Cloud Risk Management’s Time Has Come

In 2022, 80% of companies surveyed acknowledged that they had experienced at least one cloud security incident. Then, in mid-2023, 94% of companies surveyed reported that they were using at least some type of cloud service.

The popularity of moving IT to the cloud is undisputed, and the pace of cloud adoption is daunting. However, as companies move more IT services to the cloud, questions are being raised as to whether companies are prepared to manage cloud risks in areas including cybersecurity, data handling, intellectual property protection and governance.

“There are risks, and indeed more than half the organizations have had issues in the past year,” said KPMG in an article. “Among them are IT delays, data loss, productivity loss, application outages, regulatory compliance violations, and diminished ability to provide services.”

None of these are casual events. A cloud failure, or a major security or data breach, such as the recent ZeroedIn breach, can shake the reputation and even the very survival of a company. Yet many businesses don’t list cloud as a risk management issue.

Just what are the common risk management issues that companies do monitor and plan for?

Most revolve around dangers confronting the financial balance sheet, such as too many high-risk loans on the books if you are a financial institution, or too many suppliers in risky parts of the world if you are a manufacturer. Cyber breaches and IT disaster recovery have also become risk management concerns, but few organizations have extended risk management to their cloud services providers.

Related:Manage Risk to Foster Innovation in IT

It is up to the CIO to bring this issue forward.

Cloud Risks Companies Should Manage For

The risks that using cloud services present include IT concerns such as security breaches, poor service, data handling, and confidentiality. But they also extend to liability, compliance, and insurability.

Here is a point-by-point review:

Cybersecurity and cyber insurance risks. Cyber insurance is still an evolving area that sees insurance companies lagging technology advances. This is a risk in itself, because insurance companies may not offer or extend coverage for security breaches that originate in the cloud.

Companies might also be unprepared. Most have already extended their business liability coverage to include cyber attacks against their networks, edge devices and internal IT. So, they might feel that they are covered, even if a breach occurs in the cloud. Unfortunately, existing corporate cyber insurance policies may not extend to insurance protection for a cloud-based catastrophic cyber event that occurs in an outside cloud service that the insured company is using.

Related:Latest Okta Breach: Stolen Credentials and Third-Party Risk

It should also be noted that the standard contracts that cloud providers issue to their clients give assurances of “best effort” if a cloud security breach or a failure of service occurs, but these contracts seldom warranty that the cloud provider will assume financial responsibility for any losses.

Part of managing risk is being sure that you have insurance protection in place if a catastrophic event like a security or data breach occurs in the cloud. Your risk management strategy should include meeting with your insurance provider to ensure that your cyber insurance covers events that could originate in the cloud, as well as those in your on-premises IT.

The same goes for cloud-based operations like data handling and data safekeeping.

Intellectual property and IT ownership risks. If you subscribe to a SaaS (software as a service) cloud offering such as an ERP system, a CRM system, or an AI and analytics platform, do you know who owns the unique modules and reports that you develop on the platform for your own company?

Some cloud providers will say that since you used their platform, they are free to repackage and sell or distribute your work to others, while others will be willing to negotiate with you so that you can keep your own work proprietary and confidential, and that you can take it with you should you choose to move to another cloud provider.

Related:Getting Aggressive with Cloud Cybersecurity

There are large enterprises today that continue to run their systems on mainframes that run with dated operating systems because they developed proprietary “secret sauce” systems that give them a distinct competitive advantage in their markets. Companies will continue to develop competitive-advantage applications when their systems in the cloud. When they do this, they should know up front if they will own what they develop, along with identifying the risk of losing this intellectual property and what they can do to prevent the loss.

Companies should prioritize protecting their intellectual property in negotiations with cloud vendors as part of their risk management strategy.

Compliance risks. Industry-specific cloud platforms for healthcare, finance and other industry sectors pledge compliance to general security and privacy standards as well as to regulations that govern the particular industry sectors that they serve.

However, just because the commitments are there doesn’t mean that cloud security and governance are current, or that they match your own.

As part of ongoing risk management, IT should require cloud vendors to provide recent IT and regulatory security audit reports. When outside IT auditors and regulators pay visits to evaluate company security and regulatory compliance, the audits should include reviews of external cloud provider security and governance documents. This assures that everyone in the IT supply chain is compliant, and that there are no compliance or regulatory risks.

Final Remarks

The risk management issues that are emerging along with the cloud go well beyond IT. They should be incorporated into enterprise-wide risk management and should receive board-level reviews.

Here are the reasons for this:

First, many mission-critical systems and applications are being entrusted to the cloud. In moving them there, enterprises have no guarantee that existing business and cyber liability coverages are following them.

Second, by moving critical systems to the cloud, enterprises are removing themselves from direct oversight of security, governance, and regulatory compliance. This introduces greater risk.

Third, corporate risk management and the negotiation of business liability insurance in enterprises is not “owned” by the CIO. Corporate risk management and insurance coverages are often managed by the finance group, with direct oversight from the board and the CEO. It is time for CIOs to add IT and the cloud into corporate risk management and board-level visibility because there is just too much at stake.