The framework consists of five stages: identification of key risk categories; types of financial impact; quantification; assignment of risk between customer and supplier and likelihood of event. “By using the framework, companies will be able to compare traditional and cloud models, quantify their risks and assign weighted values,” said Mr Hyner.

He accepted that the framework is ‘not the finished article’ but hopes it will be relevant to insurers, chief information officers and risk managers alike. “I hope they will be able to use the framework as a way to communicate the risks to their board members and to prevent lawyers getting bogged down in risks that may be insignificant.”

Despite Mr Hyner’s hopes for the future, the contractual side of cloud computing remains a current and complex issue, said Christopher Millard, Professor of Privacy and Information Law at Queen Mary University in London. After analysing more than 30 standard cloud computing contracts, Mr Millard concluded that some of the contracts were not fit for purpose, unsuitable or even illegal in some cases.

Millard compared such contracts to the early days of US software contracts where to break the seal of a shrink-wrapped piece of software was deemed to be an acceptance of terms and conditions and, consequently, an acceptance of liability.

Fortunately Mr Millard also said that cloud contracts are maturing. But a number of both legal and practical issues remain.

One issue surrounds unrestricted sub contracting for cloud services. For example, the service Dropbox—an online storage service—has no cloud infrastructure of its own and employs Amazon.com for this, but the user’s contract is with Dropbox.

Also, despite the virtual nature of cloud computing, physical location still matters from a legal and regulatory perspective even if it is unclear in many cases whose national laws apply in the case of a data protection breach.

And given that cloud computing is still an emerging area, the sophistication of providers is variable creating the risk that services or even providers may disappear overnight. “It is an extremely fluid area at the moment,” said Mr Millard. “But I think insurers will be instrumental in shaping how this industry evolves.”

The rate of technology change has added complication for insurers and risk managers alike. The Cloud Risk Framework took almost 14 months to complete, which may be relatively rapid in the world of insurance but is positively lethargic in today’s technological world.

Mr Motzfeld and his Cloud Risk Forum colleagues accept that the release of the framework is ‘a vital first step’, rather than anything final. But continual enhancements and adjustments based on the contributions of risk managers will be as important to its success as the initial efforts of the insurers, lawyers and technologists.

The Cloud Risk Framework drew a guarded response from the risk managers in the audience. Although there was a general appreciation of the efforts made to create more certainty and clarity, quantification of risk remains a problem. As a consequence risk managers are still finding it difficult to price any insurance they look to buy to cover any move into the cloud.

As one risk manager said: “We are still dancing around the subject even if we are dancing around the subject more thoroughly than we were before.”

Please sign up here to our full-time mailing list to ensure that you receive our weekly newsletter.

• More Cyber News
• More Risk Management News