Cloud computing enables organizations to outsource database or software hosting to a third party and provides a cost effective alternative to purchasing and/or developing internal infrastructure or software. The ability to remotely store and process data enables companies to achieve economies of scale, reduce spending on technology infrastructure, reduce capital costs, streamline processes, and improve accessibility among other benefits.
Few would argue the technology provides significant benefits for most businesses. These benefits, however, come with a degree of risk. Some of the risks include data privacy (no longer having control of who is looking at your data), data security (data stored on the Internet is vulnerable to cyber-attacks), insider threats (employee access to data on the cloud), government intrusions (NSA, need we say more?), and legal liability among others.
But even with these risks, the benefits appear to be hard to resist for more and more organizations. In fact, according to a 2013 Advisen survey of risk managers, insurance buyers and other risk professionals, for the first time in the three year history of the survey, a majority (55 percent) of organizations now claim to utilize cloud services.
The risks associated with the Cloud are still evolving and to date there have been relatively few lawsuits surrounding its use. However, its increased adoption coupled with an upward trend in overall cyber litigation makes it likely that this will change in the coming years. This week’s data spotlight provides a high level overview of the litigation trends surrounding cloud computing.
Crosshead: Case Count Over Time
According to the Advisen survey of risk managers, assessing the vulnerabilities from cloud service providers is increasingly a part of corporate data security risk management programs. This is likely in part due to the increased uptake of the technology, but is also a result of increased risk awareness. Although Advisen’s Loss Insights Database has tracked just thirty-six cases involving cloud computing since 2009, the number of cases has increased dramatically over the previous two years which is likely contributing to the greater awareness of cloud computing risks.
Crosshead: Case Type Composition
Cloud computing cases are a subset of all the cyber-related cases tracked by Advisen. Interestingly, the distribution of this subset by event type has a similar composition to that experienced by all cases. As illustrated in the chart below, ‘Digital Data Breach, Loss, or theft’ and ‘System/Network Security Violation or Disruption’ represents the vast majority of cases involving the Cloud.
Advisen Defines:
Digital Data Breach, Loss or Theft as a Digital breach, distribution, loss, disposal, or theft of personal confidential information, either intentionally or by mistake, in such a way to enable the information to be used or misused by another.
System/Network Security Violation or Disruption unauthorized use of or access to a computer or network, or interference with the operation of same, including virus, worm, malware, digital denial of service (DDOS), etc.
Crosshead: Case Count by Industry
No industry is immune to a cyber-event, but some, based on the nature of their business, are more susceptible than others. In a Data Spotlight from last month, “The Cyber Claims Landscape,” it was shown that the services sector (e.g. healthcare, education, hospitality etc.) experiences the most cyber-events according to Advisen data. This trend appears to hold true with regards to the events involving Cloud Computing. Because these companies typically collect and store vast amounts of valuable personal identifiable information (PII), they are highly attractive targets regardless of where the data is stored.