The Unthinkable Risks of the Cloud

Can the small cadre of cloud-computing vendors respond to the needs of their clients
quickly enough to fix a breach?
David E. Wood, Contributor
August 27, 2013 | CFO.com | US
By mid-2013 (meaning now), cloud computing will be in use by about 80 percent of
about 600 companies with at least 500 employees each, according to a 2012 TNS
Infratest survey. The trend is undeniable: Data management and storage are moving
offsite to cloud computing vendors on a vast scale.
Touting cloud computing as a way to eliminate the costs of buying and maintaining on-
site information-technology assets, vendors offer it in the form of software as a service
(SaaS), a distribution model in which software applications are delivered to clients over
a web-based network.
Offered in comprehensive, fully-integrated form, SaaS can
serve the needs of entire companies through huge, web-based platforms. As cloud
computing rapidly becomes the delivery channel for software developers of all shapes
and sizes to get their products to market, offering applications in a cloud is now the rule,
not the exception.
A relatively small number of vendors have the service capacity to
offer SaaS to big companies that want company-wide cloud computing. The barriers to
entry are formidable; only the best-capitalized vendors need apply. Although market-
share statistics are hard to come by, the list of companies large enough to offer cloud
computing on this scale is short: Microsoft, Amazon, Google, Salesforce, Rackspace
and not many others.
The concentration of data and virtual computing in the hands of relatively few vendors
raises an important risk for their clients. If the Internet-based systems of any one
vendor are hacked, the result could be security breaches and invasions of privacy
across entire industries in which their clients do business, creating liabilities on an
almost unthinkable scale.
Can this small cadre of cloud-computing vendors adequately respond to the needs of
their clients to quickly fix such a breach, restore services and, most importantly, cut off
the damage to these clients' own customers?
Can the balance sheet of any one of these vendors protect its clients from such losses
and liabilities?
Could a company like Microsoft eliminate the risk of a virus being planted by a hacker in
its Azure cloud computing product?
If it can't, will its balance sheet, as vast as it is, be enough to protect its clients
against wholesale desertion by their customers?
Don't think such things can't happen. If hackers can penetrate the Department of
Defense, the risk that they will penetrate Microsoft or Google cannot be ruled
out. Compromise of just one of these vendors, even one with a modest market share,
conceivably could shut down, at least temporarily, a sizable slice of the U.S. economy.
Risk Aggregation
With such potential losses at stake, corporations are bound to think about hedging their
exposures via cyber insurance. Yet even as insurance companies rush to meet the
demand for cyber loss and liability insurance products, they worry about aggregation,
the excessive exposure of a single insurer to a single catastrophic event, as Erich
Bublitz recently pointed out in Carrier Management.
If the catastrophic event is a breakdown in just one of the handful of large cloud-
computing vendors serving Corporate America, it is likely that no single cyber insurance
tower could fully protect all of its clients.
A vendor would have to buy staggering amounts of insurance limits to cover all data
security and privacy liability exposure to its customers. Cyber insurers and reinsurers
worry about aggregation because a single catastrophic cyber breach at a single cloud-
computing vendor could wipe out an entire tower (a layer of coverage above a
company's primary insurance policy) of cyber coverage, much like a superstorm can
wipe out a whole region in its wake.
The aftermath of such a crisis would not be pretty. Some of the biggest companies in
the nation might be pitted against each other in competition for the vendor's meager
(compared to the scope of the loss) insurance proceeds and, ultimately, its balance
sheet.
Shouldering the Burden Alone
To adequately manage risk, the clients of these vendors must recognize that as a
practical matter, there probably isn't enough cyber loss and liability insurance capacity
available to cloud-computing service providers to fully protect their clients in such a
scenario.
CFOs and risk managers can continue to request indemnity agreements from their
vendors to gain faster access to their assets in the event of a catastrophic liability, but
with a giant like Microsoft, this often isn't an option. Are there solutions available to one
of the 80 percent of companies that has migrated to cloud computing but wishes to
guard its business and its assets against a 100-year-flood cyber loss or liability event?
The short answer is this: The cloud-computing client must shoulder the burden, largely
alone, of protecting itself from liability to its own customers resulting from a vendor's
security breach or confidential data disclosure.
The company may or may not be able to pass this expense on to the vendor in a
service agreement. Good cyber insurance is not inexpensive. Buying cut-rate
coverage from an insurance company inexperienced in this space, however, can lead to
nasty surprises when the insurer ends up learning how to adjust a catastrophic cyber
claim on the fly.
To protect themselves effectively against this kind of claim, companies need to create a
coordinated effort between the risk and legal departments. Consider these
recommendations:
Choose a cloud-computing vendor carefully. The willingness and ability of the
vendor to stand behind its products and services should be just as important as the
functionality of those products and services.
Engage a broker that has special expertise in cyber insurance. Ask to meet the
broker's cyber risk team, and look for former underwriters of cyber loss and liability
programs coming out of insurance companies known for competency in this field.
Evaluate the cyber catastrophe exposures exceeding a vendor's and the company's
own insurance programs. That's a vital part of enterprise risk management.
David Wood (dwood@andersonkill.com) is co-managing shareholder of the Ventura,
Calif. office of the Anderson Kill law firm. He devotes his practice to liability and errors
and omissions coverage, professional liability insurance, crime coverage, primary-
excess disputes and the rights of additional insureds.
