As this seems to be a topical subject, and as some of my clients have had cybersecurity issues with their cloud service providers, I thought I would share some hopefully objective views. The first thing to state is that I have no current or historical problems with any cloud provider or company that is mentioned. I’m trying to keep this light and short, so I won’t drill down to the next level of detail. Any comments and views are gratefully received.

Recently there have been incidents where clients experienced cybersecurity breaches while their data was stored with a cloud provider. In these instances, the cloud provider seems to have taken no responsibility, as the onus is on the client. My logic is that as a cloud provider, if you admit your cloud is susceptible to cyber breaches, then you will lose business and your share price is affected, so as a cloud provider the last thing you want to admit is any vulnerability.

Whilst my work is primarily involved with how best to reduce the risk before, and the impact after, a cybersecurity event, client engagements often start during an event or while planning the remediation after one has occurred. A common thread that repeats itself continually is when the conversation turns to what the client is doing operationally with cloud and, more specifically:

  • the services they have contracted
  • the support they expected from the cloud service provider
  • the maturity of the relationship and engagement with the cloud provider
  • confirming what data has been compromised
  • what are the next steps of action?
  • what cover is provided by their insurance?
  • how much is this going to cost? and
  • do we still have a business?

While many people will think the answers to some of these questions should be readily available, sadly, this is where there is often confusion within the client, with multiple conflicting answers and views.

I often find there are assumptions on the client side that if they do experience a cybersecurity event with a loss of data or service, their cloud service providers will send an army of subject matter experts to resolve the issue and get everything back to normal. When this does not happen, and they find out, for example, that they have contracted a service level of 5 days to provide full backup recovery or 15 days to provide logs, there is a quick realisation that they are on their own and that they do not have control of, or access to, all the information they want, because they are dependent on external parties. The cloud service providers are entirely within their rights to stick to the contracted service levels, and under the circumstances it is a bit unfair to get upset with them when the expected service level is higher than what has been contracted for; I know that sometimes providers do help clients free of charge.

In today’s world of regulatory compliance, with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the consequences of a cyber breach for any company can be extremely damaging, not only financially but reputationally as well. If an airline kept having its planes crash, chances are you would want to fly with another airline no matter how cheap the ticket is, and the same goes for a company that keeps having cybersecurity breaches in which client data is stolen. Would you still want to be doing business with them?

An area that needs more attention is the responsibility for, and safeguarding of, client data by cloud companies. If a company places its data in the cloud, directly with a cloud service provider or through a 3rd party vendor, and there is subsequently a cybersecurity event, a regulatory body might decide its rules or guidelines have been broken, and it is the company that will pay any regulatory fines, not the cloud provider or the 3rd party.

The reason you place items of value with another party is trust. I trust my bank to look after my money, and even if it is robbed I will suffer no loss, as the bank has taken all the necessary steps to protect and guarantee my money. Conversely, if a company places data with a cloud provider and that data is stolen or made inaccessible, resulting in a regulatory fine, the fine will not be shared with or passed to the cloud provider; the company that owns the data will receive the penalty and any reputational damage. I do not have a problem with this approach, as, like a bank, you need to protect your own and your customers’ data. The downside, however, is that whoever gets the fine gets the majority, if not all, of the reputational damage and associated costs, even though they may not be at fault for the cyber event, whereas the cloud providers have absolved themselves of any responsibility by successfully protecting themselves financially and contractually. I think there is some moral obligation here: just because the cloud provider does not have to maintain a client’s firewall does not mean the cloud vendors should not share some responsibility. This could be done by building a health check into their cost model and being a bit more proactive, because if a hacker gets into a cloud provider’s estate, chances are they can gain access to other cloud tenants’ data.

Cybersecurity attacks and breaches are here to stay. We have all seen, or know, the costs of a cybersecurity breach to a company. We read that regulatory fines are hitting levels never seen before, and a company can only cover so much expense through cybersecurity insurance. If there is no financial recourse through a cloud provider, then companies have to cover all the costs of returning to business as usual, or go out of business.

Companies need to expand their thinking and engage the Board and executive committee: not just ask for budget approval, but actively discuss what data types will be stored in the cloud, agree on a different set of guidelines for measuring risk when looking to use the cloud, and look at the possible post-breach implications, all of which have an impact on revenue, reputational risk, equity value, fines, insurance premiums, the rate at which capital can be borrowed, etc.

I also think there needs to be a change in thinking about how client data is stored and protected. Companies seem to put a lower importance or value on their customers’ data and are happy to retain it on the cheapest platform available. Whilst I am not saying it should not be kept in the cloud, customers’ data should receive the same priority, and the same protective spend, as any mission-critical application.

Some points to consider

Do the contracted cloud services meet or align with the business needs and strategy? | Even if the answer is yes, it is always good to have regular review meetings.

Do you know physically where your data in the cloud is stored? | If it is out of the country or region of operation, you might be breaking regulatory compliance laws.

Can you pick up the phone to a senior person in a vendor and get help for a cyber event? | If you cannot, arrange a meeting and start a relationship with your cloud provider.

Are your operational and risk management frameworks up to date? | If not, bring them up to date and keep them up to date; it is not a one-time event.

Are you able to share the cost of a regulatory fine with your cloud provider if a cybersecurity breach happens in their data centre? | It is worth opening up a discussion and understanding what indemnity you are offered before you place more business with your current cloud provider.

Have you run any scenarios or playbooks for a cloud cyber breach internally with your cloud provider? | Running scenarios is good practice and educates your team and vendor to your business priorities.

Are your cloud recovery point objectives (RPO) and recovery time objectives (RTO) achievable? | Test your RPO and RTO using an external auditor, reporting the findings to the Board.

What is your plan if your cloud provider suffers a massive cybersecurity breach? | Could you keep the company trading with the IT infrastructure at your disposal?

Have you considered the post-breach implications? | Reputational risk, equity value, fines, insurance premiums, an increase in the rate to borrow capital, etc.
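As an added illustration (my own example, not part of the article above and not any provider’s contract model), the following Python check turns several of the questions above into a structured comparison between contracted service levels and the business’s own recovery requirements. It flags a contract whose restore SLA exceeds the RTO, whose backup interval exceeds the RPO, whose log delivery SLA is slower than incident response needs, whose data regions fall outside the allowed list, or which offers no breach indemnity. The contract figures and requirement values are constructed sample data; the 5-day backup recovery and 15-day log delivery levels are the ones mentioned earlier in the article.

```python
"""Gap check between contracted cloud service levels and business recovery
requirements. Added example; every figure below is a constructed sample."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

HOURS_PER_DAY = 24


@dataclass(frozen=True)
class ContractTerms:
    """Service levels as written in the (hypothetical) cloud contract."""
    provider: str
    restore_sla_hours: float        # time the provider has to deliver full backup recovery
    log_delivery_sla_hours: float   # time the provider has to hand over logs on request
    backup_interval_hours: float    # how often backups are taken (worst-case data loss)
    data_regions: Tuple[str, ...]   # regions where the provider may store the data
    breach_indemnity: bool          # whether fines/costs from a provider-side breach are shared


@dataclass(frozen=True)
class BusinessRequirements:
    """What the business actually needs, agreed with the Board."""
    rto_hours: float                # recovery time objective
    rpo_hours: float                # recovery point objective (acceptable data loss)
    log_access_hours: float         # how quickly IR needs logs to scope a breach
    allowed_regions: FrozenSet[str] # regions permitted by regulatory/residency rules


def find_gaps(contract: ContractTerms, reqs: BusinessRequirements) -> List[Dict[str, str]]:
    """Return one entry per mismatch between the contract and the requirements."""
    gaps: List[Dict[str, str]] = []
    if contract.restore_sla_hours > reqs.rto_hours:
        gaps.append({"check": "rto", "detail": (
            f"restore SLA {contract.restore_sla_hours}h exceeds RTO {reqs.rto_hours}h")})
    if contract.backup_interval_hours > reqs.rpo_hours:
        gaps.append({"check": "rpo", "detail": (
            f"backup interval {contract.backup_interval_hours}h exceeds RPO {reqs.rpo_hours}h")})
    if contract.log_delivery_sla_hours > reqs.log_access_hours:
        gaps.append({"check": "log_access", "detail": (
            f"log delivery SLA {contract.log_delivery_sla_hours}h exceeds "
            f"incident-response need of {reqs.log_access_hours}h")})
    disallowed = sorted(r for r in contract.data_regions if r not in reqs.allowed_regions)
    if disallowed:
        gaps.append({"check": "data_residency", "detail": (
            f"data may be stored in non-permitted regions: {', '.join(disallowed)}")})
    if not contract.breach_indemnity:
        gaps.append({"check": "indemnity", "detail": (
            "no contractual sharing of fines or costs for a provider-side breach")})
    return gaps


# Constructed sample contract: 5 days to restore, 15 days to deliver logs,
# daily backups, data replicated to a region outside the allowed list, no indemnity.
SAMPLE_CONTRACT = ContractTerms(
    provider="ExampleCloud (hypothetical)",
    restore_sla_hours=5 * HOURS_PER_DAY,
    log_delivery_sla_hours=15 * HOURS_PER_DAY,
    backup_interval_hours=24,
    data_regions=("eu-west-1", "us-east-1"),
    breach_indemnity=False,
)

# Constructed sample requirements: back in business within a day, lose at most
# 4 hours of data, logs within a day, EU-only residency.
SAMPLE_REQUIREMENTS = BusinessRequirements(
    rto_hours=24,
    rpo_hours=4,
    log_access_hours=24,
    allowed_regions=frozenset({"eu-west-1", "eu-central-1"}),
)

# A contract that would satisfy the same requirements, for comparison.
COMPLIANT_CONTRACT = ContractTerms(
    provider="ExampleCloud premium tier (hypothetical)",
    restore_sla_hours=8,
    log_delivery_sla_hours=12,
    backup_interval_hours=1,
    data_regions=("eu-west-1",),
    breach_indemnity=True,
)

if __name__ == "__main__":
    for contract in (SAMPLE_CONTRACT, COMPLIANT_CONTRACT):
        found = find_gaps(contract, SAMPLE_REQUIREMENTS)
        print(f"{contract.provider}: {len(found)} gap(s)")
        for gap in found:
            print(f"  [{gap['check']}] {gap['detail']}")
```

The value of running a check like this before a renewal, rather than after an incident, is that each gap becomes a specific question for the provider or the Board (accept the risk, buy a higher tier, or change the requirement), instead of the post-breach discovery the article describes.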

Steve West, COO