By mid-2013 – meaning now — cloud computing will be in use by about 80 percent of about 600 companies with at least 500 employees each, according to a 2012 TNS Infratest survey. The trend is undeniable: Data management and storage are moving offsite to cloud computing vendors on a vast scale.
Touting cloud computing as a way to eliminate the costs of buying and maintaining on-site information-technology assets, vendors offer it in the form of software as a service (SAAS), a distribution model in which software applications are delivered to clients over a web-based network.
Offered in comprehensive, fully-integrated form, SAAS can serve the needs of entire companies through huge, web-based platforms. As cloud computing rapidly becomes the delivery channel for software developers of all shapes and sizes to get their products to market, offering applications in a cloud is now the rule, not the exception.
A relatively small number of vendors have the service capacity to offer SaaS to big companies that want company-wide cloud computing. The barriers to entry are formidable; only the best-capitalized vendors need apply. Although market-share statistics are hard to come by, the list of companies large enough to offer cloud computing on this scale is short: Microsoft, Amazon, Google, Salesforce, Rackspace and not many others.
The concentration of data and virtual computing in the hands of relatively few vendors raises an important risk for their clients. If the Internet-based systems of any one vendor are hacked, the result could be security breaches and invasions of privacy across entire industries in which their clients do business, creating liabilities on an almost unthinkable scale.
Can this small cadre of cloud-computing vendors adequately respond to the needs of their clients to quickly fix such a breach, restore services and, most importantly, cut off the damage to these clients’ own customers?
Can the balance sheet of any one of these vendors protect its clients from such losses and liabilities?
Could a company like Microsoft eliminate the risk of a virus being planted by a hacker in its Azure cloud computing product?
If it can’t, will its balance sheet – as vast as it is – be enough to protect its clients against wholesale desertion by their customers?
Don’t think such things can’t happen. If hackers can penetrate the Department of Defense, the risk that they will penetrate Microsoft or Google cannot be ruled out. Compromise of just one of these vendors – even one with a modest market share – conceivably could shut down, at least temporarily, a sizable slice of the U.S. economy.
Risk Aggregation
With such potential losses at stake, corporations are bound to think about hedging their exposures via cyber insurance. Yet even as insurance companies rush to meet the demand for cyber loss and liability insurance products, they worry about aggregation, the excessive exposure of a single insurer to a single catastrophic event, as Erich Bublitz recently pointed out in Carrier Management.
If the catastrophic event is a breakdown in just one of the handful of large cloud-computing vendors serving Corporate America, it is likely that no single cyber insurance tower could fully protect all of its clients.
A vendor would have to buy staggering amounts of insurance limits to cover all data security and privacy liability exposure to its customers. Cyber insurers and reinsurers worry about aggregation because a single catastrophic cyber breach at a single cloud-computing vendor could wipe out an entire tower (a layer of coverage above a company’s primary insurance policy) of cyber coverage, much like a superstorm can wipe out a whole region in its wake.
