Cyber has been a focal point for many, if not all, companies across various industries in recent years. It’s an unavoidable part of business, and organizations are constantly striving to manage their own cybersecurity by mitigating any risks associated with it. As I navigate cyber liability renewals with my clients, one thing has become abundantly clear – there is a common misconception that working with an IT cloud provider transfers the business’ cyber liability risk to the IT provider. Unfortunately, this is usually not the case, and it may leave a business more vulnerable to cyber-attacks.

Utilizing a cloud provider may initially seem like a win-win scenario for a business, offering cost savings and preserving resources. However, businesses need to consider the inherent risks associated with using cloud providers. A false sense of security can arise when opting to use an IT cloud provider to handle and store sensitive data. So, what should a business consider when working with a cloud provider, and how can this impact their cyber liability coverage? Here are some important considerations:

  1. The cloud Service-Level Agreement (SLA) establishes the responsibilities of both parties, including liability and indemnification. Does the cloud provider agree to indemnify the customer in the event of a data breach? A business should always assume it remains ultimately responsible for its data, no matter where it is stored. Many SLAs explicitly state what they won’t cover regarding third-party cyber breaches.
  2. Always inquire about the security measures the cloud provider has in place. A business will automatically adopt whatever risks are associated with the cloud provider. Be aware that the cloud provider may charge additional fees for heightened security controls.
  3. The cloud is ultimately accessible to everyone who uses it, which can increase exposure to risks due to the vast number of users. If the cloud lacks proper security controls or knowledgeable employees, weaknesses may emerge, leading to a potential cyber breach.
  4. Does the customer’s critical response plan align with the cloud provider’s critical response plan? If the two aren’t cohesive, they may be useless during a cyber-attack. A business should always coordinate with its IT provider to ensure alignment of their plans in the event of a cyber-attack or IT system disruption.
  5. A business can jeopardize coverage of its cyber claims if it unknowingly misrepresents its cyber controls on the cyber liability application.

Ultimately, there are several factors to consider when deciding whether a cloud provider is the right solution for your business. The most crucial takeaway is that a business is never fully absolved of its liability when opting to have a third party manage its data and IT systems.

If you’re unsure how your cloud provider stacks up, our cybersecurity consultants can help! Please reach out to your MMA team to learn more.
