If you’re a risk manager taking on greater responsibility for cyber risk management, I think you’ll benefit from reading this helpful primer on “Negotiating Cloud Contracts.” Even if you’re not negotiating new cloud agreements at this time, the article will help you understand some of the key concerns inherent in cloud-based business solutions.
Many of the points made by the authors of “Negotiating Cloud Contracts” (it was written by three lawyers from the firm of Morrison & Foerster) echo important concerns that I frequently talk about with risk, insurance and safety managers. I’d like to discuss a few of those topics in this blog.
Customer control and visibility over subcontracting: there is a general reluctance of providers to allow approval over, or even to identify, subcontractors.
The issue of customer control and visibility is something I’ve been bringing up since I joined Ventiv in 2009. To build on a theme I developed in a June blog post, I think the typical organization’s most significant cyber risks and exposures lie not only with third-party providers, but also with the fourth- and possibly fifth-party providers often hidden behind the third party.
In the vast majority of cases, it's simply impossible to know what a fourth- or fifth-party provider's policies, procedures and controls are with regard to data access and security. You can't know who these downstream subcontractors are or where they fit into the technology architecture set up by your third-party provider. As the commodity cloud continues to evolve, it's critical to dig into third parties and determine whether additional risks exist with fourth, fifth or more parties involved in what appears to be a single solution. At a minimum, the contract should require the provider to disclose its subcontractors, to notify you before adding or replacing one, and to flow the same security obligations down to each of them.
The conjoined issues of privacy and security remain center stage in most cloud contract negotiations. The key issues typically are who is responsible for data security and how obligations should be allocated between service provider and customer…. It is worth understanding the exact commercial and legal implications of a provider that commits only to be responsible for the “security of our network” and expects its customer to be responsible for the “security of its data.” Typically, of course, providers are more willing to take responsibility for the integrity of their networks, while attempting to steer clear of obligations in relation to data. [emphasis added]
Risk managers are well advised to consider the implications of cloud providers who "attempt to steer clear of obligations in relation to data." These implications do not apply to every cloud provider, however; Ventiv Technology provides its technology solutions over its own fully owned, staffed and managed cloud-computing infrastructure, serving only the risk, insurance and safety management community, which gives customers a single accountable party for the security of both the network and the data.
Technical areas, such as the variability of service elements that depend on specific data center features, do not lend themselves to negotiation because the shared service nature of cloud facilities limits the ability of providers to agree on changes in those areas.
I don't know which "specific data center features" the writers mean, but I think the reason such features are non-negotiable is that for most cloud providers, the business model is based on outsourcing IT infrastructure, data loading and conversion, development, quality assurance and other functions (to those fourth and fifth parties referred to in the first point, above). As a result, customers may never know where their data is, in whose possession it resides, or what policies and procedures apply to it.
Back in June, I blogged on the subject of "Understanding and mitigating cyber risk: Where do risk managers start?" I concluded by saying that for many (if not most) organizations, one of the greatest sources of cyber risk lies with third-, fourth- and/or fifth-party, cloud-based providers of business solutions. The more we learn about cyber risk and cloud computing, the more I think that analysis holds true.
David Black is chief information security officer at Ventiv Technology. Contact David at firstname.lastname@example.org.
Jan 14, 2015 | Originally posted on