By Sandy Codding, Managing Director and U.S. Commercial Errors & Omissions Practice Leader, Marsh’s FINPRO Practice
Innovations in technology, improved access to high-speed Internet, and a weak economy have cumulatively heightened interest in cloud computing. The term “cloud computing” generally means anything that involves delivering hosted computing services over the Internet. Here, the word “cloud” is used to refer to the Internet, which is most frequently depicted in diagrams as a cloud.
Cloud computing is an activity equivalent to that already provided by computer servers or mainframes within a company. To engage in cloud computing, organizations will work with a cloud vendor: They need not have expertise in or control over the technology infrastructure in the cloud supporting them. Resources such as data storage space, computer applications (e.g., customer relationship management programs), and computing (i.e., data processing) are shared by all of a particular cloud vendor’s customers.
A public cloud operates outside of a company’s computer network and is provided by a third party (the cloud vendor). An advantage of using public cloud computing is the device and location independence that it provides. Although the network infrastructure is off site and accessed via the Internet, users can connect from any location using a variety of electronic devices, including personal computers, laptops, tablets, and smart phones.
Use of public cloud computing can also be a part of a corporate business continuity and disaster recovery plan. Inasmuch as the network infrastructure is off site, a physical event at a company (e.g., earthquake or fire) will not affect network availability. As such, employees will not lose their ability to connect to the company’s network. At the same time, if a cloud data center experiences an outage, some cloud computing vendors have multiple data centers that can be accessed as substitutes, ensuring seamless network availability.
In contrast, a private cloud is typically within the company’s network and shared among the company’s internal user groups. A private cloud can be created with a third-party provider by segregating a part of the vendor’s cloud for the exclusive use of a customer, but this comes at a higher cost.
Typically, cloud computing customers do not own the physical computer network infrastructure; instead companies avoid incurring expenses by renting usage from a third-party provider. They consume computer resources as a service and pay only for resources that they use. Generally there are two billing methods: the utility model, which is essentially pay-for-use (this is akin to paying for gas, electric, or other public utilities), and subscription, which is a fee for access over a period of time.
There are a number of risks associated with using cloud computing. Perhaps the primary concern for most companies using a third-party cloud provider is data security. Yet, data security is likely to be stronger because the cloud vendor has more resources to devote to it. However, cloud computing users do relinquish control of data security.
Should a data breach occur in the cloud service provider’s computer network environment, it is likely that the cloud computing customer will still be responsible for the privacy breach response actions, including notification and provision of call center services and credit monitoring.
The cloud computing customer, however, may be able to bring a negligence claim (for failing to protect the data) against the cloud vendor. Further, certain organizations are subject to regulations that stipulate minimum standards for data security. These data security requirements are often a function of the industry sector in which an entity operates, or may relate to an entity’s status as a publicly traded company, private enterprise, or non-profit organization.
By way of example, the U.S. Securities and Exchange Commission mandates certain data security rules for certain classes of financial institutions. It is prudent for companies in highly regulated industries to seek confirmation that their cloud vendor’s security policies are in compliance with regulatory requirements imposed upon their particular industry group. In addition, cloud vendors should express a willingness to undergo security audits to verify compliance.
Another regulatory and compliance risk involves the location of the data stored in the cloud. Some U.S. regulations require that certain types of data be stored in the United States. Many cloud providers have multiple data centers, including some located outside of the United States. Since data stored in the cloud is often spread across the cloud provider’s data storage infrastructure, specific care must be taken with regard to the storage location if this is a requirement.
Organizations involved with cloud computing must also be cognizant that U.S. laws governing copyrights and patents provide that a person or entity using an infringing product can be held legally liable for infringement. As cloud computing involves computer software, a cloud vendor not only faces the risk of an infringement action, but the cloud vendor’s customers may also be confronted with infringement claims.
Customers of cloud computing services are also concerned with “latency”—the performance level that the cloud vendor can deliver in terms of the time required to access data and applications—as well as the quality of the cloud vendor’s service. Notably, cloud computing may not be the proper solution for companies that require super-fast access to data and applications.
Errors and Omissions (E&O) Risks
Further, organizations that are service providers may expose themselves to errors and omissions (E&O) risks if they use a cloud vendor that cannot deliver performance levels adequate for the organization to meet its own customers’ requirements. The cloud vendor itself could be exposed to the extent that its performance levels or quality of services provided causes its customers to suffer financial harm.
Similar to expectations regarding performance levels of cloud vendors, cloud computing customers also expect access to data, computer applications, and computing services to be available at all times without interruption. Yet, unavailability of services can be caused by technology problems, human error, financial difficulties (e.g., bankruptcy), or litigation against the cloud vendor.
Technology and Financial Risks
From a technological perspective, consider that the cloud vendor may experience a problem with the technology in its data center or there may be a problem with the transmission line over which data is exchanged. In terms of financial difficulties, if the cloud vendor seeks bankruptcy protection it may well have to cease operation and liquidate the business, which would obviously require the customer to switch to a new vendor. This may result in a long service disruption, and, if the closing of the business is not orderly, it could also result in loss of customer data.
Even if the financial difficulties of the cloud vendor do not result in a filing for bankruptcy protection, reduced financial strength could result in a reduction in the investment in the computer network infrastructure, which would increase the risk of a service interruption or a network breach. In terms of litigation risk, if the cloud vendor is enjoined from doing business due to litigation filed against it, not only will the service be interrupted but the cloud customer also may lose access to any data stored with the vendor.
Mitigating Cloud Computing Risks
Customers of cloud vendors are well advised to investigate the technological capabilities of those vendors as well as their financial stability and litigation history. Before committing to a cloud computing solution, organizations are advised to take the following steps to mitigate their risk:
- Consider the data and applications that are put into the cloud.
- Assess your organization’s own performance and availability requirements in comparison to the performance levels and availability of services offered by the cloud vendor (review historical performance data).
- Research the cloud computing service vendor/provider, including the level of data security (both network and physical), redundancy, recovery, capacity, data center quality, data center location, audit trail, financial stability, and litigation history.
- Examine the intellectual property used by the cloud vendor and obtain information that legally confirms its rights to that intellectual property.
- Seek contractual indemnification from the cloud computing vendor/service provider and negotiate the limitation of liability to the highest value possible.