Cloud computing security best practices

Security audits, liability agreements help cut cloud risks

As companies increasingly shift their information technology resources to cloud-based systems hosted by third-party providers, they are finding that they cannot shift their liability from a data breach along with it.

Although the provider may pledge to protect sensitive information, the company that collects the data is statutorily liable for its security, experts say.

Fortunately, best practices are arising to help risk managers limit their companies' financial exposure to a data breach. These include contractual considerations that shift certain breach-related costs to providers, improved methods of assessing vendors' security measures, and insurance mitigating the financial impact of a breach that has occurred.

Getting in front of the issue is crucial, experts say, given the vast array of data now stored in the cloud, not to mention the firm resolve of cyber criminals to pry open the vault.

“As cloud services gain in popularity, related breach incidents will surely increase,” said Alan Brill, senior managing director of cyber security at New York-based security firm Kroll Inc.

So far, the number of data breaches of cloud vendors appears to be quite small, although not all incidents may have been publicly disclosed (see story, page 14). Nevertheless, Mr. Brill said many companies are ill-prepared to cope with the fallout from a breach.

“In many cases, organizations are making the decision to use cloud services without bringing in risk management or legal to weigh in with their expertise and opinions,” he said. “Important questions—like who can access our data, are we sure the data is secure, and will we be indemnified by the vendor if there is a breach—are not being asked. Thus, there may be no contractual responsibility on the part of the provider to make the company whole, post-breach.”

Mr. Brill is not alone in his concern. “It's a question of trust,” said Jay Heiser, vp of research at technology consultant Gartner Inc. “In the case of commercial cloud service providers, clients trust their data will be safe. But trust is a very superficial way to manage risk.”

Cloud risk management begins with an assessment of the types and range of information technology—the full IT infrastructure or just specific services—that a company wants to move to the cloud.

“There are two distinct service buckets,” said Robert Parisi, senior vp of broker Marsh Inc.'s FINPRO practice in New York. “One is ‘software as a service’ and the other is ‘infrastructure as a service.’ Each creates different risks. If a critical app is breached in a SaaS environment, it will slow down a company but not cripple it. If this happens in an IaaS environment, the potential for harm is much higher.”

Once this decision is reached, auditing the security and performance reliability of different providers is vital. The most prevalent means, experts say, is to conduct an SSAE 16 audit, the new “attest” standard put forth by the Auditing Standards Board of the American Institute of Certified Public Accountants that replaces the SAS 70 standard. SSAE 16 requires a service organization to provide a description of its system, in addition to a written statement of “assertions,” i.e., the essential security and privacy requirements that the service organization will effectively “assert” to.

“SSAE 16 allows for an independent assessment by an independent auditor around the operational environment used to deliver the cloud platform, in terms of security protocols and how they are being enforced,” said Irfan Saif, a principal in the security and privacy practice of accounting firm Deloitte & Touche L.L.P.

Mr. Saif added that another security consideration is whether the provider is compliant with ISO 27001, a standard mandating specific technology security requirements, such as proper firewalls and encryption of data at rest and in transit.

In the future, buyers of cloud services also may find reassurance from the Security, Trust and Assurance Registry Initiative, which is being developed by a consortium of service providers. The initiative involves a self-assessment questionnaire taken by providers attesting to their security controls.

“The goal is to encourage transparency of security practices by providers and more of an ‘apples-to-apples’ comparison,” said Mr. Saif, noting that Deloitte & Touche is a member of the consortium.

Still, as Gartner's Mr. Heiser points out: “The fatal flaw with security audits is that they cannot promise you that a provider is totally free of security vulnerabilities. It's easy to come up with a checklist for the known environment. It's what's next, securitywise, that is most worrisome.” Hence the wisdom in inking sound contracts with providers and buying cyber insurance to fill in the gaps, he says.

Once a cloud provider is selected, contractual negotiations commence. “The question to address in the contract is who is paying for what,” said Shawn Ram, national technology practice leader at broker Aon Risk Solutions. “State laws require the organization that collected personally identifiable information to be responsible for the cost of notifying people of a breach involving their information,” he said. “Studies indicate this can cost more than $200 per individual, a sizable figure when thousands of people are involved. You want to ensure in the contract that if a breach occurs, the provider will bear this expense and the cost of monitoring the credit of affected people.”

Attorney David Navetta, a partner at Denver-based Information Law Group, advises the development of contracts with meaningful terms around incident response.

“When a breach occurs, you want to be sure the provider will conduct a proper investigation of what happened, ascertain the scope of the breach and its cause, and permit you to conduct your own forensic investigation to ensure you are getting the full picture,” Mr. Navetta said.

Mr. Parisi recommends that risk managers make sure that the provider has a professional liability insurance policy in the event of a lawsuit alleging negligence.

In most cases, contracts with providers fail to address clients' potential business interruption losses if they have to shut down for an indeterminate period while a security flaw is fixed, according to Mr. Heiser. At present, there is no insurance product for cloud providers to transfer this risk, given the risk aggregations involved.

“The potential losses for a cloud vendor that has thousands of clients whose businesses may be interrupted has thus far deterred insurers and reinsurers from absorbing this risk,” said Mr. Heiser, “but I believe this is a big opportunity for the industry.”

There is, however, a robust cyber insurance market to transfer first-party and third-party cloud-based data-breach losses, as well as business interruption and other financial exposures. The market has matured in the past five years to the point where several insurers offer free breach notification and credit monitoring of victims, Mr. Parisi said. The cost, meanwhile, is down about 20% over the last five years for roughly commensurate coverage terms, conditions and financial limits, according to Mr. Parisi.

Mr. Navetta, who formerly worked in the legal department of American International Group Inc., said cyber insurance is a valuable asset for companies migrating IT systems to the cloud.

“There is more competition and better pricing,” he said. “If risk managers haven't looked at this, the time to do that is now.”