Are Cloud Companies in Denial About Risk?
A little more than two years ago I wrote an article for BusinessWeek about a prediction by the analyst Mark Anderson about the potential for a catastrophe in the cloud. It’s only a matter of time, Anderson argued, before something goes terribly wrong with the entire notion of cloud computing, something so bad–a service would go down or a nasty hacker attack would expose or destroy data–that those more careful CIOs who resisted the cloud would end up looking smart.
It hasn’t happened yet, but Drew Bartkiewicz read it and became rather taken by the idea–so much so that he registered the Web domain name cloudcatastrophe.com. Once a regional sales manager for Salesforce.com, he had already drunk deep of the Cloud Kool-Aid. By the time he registered the domain, though, he was working in the insurance industry underwriting insurance policies for technology companies as vice president for cyber and information security risks at The Hartford.
His unique job history has led him to start asking fundamental questions about cloud computing and its business models that should, if nothing else, give some potential cloud customers pause and nudge cloud service providers–as varied as Salesforce, Amazon Web Services, Microsoft Azure and the like–to think about something they rarely talk about: Risk.
Don’t confuse this with security. Talk to the executive of any cloud provider, as I did recently with Adam Selipsky of Amazon, and you quickly find out that cloud providers take security seriously and they mean it, because without it they’re out of business.
Rather, the question is this: If a cloud catastrophe happens–critical, financially valuable data is breached or exposed or destroyed on a large scale–who’s financially liable for the damage to the customer’s business? Is it the cloud provider, who agreed to manage the data on behalf of the customer? Or is cloud computing still a use-at-your-own-risk sort of thing? The answer is, there is no clear answer. Bartkiewicz thinks the cloud computing industry will have to start answering it, and soon.
Bartkiewicz recently launched a new company called CyberFactors that aims to do two things. First, it evaluates cloud providers for the risk they assume based on the amount of data they manage. Second, the firm helps develop warranties that cloud providers can offer to their customers and cloud policies for insurers so that both sides of the cloud relationship can be prepared for the worst. I caught up with him last week after he spoke at the Cloud Connect conference in Santa Clara, CA.
NewEnterprise: In a nutshell, what do you think is wrong with the cloud computing business models that are so popular and winning over so many customers?
Bartkiewicz: I’m an old Salesforce guy, so I was a big believer in the cloud, and then I got involved underwriting technology risk for insurance companies. I started to see some very interesting patterns emerge. The cost of failure is going up. So is the number of data breaches, and so are the laws imposing regulation on companies that handle data. Cloud computing companies are not being required to address in their models the implied financial liabilities they have on their balance sheet.
So where’s the implied risk you’re talking about?
If you take 100,000 customers of cloud computing companies, each is going to value their data in very different ways. Some use the cloud merely to track sales leads, others use it for trade secrets. Still others have identifying information on their customers. If a cloud company were to wind up suffering a catastrophic breach it would be in the long-term position of arguing with the customer over the value of the data compromised. The end result is a tremendous off-balance sheet liability, and shareholders and analysts who follow these companies aren’t connecting the dots. They need to be asking tough questions about this.
So where do you come into the picture?
Right now the thinking among the cloud companies is that any problem created by technology can be solved by more technology. They talk a lot about security, and they’re serious, but this isn’t a security issue. There’s not an industry in the world that doesn’t disperse risk through the means of insurance. I don’t mean to suggest that the cloud companies need to get insurance. What I mean is that they need to make insurance easy to get and affordable for their customers.
Wouldn’t something like risk be covered in a service-level agreement?
Right now the norm is that cloud companies cap their indemnification at the value of the contract. So if you spend $10,000 a year on a cloud application, the maximum you can get in the case of a breach is $10,000. But the data in question could be worth many times that. The average cyber-incident in our models costs $4.5 million.
And what does CyberFactors actually do?
It’s a risk quantification tool. Companies that have cyber risk on their books today, whether or not it’s in the cloud, can make better informed transactions with cloud companies. Companies who use cloud computing need to know who absorbs the cost to fail, given the cost to fail is going up. There is a record number of class action lawsuits over privacy breaches, and regulators are imposing a lot of costs that result from a breach that have to be absorbed. This is a global problem in terms of data liability. Second, we have a platform called Cloudinsure.com that tries to “mash” cloud computing with insurance. Cloud computing needs massive risk transfer in order to save itself from itself.
So what companies are you working with?
I can’t say, but I can say we’re working with two cloud companies right now to help them design warranties. We just launched the company. And if a cloud has too much risk, and the warranty approach doesn’t make sense, we can also design insurance policies and then bring in the insurance companies to help back it.
What do the cloud companies think of this? Have you taken the idea to them?
I brought this concept to a cloud company. When I told them they need to disperse their risk, they said it would slow down the sales cycle. It was quite telling because the number one growth pattern for companies right now is denial.