Tuesday, 12 June 2012
A merry dance
‘What mankind can dream, technology can achieve’ is the corporate slogan of Japanese technology services company Fujitsu. A minor tweak, changing ‘dream’ to ‘picture in their worst nightmare’, would perhaps be a more adequate description of how the risk and insurance industry views technology currently.
IT security experts continue to stress that cyber threats remain largely the same as they did 10 years ago and that the human element is still more influential than sophisticated technology. But it is the role of technology in changing business models that concerns most risk managers.
Social media such as Facebook and Twitter are being increasingly accessed in the workplace and the propensity for staff to bring their own devices to work means many are bypassing the corporate network and creating new vulnerabilities.
And then there is cloud computing—a new take on the old outsourcing model that involves services based on the internet that promise significant financial savings and operational flexibility but also bring a new wave of cyber-related risks.
Indeed the anticipated adoption of cloud computing among businesses could be hampered by a failure to properly understand and address the risks involved.
This is the view of a consortium of risk, insurance, legal and technology advisers led by insurance broker Marsh, known as the Cloud Risk Forum.
This group has designed a framework it hopes will help businesses to more accurately assess and model the risks they face when moving to the cloud.
The Cloud Risk Framework was officially unveiled at Marsh’s annual Communications, Media and Technology Conference, held in Brighton last month, where a range of cyber-related risks were discussed, including data protection, social media and the cyber-related threats to critical infrastructures.
The main topic of debate, however, was what Fredrik Motzfeldt, leader of Marsh’s Communications, Media and Technology Practice, calls the ‘conundrum’ of cloud computing.
“Although it promises greater financial efficiency and productivity, the cloud brings an increased dependence upon technology infrastructures housed outside an organisation’s immediate control, a heightened sensitivity over the confidentiality of data, an increased scrutiny of IT decisions and an appreciable lack of risk assessment and quantification specific to the cloud,” he said.
According to Nick Hyner, EMEA Services legal counsel for Dell, a US-based computer manufacturer and provider of cloud services, the framework was designed to provide a structured approach to assessing the risks involved with moving to the cloud. “The value is the processes we have set out so people can have a more structured discussion rather than one based on fear and uncertainty.”
The framework consists of five stages: identification of key risk categories; types of financial impact; quantification; assignment of risk between customer and supplier; and likelihood. “By using the framework, companies will be able to compare traditional and cloud models, quantify their risks and assign weighted values,” said Mr Hyner.
Mr Hyner accepted that the framework is “not the finished article”. But he hopes that it will be relevant to insurers, chief information officers and risk managers alike. “I hope they will be able to use the framework as a way to communicate the risks to their board members and to prevent lawyers getting bogged down in risks that may be insignificant,” he explained.
Despite Mr Hyner’s hopes for the future, the contractual side of cloud computing remains a current and complex issue, said Christopher Millard, Professor of Privacy and Information Law at Queen Mary University of London.
After analysing more than 30 standard cloud computing contracts, Mr Millard concluded that some of the contracts were not fit for purpose, unsuitable or even illegal in some cases.
And despite the virtual nature of cloud computing, physical location still matters from a legal and regulatory perspective even if it is unclear in many cases whose national laws apply in the case of a data protection breach.
And, given that cloud computing is still an emerging area, the sophistication of providers is variable, creating the risk that services or even providers may disappear overnight.
“It is an extremely fluid area at the moment,” said Mr Millard. “But I think insurers will be instrumental in shaping how this industry evolves,” he added.
The unveiling of the Cloud Risk Framework follows the launch of a cyber insurance security standard from UK-based IT assurance firm NCC Group that is designed to encourage a minimum level of security among firms wishing to purchase cyber insurance.
NCC formed a working group along with underwriters Liberty International, Zurich Insurance and CNA Europe, and Oval, the UK broker that specialises in technology insurance.
“A standard is badly needed and looks set to become a legal requirement in the future,” said Jacob Ingersley, European Underwriting Director, Technology and Cyber Risks at CNA Europe. “For insurers to be strict with companies in terms of physical security is standard practice,” added Rob Cotton, CEO at NCC Group. “The same significance must be extended to information security,” he added.
For risk managers, however, a number of issues around cyber insurance remain.
In Brighton, the introduction of the Cloud Risk Framework drew a guarded response from the risk managers in the audience. Although there was a general appreciation of the efforts made to bring more certainty and clarity to the risks around cloud computing, there is still a lack of quantification.
This means that risk managers are still finding it difficult to price any insurance they look to buy to cover any move into the cloud.
As one risk manager said during the event: “We are still dancing around the subject even if we are dancing around the subject more thoroughly than we were before.”