Founded in 2011, the Milliman Risk Institute provides scientific-based thought leadership on all facets of enterprise risk management (ERM). Composed of senior risk executives, actuaries, and university professors, the Milliman Risk Institute Advisory Board meets semiannually to discuss ERM trends, research, and key topics.
In this blog series, members of the Milliman Risk Institute Advisory Board share their views on ERM research and development and how it can support business insights.
Cloud solutions provide many advantages for corporations looking to offload some costly in-house management aspects of their data to maintain its integrity and security. Cloud solutions also present challenges related to enterprise risk management (ERM) that continue to grow. Just a few years ago clouds were not even on the radar screens of most ERM programs, but that has flipped 180 degrees in the past year. Now, with all or part of their computing outsourced, many corporations are able to see some of the very serious risks.
Cloud risk starts with contractual risk. If you look closely at the contracts cloud services providers offer, nearly all are one-sided in the provider's favor, sometimes extremely so, but information technology (IT) teams are in such need of the perceived advantages that they have just been checking the boxes and agreeing to these terms. Their motivation is to reduce costs, but now there are new issues.
For example, the cloud services provider may not have a duty to report a breach within an appropriate time frame. Many statements of agreement (SOAs) give no assurances about security controls or safeguards. There’s no indemnity for negligence on their part in the event of a security failure. In fact, they often say the opposite—that if they screw up, you agree to defend and indemnify them.
The protocols are often unclear in the event of a breach. A breach is not necessarily a bad guy breaking in; it could be many things. It could just be some insider who did something by mistake, which led to your data being leaked out. Companies need timely notices concerning any breach of their data and may want the ability to forensically investigate a breach in order to report it to insurance companies and learn whether a claim can be filed and covered.
But cloud services providers might not notify you for six to eight months or longer. That can be a real problem if, say, the state attorneys general of 20 different states now have the ability to come after you legally. You are under certain specific requirements to report to them and to your customers should a breach happen. State attorneys general don’t care that you outsource. In their opinion, the onus is on you to make sure your cloud services provider notifies you in a timely manner when a breach occurs.
These issues and others like them are playing out right now in the cloud services sector, and they could cause you trouble because so much of it is happening on third-party networks. There could even be legal questions about who owns the data that is sitting in those systems. The bottom line is that insurance companies may be formally insuring ABC Company, but in effect they are also insuring ABC Company’s third-party cloud services provider. It is effectively a third-party network.
And here’s one more issue to think about. Cloud services providers often outsource to other cloud services providers. Even experienced IT teams are often left trying to figure out the spider web of where specific data actually is, who has access to it, and whether or not all those clouds have reasonable controls in place. Those are some important questions to address. Expect cloud solutions to continue to be a major ERM issue for some time, as companies continue searching for tools and processes to help demonstrate to a regulator, or to a court, that they have put some reasonable due diligence into reviewing their clouds and vendors. It’s turning out to be much easier said than done.
A cyber pioneer and thought leader, Mark Greisiger serves as the President of NetDiligence, a cyber risk assessment and data breach services company. In October 2015, Mark presented at the Milliman Risk Institute Advisory Board Meeting as a keynote speaker. His remarks were well-received and followed by a robust Q&A session. As part of this blog series, we invited Mark to provide some additional commentary to his speech and share his views on trending topics in ERM.