Cloud risk and compliance

Chapter summary

IT system failings, power cuts, insider fraud, cyber attacks from criminal gangs and hostile states… the list of risks facing companies is a long one. Failure to comply with legal and regulatory requirements is another major risk, the consequences of which, in terms of fines and other penalties imposed by the authorities, can be far worse than the harm caused other operational risk loss events.
 

Understand the operational and compliance risks of outsourcing

Moving services to the cloud transfers some of the risk management duties to the third party cloud service provider (CSP), but it is only the management of the risks that is transferred; accountability for the actual risks still resides with the company, not the CSP. The company’s operational risk management framework must therefore take account of the special situations arising from cloud service adoption. An important element of the framework should be to classify the information assets – such as intellectual property, customer databases and financial information – so the risks to them can be managed; to include in the contract a right to audit the cloud environment; an exit strategy, with associated contractual conditions in place; a business continuity plan covering the full scope of the cloud service; IT service management procedures and controls; and a redesigned operating model to ensure the right team structure and capabilities are in place to manage the cloud services.

Cyber security

Cyber risk deserves special attention. Security must be tight. The risk of intruders gaining access to IT systems on the internet, and even to closed systems, has forced organisations to improve security. Yet attacks keep coming and corporate defences are breached with depressing regularity. Companies need to be aware of the overall cyber threats facing them, what specific threats could materialise when they move to the cloud and the additional security measures that should be taken. They also need to assess the cloud provider’s cyber security procedures to make sure they meet the customer’s needs.

Legal and regulatory compliance

Complying with national laws and regulations on data is a problem that must be addressed. Who owns the data? In which countries should the data be stored? Who is permitted to access the data stored in another country? Data hosted on cloud services and other internet platforms is subject to the laws and regulations of the country where the data is stored. The European Union also has rules that apply to data held outside its territory. The General Data Protection Regulation (GDPR), which came into effect in May 2018, is designed to improve data protection for EU citizens whose data is collected, stored and processed by organisations; but the regulation’s scope extends to companies using servers outside the EU, if those servers hold data on EU citizens. The full implications of GDPR must be understood.

Read the full chapter

Key recommendations

1. A risk management framework within the organisation should be created for the cloud. It is essential to understand the operational and compliance risks of outsourcing.
2. Plotting a route through all the risks and regulatory complexities will ensure the company gets the benefits it set out to get from the cloud.
3. Proper due diligence should be standard for any outsourcing initiative to understand the key risks and embed controls into the contract. Supplier risk has to be factored into the equation.
4. The risk of intruders gaining access to IT systems has forced organisations to improve security. Cyber risk deserves special attention. Security must be tight.
5. Complying with national laws and regulations on data is a thorny problem that must be addressed and the full implications of GDPR must be understood and adhered to.