Cloud computing risks and how to control them
June 23, 2014
An interview with Jim Charron
Jim Charron, CPCU Practice Leader, Technology Zurich North America, Middle Markets Commercial, talks about cloud computing’s biggest risks and how to help combat them.
1) What is cloud computing?
Cloud computing is a type of outsourcing of computer services. It is a remote subscription-based service where you can obtain scalable computing resources. Many of us are using the cloud for personal use with applications such as Netflix or Gmail and at work with Salesforce and other applications we may not even know are in the cloud.
2) What are the biggest/most common risks associated with using a cloud system?
Cyber security is a big concern and gets the most attention. Once a company starts using the cloud, it has changed their data security exposure and controls significantly. Cloud service providers generally offer a very high level of security protection but can also be a more attractive target for sophisticated hackers. If there is a successful breach of the cloud and the customer’s data is compromised, it is typically the data owner’s responsibility to respond to any regulatory or legal issues.
Compliance with foreign regulations comes into play for providers who have data centers outside the United States. There’s a risk you could lose access or privacy to your data based on a foreign government’s data laws. You could also find different levels of security that are used to comply with a country’s data laws. Depending on the type of data sets you have in the cloud, this could be a significant exposure to loss of access to critical information.
Loss of access is a big risk too. When a company transfers their computing needs to the cloud, they are changing their business interruption risk too. The cause of the service outage could be from any number of sources like a cyber security event, a physical peril such as fire or water, force majeure, or other causes such as human error or utility outage. Regardless of what causes the downtime, for some users such as those deploying Software as a Service (SaaS) or other critical functions, the result can be lost income, additional expenses, and reputational damage.
3) What kind of protection should a user have to respond to these risks?
4) Are there gaps in protection? How can protection be improved?
The biggest gap I see is the lack of appropriate coverage for business interruption from physical perils to the cloud. Property coverage hasn’t kept pace with the transformation to the cloud. Traditional business interruption coverage is triggered off of property damage to an insured’s property, but with the cloud, the insured doesn’t own the computers and the location providing the computing resources can change. Then there are the exclusions in coverage often used for this exposure, such as loss of utilities and contingent business interruption, that can come into play. To properly insure BI from the cloud, coverage needs to respond to damage at any cloud facility and not be tied to insured property damage.
5) What is the #1 most important fact about cloud computing that you’d like people to know?
Physical perils such as lightning and other storm activity have caused clients more downtime than cyber-attacks.