between the risk and legal departments. Consider these recommendations:

Choose a cloud-computing vendor carefully.  The willingness and ability of the vendor to stand behind its products and services should be just as important as the functionality of those products and services.

Engage a broker that has special expertise in cyber insurance.  Ask to meet the broker’s cyber risk team, and look for former underwriters of cyber loss and liability programs coming out of insurance companies known for competency in this field.

Evaluate the cyber catastrophe exposures exceeding a vendor’s and the company’s own insurance programs. That’s a vital part of enterprise risk management.

David Wood ([email protected]) is co-managing shareholder of the Ventura, Calif. office of the Anderson Kill law firm. He devotes his practice to liability and errors and omissions coverage, professional liability insurance, crime coverage, primary-excess disputes and the rights of additional insureds.


36 responses to “The Unthinkable Risks of the Cloud”

  1. “If hackers can penetrate the Department of Defense, the risk that they will penetrate Microsoft or Google cannot be ruled out. ”

    So scary and oh so true. Hackers are very “gifted” people who can really threaten the security of the cloud. That’s why I still use backup for all my files…just in case….

  2. It looks attractive at first glance. But, as a retired top engineer in the field of military communication, these cloud service providers would have to pay me for the privilege to store my data processing and storing capacities. It is really foolish, to say the least, to rely on a network infested with hackers and to put yourself in the hands of such voracious companies as Google, Microsoft and their likes, whose processing resources are not more protected than the US MoD or the White House.

  3. I agree with “Mitch Medina,” “thepianist1221” and “Senechal Jean.”

    For two reasons:

    (1) What they wrote makes a lot of sense;

    (2) he he, if I were a hacker the first thing I’d probably do is assume an online identity with a seemingly benign pseudonym such as “Adam” or “chester” then post comments about how there’s nothing to worry about.

  4. An interesting corollary is that cloud services may develop faster in jurisdictions offering liability limitations to Cloud Providers, the cyber-equivalent of a financial tax-haven. Look out soon for the appearance of ingeniously-incorporated Cayman-Island-based cloud providers…

  5. You take your chances with a cloud service but prudence requires a good DR plan and a secure offsite backup site when disaster strikes.

  6. Remember, whenever you put your data onto someone else’s server, you cannot delete it or control it because of their server backup system. Even if you close your account with the cloud storage vendor, there could still be a copy of what you saved there somewhere in their system. This is not the same as putting your jewellery in a safe deposit box at a bank where you can empty it and there is nothing left in there. If the information is private and confidential, why would you store it on other people’s servers? It is the responsibility of each company and each individual to back up and safeguard what is important and confidential. Putting it in cloud storage is just counter-intuitive. Buying your own server and setting up your own offsite storage is not that expensive or complicated.

  7. I’ve looked at clouds from both sides now
    your data’s “safe” but still somehow
    it’s past abuses I recall
    I really don’t trust clouds, at all.

  8. Nice one Joe :o)

    I think you’d have to be insane to trust cloud vendors and insurance is worse than useless because it lulls you into a false sense of security.

    The bell cannot be un-rung – just ask the NSA

    I’ve got data on google but nothing I care too much about
    Important stuff, you have to encrypt and take responsibility for storing it yourself.

    Tony the dinosaur

  9. Apart from the financial risks, there is also the downside that becoming a corporate cloud service user diminishes the competitiveness of your business in the market place because you are now using the very same software that all your competitors also use and you are subject to the very same limitations they are.

    No longer can you gain a competitive advantage by doing things smarter than your competitors. To a large extent this has already happened in service industries. Most services today are the same no matter which vendor you get them from. The differences are microscopic and merely cosmetic.

    If one company offers something, their competitors will also be offering it. If one company can’t offer something, none of their competitors offer it either. No matter where you shop, you are always buying the same product. Choice has become an illusion. The choice is in the nice packaging, the glossy brochures and the branding. No real choice exists.

    Expect this trend to continue as we move further into outsourced services. It’s a race to the bottom where in the end only the lowest-margin, highest-volume businesses will survive on tiny margins with low-paid employees and high employee turnover, leading to high customer churn rates and ultimately high shareholder churn rates, which finally leads to high volatility in their share price, which then leads to more cost cutting, amplifying the effect.

    It’s a vicious cycle.

