Risk managers should select cloud providers carefully: Summit panelist

NEW YORK — With few barriers to entry and low start-up costs, companies looking to put data in the cloud need to make sure their cloud service providers are viable and going to be there when they need them, a panel speaker said Wednesday at Business Insurance's Risk Management Summit in New York.

“The cloud space is an area where there are very little barriers to entry and the technology is cheap,” said Robert Parisi, network security and privacy practice leader at Marsh L.L.C. in New York.

On the flip side, there is the risk of being locked in and tied into a cloud provider's technology in such a way “that you can't move off of it,” said Mr. Parisi, adding he has had clients who can no longer retrieve their databases “because the technology was no longer there.”

Among other concerns, he said, are lack of scalability or robustness, unpredictable costs and the risk the cloud provider violates someone's intellectual property. If you are dealing with a start-up vendor, and “you're a Fortune 100 company, guess who's going to get into a lawsuit?” he asked rhetorically. International, regulatory and tax issues are concerns as well, he said.

Many of these risks are applicable to the cloud provider as well, although “obviously from a different perspective,” said Marcin Plonka, Newtown Square, Pa.-based global risk manager for cloud provider SAP America Inc.

“We worry about making sure we can provide solutions in case there is a natural event or other disruption,” that there is “enough backup to make sure the services can be quickly recovered and provided without impacting clients' ability to do business,” Mr. Plonka said.

As a cloud provider, SAP is also concerned about privacy, security and integrity issues, he said. “Another risk is compliance with the various laws in different jurisdictions. In the U.S., we have 50 different states” with 50 different sets of regulations, which makes compliance “extremely difficult,” Mr. Plonka said.

Richard J. Bortnick, a shareholder at law firm Christie, Pabarue & Young P.C. in Philadelphia, stressed breach prevention. “It's a lot easier to fix it before it's broken than to try to fix it after the breach event,” he said, adding costs can increase exponentially once a breach has occurred.

The first call after a breach should be to the insurer, who will have a panel of experts for services, including forensics, whom firms can call upon. An attorney should also be called, Mr. Bortnick said, adding he cannot stress enough the value of the attorney-client privilege, which protects the company in the event of subsequent litigation.

“You want basically to make sure the contract has built into it some idea of the collaboration that will ensue in a worst case scenario,” said Mr. Parisi, discussing the issue of contracts with cloud providers. “When something bad happens,” a company's relationship with its cloud provider could become adversarial fairly quickly and lead to data access being blocked, he said.

But that issue can be avoided if beforehand you “engage in a very open, candid discussion with the cloud provider,” making sure you detail how you extract the data, deal with redundancies and ensure the services are robust and scalable enough, he said.

Mr. Plonka said his firm wants to retain its clients, so it has an obvious interest in helping any client who has suffered a breach event ensure they “get whatever information they need to comply with the various laws and regulations.”

“We may not allow them to bring analysts into the data center to roam free, but we would certainly cooperate with the customer to make sure that whatever information they need to comply and make things right, we can provide to them,” he said.

Mr. Plonka also said the “days of non-negotiable contracts are pretty much over when it comes to sophisticated customers.”

Audrey A. Rampinelli, vice president of risk management at New York-based Loews Corp., moderated the session.
