IT security experts continue to stress that cyber threats remain largely the same as they were 10 years ago and that the human element is still more influential than sophisticated technology. But it is the role of technology in changing business models that concerns most risk managers.
Social media such as Facebook and Twitter are increasingly being accessed in the workplace, and the propensity for staff to bring their own devices to work means many are bypassing the corporate network and creating new vulnerabilities.
And then there is cloud computing: a new take on the old outsourcing model, built on internet-based services that promise significant financial savings and operational flexibility but also bring a new wave of cyber-related risks.
Indeed the anticipated adoption of cloud computing among businesses could be hampered by a failure to properly understand and address the risks involved.
This is the view of a consortium of risk, insurance, legal and technology advisers led by insurance broker Marsh, known as the Cloud Risk Forum.
This group has designed a framework it hopes will help businesses to more accurately assess and model the risks they face when moving to the cloud.
The Cloud Risk Framework was officially unveiled at Marsh’s annual Communications, Media and Technology Conference, held in Brighton last month, where a range of cyber-related risks were discussed, including data protection, social media and cyber-related threats to critical infrastructure.
The main topic of debate, however, was what Fredrik Motzfeldt, leader of Marsh’s Communications, Media and Technology Practice, calls the ‘conundrum’ of cloud computing.
“Although it promises greater financial efficiency and productivity, the cloud brings an increased dependence upon technology infrastructures housed outside an organisation’s immediate control, a heightened sensitivity over the confidentiality of data, an increased scrutiny of IT decisions and an appreciable lack of risk assessment and quantification specific to the cloud,” he said.
According to Nick Hyner, EMEA Services legal counsel for Dell, a US-based computer manufacturer and provider of cloud services, the framework was designed to provide a structured approach to assessing the risks involved with moving to the cloud. “The value is the processes we have set out so people can have a more structured discussion rather than one based on fear and uncertainty.”
The framework consists of five stages: identification of key risk categories; types of financial impact; quantification; assignment of risk between customer and supplier; and likelihood. “By using the framework, companies will be able to compare traditional and cloud models, quantify their risks and assign weighted values,” said Mr Hyner.
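The five stages can be read as the columns of a risk register, with the fourth and fifth supplying the weights the article refers to. The following is an added illustration written for this page, not code from Marsh, Dell or the Cloud Risk Forum: every risk name, loss figure, contractual share and likelihood in it is constructed, and the scoring rule (expected annual loss, split between customer and supplier) is an assumption about how the stages would be combined, not the framework's own method. It compares a traditional in-house register against a cloud register for the same business process and reports how much expected loss a move would shift to the supplier and how much the customer would still retain.

```python
# Added illustration of the five-stage structure described above. All names,
# figures and contract shares are constructed for the example; the scoring rule
# is an assumption and is not the Cloud Risk Forum's framework itself.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One register row, with a field for each of the five stages."""
    name: str
    category: str          # stage 1: key risk category
    impact_type: str       # stage 2: type of financial impact
    impact_gbp: float      # stage 3: quantified loss if the event occurs
    customer_share: float  # stage 4: fraction of that loss the customer keeps;
                           #          the rest is assigned to the supplier by contract
    likelihood: float      # stage 5: probability of the event within one year

    def __post_init__(self) -> None:
        # A share or likelihood outside [0, 1] would silently distort the
        # weighted comparison, so reject such rows at construction time.
        if not 0.0 <= self.customer_share <= 1.0:
            raise ValueError(f"{self.name}: customer_share must be within [0, 1]")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be within [0, 1]")
        if self.impact_gbp < 0:
            raise ValueError(f"{self.name}: impact_gbp must be non-negative")

    def expected_loss(self) -> float:
        """Annualised expected loss before any contractual transfer."""
        return self.likelihood * self.impact_gbp

    def retained_loss(self) -> float:
        """The part of the expected loss that stays with the customer."""
        return self.expected_loss() * self.customer_share

    def transferred_loss(self) -> float:
        """The part assigned to the supplier under the contract."""
        return self.expected_loss() - self.retained_loss()


def summarise(register: list[Risk]) -> dict:
    """Roll a register up into totals and a per-category retained figure."""
    by_category: dict[str, float] = {}
    for risk in register:
        by_category[risk.category] = by_category.get(risk.category, 0.0) + risk.retained_loss()
    return {
        "expected_loss": round(sum(r.expected_loss() for r in register), 2),
        "retained": round(sum(r.retained_loss() for r in register), 2),
        "transferred": round(sum(r.transferred_loss() for r in register), 2),
        "retained_by_category": {k: round(v, 2) for k, v in by_category.items()},
    }


def compare(traditional: list[Risk], cloud: list[Risk]) -> dict:
    """Weighted comparison of the two delivery models for the same process."""
    t, c = summarise(traditional), summarise(cloud)
    return {
        "expected_loss_delta": round(c["expected_loss"] - t["expected_loss"], 2),
        "retained_delta": round(c["retained"] - t["retained"], 2),
        "transferred_to_supplier": c["transferred"],
        # Categories that only exist once the process is outsourced.
        "new_categories": sorted(set(r.category for r in cloud)
                                 - set(r.category for r in traditional)),
    }


# Constructed sample registers (hypothetical figures in GBP).
TRADITIONAL = [
    Risk("data breach", "confidentiality", "regulatory fine and notification", 500_000, 1.0, 0.05),
    Risk("service outage", "availability", "lost revenue", 200_000, 1.0, 0.10),
]
CLOUD = [
    # Supplier accepts 30% of breach losses under a liability cap in the contract.
    Risk("data breach", "confidentiality", "regulatory fine and notification", 500_000, 0.7, 0.04),
    # SLA credits are assumed to recover 20% of outage losses.
    Risk("service outage", "availability", "lost revenue", 200_000, 0.8, 0.08),
    # Risks that only appear once the service is outsourced stay wholly with the customer.
    Risk("provider exit", "continuity", "migration and re-platforming", 150_000, 1.0, 0.02),
    Risk("data location", "legal", "cross-border legal costs", 100_000, 1.0, 0.03),
]

if __name__ == "__main__":
    print("traditional:", summarise(TRADITIONAL))
    print("cloud:", summarise(CLOUD))
    print("comparison:", compare(TRADITIONAL, CLOUD))
```

The point the numbers make is the one the article's risk managers raise later: a contract can move part of the expected loss to the supplier, but the categories the move itself creates (provider exit, data location) carry a customer share of 1.0, so the retained figure, not the headline expected loss, is what an insurer or board should be shown.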
Mr Hyner accepted that the framework is “not the finished article”. But he hopes that it will be relevant to insurers, chief information officers and risk managers alike. “I hope they will be able to use the framework as a way to communicate the risks to their board members and to prevent lawyers getting bogged down in risks that may be insignificant,” he explained.
Despite Mr Hyner’s hopes for the future, the contractual side of cloud computing remains a current and complex issue, said Christopher Millard, Professor of Privacy and Information Law at Queen Mary University of London.
After analysing more than 30 standard cloud computing contracts, Professor Millard concluded that some of them were not fit for purpose and, in some cases, even illegal.
And despite the virtual nature of cloud computing, the physical location of data and infrastructure still matters from a legal and regulatory perspective, even if it is unclear in many cases whose national laws apply in the event of a data protection breach.
And, given that cloud computing is still an emerging area, the sophistication of providers is variable, creating the risk that services or even providers may disappear overnight.
“It is an extremely fluid area at the moment,” said Professor Millard. “But I think insurers will be instrumental in shaping how this industry evolves,” he added.
The unveiling of the Cloud Risk Framework follows the launch of a cyber insurance security standard from UK-based IT assurance firm NCC Group that is designed to encourage a minimum level of security among firms wishing to purchase cyber insurance.
NCC formed a working group along with underwriters Liberty International, Zurich Insurance and CNA Europe, and Oval, the UK broker that specialises in technology insurance.
“A standard is badly needed and looks set to become a legal requirement in the future,” said Jacob Ingersley, European Underwriting Director, Technology and Cyber Risks at CNA Europe. “For insurers to be strict with companies in terms of physical security is standard practice,” added Rob Cotton, CEO at NCC Group. “The same significance must be extended to information security,” he added.
For risk managers, however, a number of issues around cyber insurance remain.
In Brighton, the introduction of the Cloud Risk Framework drew a guarded response from the risk managers in the audience. Although there was a general appreciation of the efforts made to bring more certainty and clarity to the risks around cloud computing, there was still a lack of quantification.
This means that risk managers are still finding it difficult to price any insurance they might buy to cover a move into the cloud.
As one risk manager said during the event: “We are still dancing around the subject even if we are dancing around the subject more thoroughly than we were before.”