  10. I do not understand how anyone can substantiate their alleged ownership of any confidential information once it is submitted to the cloud. How do you establish that the cloudster has preserved the integrity of your information? How many people and how much cloud support documentation and systems security records do you need to present in a court to underpin your assertion that your precious information is your secure and confidential property? Might as well store your secrets in a tin under an oak tree. Cloud, Y2K, global warming, Obama, central banks……the detritus of modern western civilisation.
    At least the Chinese neo-monarchists are making progress.

  11. It’s no surprise to me that the DoD was hacked. Google hires the best hackers in the world to try to hack their system. They even set up challenges to hackers to test their systems. The DoD, on the other hand, has limited funding and suffers from funding cuts every time they cut the budget. So the DoD doesn’t have the money or the talent to throw at protecting their (our) data, at least not to the level of Google. Also, the DoD doesn’t have a billion dollar “brand” to protect…

  12. What is the atmosphere where clouds exist? Is it not by definition the surrounding gaseous environment of pressures and influences of heat and cold? Heat and cold (lack of heat) contrasts result in powerful storms at times. Similarly the definition of atmosphere can be defined as the influence, mental, or moral environment. Our post-modern philosophical world, seriously lacks more and more stable grounding in unshakable truth. In skillful, ingenious and the most suitable irony, humankind naturally moves not only their philosophies to “lofty beliefs” but also the essence of their work and personal information from the ground (which clearly at times can be shaken, but is generally more stable) to “the cloud” which is even more volatile to outward pressures (that’s the definition of atmosphere) and volatile changes from evil influences.

    Clouds are pretty on nice days, but tend to be very volatile to atmospheric (i.e. surrounding and pervading influences) conditions. Given the quick deterioration of the moral climate in this world, the cloud becomes that much more volatile and vulnerable.

    As the author nicely warns, be careful and wary of clouds – collections of information into larger clouds does not necessarily protect anything. Rather larger and larger clouds tend to produce the perfect storm.

  13. If we do a comparison between a safe deposit box where we keep our physical valuables and cloud storage where we keep our information valuables, some things immediately stand out. (Note: in both cases we have outsourced the management/security/privacy of our valuables to 3rd parties.) The value of the contents in the safe deposit box generally is the contents themselves, i.e., your jewellery, physical money etc. A breach of security of the safe deposit box would most likely entail the actual physical loss of the items. The element of privacy does not really arise, i.e., nobody would take the trouble to break into your box, just note down what you have in it and then leave. And, even if they did that, it’s very likely that evidence of their actions would be apparent. In contrast, cloud services deal with information valuables. There is no physical entity. From a security perspective, even if someone “destroys” your information valuables, you could most likely recreate them from backups! However, the greatest threat for information valuables is from privacy breaches – data leakage. Your data could be in the hands of your business rival and you would have no clue that they have it. You would never know if someone had taken a peek at your data and made copies of it. Of course, these things can also happen in internal Data Centres – but I feel that the risks with 3rd parties would likely be higher. Why? Staff don’t work for you directly – hence possibly less allegiance to your needs; managing many different organisations’ data may be a challenge; single point of failure perhaps; other organisations’ rogue/faulty apps may indirectly affect you. These are just some possible reasons.
    But I feel that unless these providers can provide bullet-proof assurances on privacy, large organisations which can afford to run their IT shops would continue to abstain from jumping on the bandwagon.

  14. Some of the points in this article are valid – but some are screamers too:

    “A relatively small number of vendors have the service capacity to offer SaaS to big companies that want company-wide cloud computing”

    Sorry? We’re talking about delivering a business requirement that was most likely previously provided by an internal IT department – but as soon as we move that requirement to the cloud, there’s only a half dozen providers that can manage? Really?

    For what application is that – ERP? Email? CRM? Most of these applications would previously have been hosted on a relative handful of midrange or commodity servers internally, or have been happily provided by ASPs and hosting providers for years.

    Most other centrally accessible apps I’ve seen in large organisations are either relatively vertical, or bespoke – they just aren’t built for parallel scaling under the SaaS/IaaS model that “cloud” implies. Nor do they usually need to be – not many businesses add and remove knowledge workers at the rate that makes parallel scaling architectures a requirement. In practice, that means again that these apps can generally run on a small number of VMs provided by any platform provider that takes your fancy.

