Companies using cloud computing to supplement or replace in-house data storage systems without a cohesive risk management strategy can expose themselves to substantial financial losses and reputational harm, cyber risk experts say.

Any migration of company data to the cloud should be preceded by a thorough assessment of the nature of the data, including the relative impact a loss or theft of that data would have on internal operations, business partnerships and client/customer relations, plus the capabilities, security protocols and interdependencies of potential cloud service providers, the experts said last week during a panel discussion at Business Insurance's 2013 Risk Management Summit in New York.

“One of the biggest problems we see is that there's no holistic approach to information security,” said Solange Gerhnaouti, director of the Lausanne, Switzerland-based Swiss Cybersecurity Advisory and Research Group at the University of Lausanne.

Panelists said those assessments ideally should include risk management, compliance and information technology personnel, and senior-level management and supervisors of departments in which employees are likely to use cloud-based services to transfer and store work-related data.

Unfortunately, panelists said, cloud risk analyses are more often than not compartmentalized, if they are conducted at all.

“The key data risk stakeholders within an organization often don't play well with each other,” said Doug Pollack, chief marketing officer at Portland, Ore.-based ID Experts Inc. “We view it as a team sport.”

Because most cloud service providers do not offer much in the way of contractual risk transfer and indemnification, panelists said, companies contemplating data management through cloud-based services also should carefully consider the availability of insurance to address potential financial losses stemming from a data breach or service outage. While many cyber risk policies cover first- and third-party liabilities in the event of a data loss, insurers can often deny coverage if a policy does not specifically mention cloud-based services.

“You want to open up your insurance policy and hone in on the definitions of your computers or your network if you don't see the word "cloud' in the policy,” said Scott Godes, a Washington-based attorney at Dickstein Shapiro L.L.P. “That will give you a good idea of how broadly your coverage will range in the event of a breach or a cloud-related problem.”