If you’re a risk manager taking on greater responsibility for cyber risk management, I think you’ll benefit from reading this helpful primer on “Negotiating Cloud Contracts.” Even if you’re not negotiating new cloud agreements at this time, the article will help you understand some of the key concerns inherent in cloud-based business solutions.
Many of the points made by the authors of “Negotiating Cloud Contracts” (it was written by three lawyers from the firm of Morrison & Foerster) echo important concerns that I frequently talk about with risk, insurance and safety managers. I’d like to discuss a few of those topics in this blog.
- In their article, the Morrison & Foerster lawyers discuss seven “key issues that recur in cloud contract negotiations.” At the top of their list is:
Customer control and visibility over subcontracting: there is a general reluctance of providers to allow approval over, or even to identify, subcontractors.
The issue of customer control and visibility is something I’ve been bringing up since I joined Ventiv in 2009. To build on a theme I developed in a June blog post, I think the typical organization’s most significant cyber risks and exposures lie not only with third-party providers, but also with the fourth- and possibly fifth-party providers often hidden behind the third party.
In the vast majority of cases, it’s simply impossible to know what a fourth and fifth party’s policies, procedures and controls are with regard to data access and security. You can’t know who these multi-party subcontractors are and where they fit into the technology architecture set up by your third-party provider. As the commodity cloud continues to evolve, it’s critical to dig into third parties and determine if additional risks exist with fourth, fifth or more parties involved in what appears to be a single solution.
- On the topic of privacy and security, it’s worth quoting the Morrison & Foerster article at length:
The conjoined issues of privacy and security remain center stage in most cloud contract negotiations. The key issues typically are who is responsible for data security and how obligations should be allocated between service provider and customer…. It is worth understanding the exact commercial and legal implications of a provider that commits only to be responsible for the “security of our network” and expects its customer to be responsible for the “security of its data.” Typically, of course, providers are more willing to take responsibility for the integrity of their networks, while attempting to steer clear of obligations in relation to data. [emphasis added]
Risk managers are well advised to consider the implications of cloud providers who “attempt to steer clear of obligations in relation to data.” These implications, however, are not an issue with all cloud providers; Ventiv Technology provides its enterprise risk management solutions over its own fully owned, staffed and managed cloud-computing infrastructure, serving only the risk, insurance and safety management community, resulting in unmatched levels of security, transparency and accountability.
- The Morrison & Foerster lawyers assert that they have “experienced greater negotiability compared to 18 months ago, and we anticipate that trend continuing in the future.” The authors concede, however, that there is no room for negotiation around the factors that, I would argue, go directly to the crucial issue of privacy and security:
Technical areas, such as the variability of service elements that depend on specific data center features, do not lend themselves to negotiation because the shared service nature of cloud facilities limits the ability of providers to agree on changes in those areas.
I don’t know which “specific data center features” the writers mean, but I think the reason such features are non-negotiable is because for most cloud providers, their business model is based on outsourcing IT infrastructure, data loading and conversion, development, quality assurance and other functions (those fourth and fifth parties referred to in the first point, above). As a result, customers will never know where their data is, in whose possession it resides, and what policies and procedures apply to their data.
Back in June, I blogged on the subject of “Understanding and mitigating cyber risk: Where do risk managers start?” I concluded by saying that for many (if not most) organizations, one of the greatest sources of cyber risk lies with third, fourth- and/or fifth-party, cloud-based providers of business solutions. The more we learn about cyber risk and cloud computing, the more I think that analysis holds true.
David Black is chief information security officer at Ventiv Technology. Contact David at david.black@ventivtech.com.