    Now – talk of security, backups, data retention etc all make sense – but they’re pretty much the same discussions that you’d have with any IT vendor – and a huge number of large businesses outsourced big chunks of their IT anyway.
    Moving to the cloud doesn’t need to be any different – talk to your vendor, have them agree to how they’re going to treat your data, and have them sign a contract to that effect.

    Does that make them immune to being hacked – of course not. But you weren’t immune to that when you hosted your own infrastructure – and if you’ve selected the right vendor (good luck 🙂 ) then your overall security has improved.

    I would actually argue that for most businesses, a mid-sized hosting vendor is going to be your best bet. Large enough to have economies of scale and automation systems in place – small enough to care deeply about a relationship with your business, and to be willing to work with you on data retention, security and ownership issues.

    If you’re just throwing your data willy-nilly on to Amazon or another hyperscale provider – well, accept that even a large organisation’s internal IT requirements are going to be minuscule at that scale, and you’ll be treated as such.

  15. Dear Mr. Wood,

    It would appear that you have done extensive research on this topic.
    However, it would also appear you have absolutely no knowledge of what you are talking about.

    You state that these vendors offer cloud in the form of “SaaS”… Hmmm, wait a minute, SaaS = Software as a Service.

    Ok, true, SaaS is a form of cloud (also see; IaaS & PaaS).

    Yet, then you state that this is controlled by a “small cadre” of vendors, LIE!
    Facebook, Instagram, Twitter and MANY more all fall under this SaaS category.

    The vendors you mention in the post and the way you are talking about “cloud” would suggest that you are actually referring to IaaS. On IaaS you are in control of your own virtual server, not unlike your own physical server.

    Please do more research OR consult someone with the appropriate knowledge before spouting a dystopian view on technology that has been around since (depending on your point of view) 2006.

    PS. Hackers can hack into your small company’s network also… or even your home computer. General rule of thumb – if it has internet access, it can be hacked.
    E.g. car or perhaps the internet connected pacemaker. See

  16. In the end, Mr. David’s worry is that if a big company such as Google or Microsoft is sued by its clients for a huge amount of money, that will destabilize the US economy, at least temporarily, he says…
    Why don’t you set up a maximum amount that would be paid in case of a problem?

  17. This article spreads more misinformation than information. Cloud computing hosts YOUR software and runs it against on-demand computing resources. How does this mean everyone has the same software now? Also, you could easily (relatively speaking) set up your own cloud, but it probably wouldn’t be profitable or competitive until you have plenty of clients to smooth out demand and get decent utilization of your hardware and expertise. Big organizations already have private clouds, including private clouds that can spill over to a public cloud when demand exceeds supply. The reason why most organizations use one of the big cloud providers is simply because they have a proven track record, and there is plenty of help and support available in online communities.

  18. Using the cloud as a business strategy to provide the capability to run operations does not in any way mean that we disown the responsibility. In fact, all best practices that you would otherwise employ in outsourcing must be employed, including risk assessment, corporate responsibility, etc. As regards security breaches, if someone has the intention of getting into your data, they will want to irrespective of where it is hosted. I believe an established cloud service provider would have better money at its disposal to invest in security than even some big corporations, just utilizing the scale. Good governance and engaging a cloud service provider that is right for your business is the key.

  19. Nice article!

    Security was one of the reasons behind the hesitation in adoption of the cloud. Even though security is reinforced by the vendors, risk aggregation is a very serious threat. Take for example the news related to iCloud. Nothing is impenetrable, esp. in the digital world.

    David, you have raised valid concerns. We all need to take note of it.

    Thank you.

  20. David has raised serious areas of concern that should be of interest to cloud vendors, users, researchers and other stakeholders. Every breakthrough has its threats and risks. While the hackers go about their evil work, the world of cloud must keep working to pre-empt their threats, resist their attacks and make the cyberspace safe and secure as much as possible. We must not go to sleep, as the consequences of any lapse could be devastating on any economy.

  21. All software and hardware have been designed with back doors since the very beginning. All countries participating in their development and production put their touch: US, Germany, Israel, Taiwan, China, Indonesia; that is why they score high in solving affairs or in having an edge in conducting some business. If you analyze the start-up life, you will notice that attracting young competences from all over the world into a limited area eases the plugging of creativity.
