Thursday, 17 May 2012
New Risk Framework proves every cloud has a risky lining
The anticipated adoption of cloud computing by business could be hampered by a failure to properly understand and address the risks involved. This is the view of a consortium of risk, insurance, legal and technology advisers led by insurance broker Marsh, known as the Cloud Risk Forum, which has designed a framework it hopes will help businesses to more accurately assess and model the risks they face when moving to the cloud.
The Cloud Risk Framework was officially unveiled at Marsh’s annual Communications, Media and Technology Conference, held in Brighton, where a range of cyber-related risks were discussed, including data protection and social media. The main topic of debate, however, was what Fredrik Motzfeldt, leader of Marsh’s Communications, Media and Technology Practice, calls the ‘conundrum’ of cloud computing.
“Although it promises greater financial efficiency and productivity, the cloud brings an increased dependence upon technology infrastructures housed outside an organisation’s immediate control, a heightened sensitivity over the confidentiality of data, an increased scrutiny of IT decisions and an appreciable lack of risk assessment and quantification specific to the cloud,” he said.
According to Nick Hyner, EMEA Services Legal Counsel for Dell, a US-based computer manufacturer and provider of cloud services, the framework was designed to provide a structured approach to assessing the risks involved with moving to the cloud. “The value is the processes we have set out so people can have a more structured discussion rather than one based on fear and uncertainty.”
The framework consists of five stages: identification of key risk categories; types of financial impact; quantification; assignment of risk between customer and supplier; and likelihood of event. “By using the framework, companies will be able to compare traditional and cloud models, quantify their risks and assign weighted values,” said Mr Hyner.
He accepted that the framework is ‘not the finished article’ but hopes it will be relevant to insurers, chief information officers and risk managers alike. “I hope they will be able to use the framework as a way to communicate the risks to their board members and to prevent lawyers getting bogged down in risks that may be insignificant.”
Despite Mr Hyner’s hopes for the future, the contractual side of cloud computing remains a current and complex issue, said Christopher Millard, Professor of Privacy and Information Law at Queen Mary University in London. After analysing more than 30 standard cloud computing contracts, Mr Millard concluded that some of the contracts were not fit for purpose, unsuitable or, in some cases, even illegal.
Millard compared such contracts to the early days of US software contracts where to break the seal of a shrink-wrapped piece of software was deemed to be an acceptance of terms and conditions and, consequently, an acceptance of liability.
Fortunately, Mr Millard also said that cloud contracts are maturing. But a number of both legal and practical issues remain.
One issue surrounds unrestricted sub-contracting of cloud services. For example, Dropbox, an online storage service, has no cloud infrastructure of its own and uses Amazon.com for this, but the user’s contract is with Dropbox.
Also, despite the virtual nature of cloud computing, physical location still matters from a legal and regulatory perspective even if it is unclear in many cases whose national laws apply in the case of a data protection breach.
And given that cloud computing is still an emerging area, the sophistication of providers is variable, creating the risk that services or even providers may disappear overnight. “It is an extremely fluid area at the moment,” said Mr Millard. “But I think insurers will be instrumental in shaping how this industry evolves.”
The rate of technology change adds complication for insurers and risk managers alike. The Cloud Risk Framework took almost 14 months to complete, which may be relatively rapid in the world of insurance but is positively lethargic in today’s technological world.
Mr Motzfeldt and his Cloud Risk Forum colleagues accept that the release of the framework is ‘a vital first step’ rather than anything final. But continual enhancements and adjustments based on the contributions of risk managers will be as important to its success as the initial efforts of the insurers, lawyers and technologists.
The Cloud Risk Framework drew a guarded response from the risk managers in the audience. Although there was a general appreciation of the efforts made to create more certainty and clarity, quantification of risk remains a problem. As a consequence, risk managers are still finding it difficult to price any insurance they look to buy to cover a move into the cloud.
As one risk manager said: “We are still dancing around the subject even if we are dancing around the subject more thoroughly than we were before.”