Top Financial Risks of Doing Business in the Cloud

Cloud computing definitely has upside as adopters can speed delivery of analytics, gain flexibility in deployments and costs, and transfer IT headaches to another company.

Cloud computing definitely has upside as adopters can speed delivery of analytics, gain flexibility in deployments and costs, and transfer IT headaches to another company. However, with all the advantages of cloud, it’s important to keep in mind there are financial risks to cloud computing including potential costs from lawsuits and reputational damage from cloud provider security/privacy data breaches, and possible revenue losses from cloud provider downtime/outages.

For any type of business decision, there are various risks that should be considered– strategic, operational, financial, compliance and reputational (brand).  These risks should also be criteria for any decision to move workloads to cloud computing. However, for sake of discussion, let’s focus on financial risk.

First, for cloud computing there are financial risks in terms of potential data or privacy loss, especially in complex multi-tenant environments.  If there are data breaches of unencrypted personally identifiable information (PII), many US states have laws that require consumer notification. Companies accused of data breach also typically provide consumer credit monitoring services for up to one year. One research firm estimates total costs due to a data breach average $7.2 million (USD).  In addition, such breaches may open up companies to class action lawsuits that could total millions more in damages. 

To mitigate risks of data loss or privacy breach, cloud providers do everything in their power to safeguard data including: server hardening, user provisioning and access controls, enforcement of policies for passwords and data privacy, monitoring/logging for intrusion detection, self-auditing, third party security audits (when specified), mandatory training for personnel and in some cases encryption of tables and/or columns.

And while in many cases the above practices are more robust in public cloud computing environments than in most corporate data centers, there are still lagging trust concerns of possible cloud data loss or privacy breach. Perhaps this is why, at least for the next 2-3 years, companies will increasingly choose private cloud over public cloud environments.

To mitigate financial risks some companies seek indemnification where the cloud provider agrees to take on or share liability of security breach including costs associated a breach. However, cloud financial indemnifications are extremely rare, and even if offered, the risk associated with such breaches is often transferred to insurance companies via purchase of cyber insurance. And of course, such insurance costs will be baked into cloud service fees.

Other financial risks for companies doing business in the cloud include loss of revenues if there are significant availability issues. If cloud environments are down for hours or days, this could adversely impact a business’ ability to perform analytics or reporting and thus may affect revenue opportunities. To offset possible lost revenues, most cloud providers will sign up for availability SLAs and associated penalties (usually redeemable as service credits).

Cloud computing has so much upside, that it’s very easy for business managers to declare “all things must be cloud”.  That’s well and good, but one must also carefully consider cloud risks. And while risk cannot be eliminated, it can surely be mitigated with proper planning and execution when things go wrong.

Companies considering cloud computing must remember that just like in outsourcing, there’s no such thing as transference of responsibility. In moving workloads to the cloud, carefully document upsides and downsides, examine your decisions in terms of risk (including financial ones), and then make the best decision possible for your particular organization.

Questions:

• This article speaks to financial risks for cloud computing in terms of access and availability. There are certainly more including project cost overruns for cloud deployment and data quality (completeness/accuracy).  What others can you think of?