<img src="https://ws.zoominfo.com/pixel/kZxG1sNctrruFoZSPoVD" width="1" height="1" style="display: none;">

Risk managers getting savvy about cloud computing, cyber risk and security

describe the image

At the REBEX 2012 Regional Risk Management Conference and Exhibition in September, I had the pleasure of leading a session called “Successful Cloud Implementations in Regulated Risk and Insurance Environments.” Organized by the Chicago chapter and the Wisconsin chapter of the Risk & Insurance Management Society, REBEX 2012 drew about 300 attendees.

I enjoy preparing and leading sessions at events like REBEX for many reasons, but what has stuck in my mind since September 20 was the way the 20 or so attendees really zeroed in on what I think are the two key topics risk managers need to be aware of as they contemplate their organization's cloud strategies.

Had I hosted this session a year ago, I think it's safe to say that fewer risk managers would have been familiar with these topics; in September, however, it struck me that risk managers have become quite savvy in grasping the importance making informed cloud-services decisions.

The first topic that generated a lot of discussion was on insurance coverage and contractual controls related to an organization's engagements with third-party cloud providers.

It's an easily overlooked fact, but risk managers have increasing responsibility for the exposures inherent whenever any of their company's data moves to the cloud. Put simply, if a company's finance, human resources or another department moves some or all of its data to a third-party cloud provider, risk managers have responsibility for the associated cyber risks. This article from February 2012, written by an attorney practicing in insurance coverage matters, is accessible, comprehensive and written for account managers.

As risk managers have become more aware of cyber risks across their organizations, I think risk managers have become more aware of the particular cyber risks that apply to the risk and risk-related data that they manage. Whether we're talking about finance, HR or claims data, risk managers are becoming more aware all the time of the importance of asking the hard questions of their providers, like: Where, exactly, is my organization's data being stored? Who has access to my data? What type of business coverage do I need? What type of coverage should my cloud provider have?

I approached my session at REBEX 2012 not as a cloud provider or as a CIO, but rather, by focusing on what I take to be the key issues in selecting a cloud provider and then effectively working with your organization's procurement department, IT group and legal team for a successful relationship with that provider(s).

I think the attendees were a little surprised that I didn't give a thinly veiled product pitch or technology lecture, but the fact that there was a high level of engagement and questions asked tells me I had the right approach. I left Chicago pleased that the REBEX attendees seemed to have gotten some useful insights from the session.

Now, in the spirit of full disclosure, of course I'd like to see risk managers choose Aon's cloud services; however, for the last couple of years, I've been working hard to make the case that the most important thing a risk manager can do when choosing or evaluating a cloud provider is weigh the risks and, after asking the right questions, choose the cloud partner that the risk manager is sure is doing what's needed to manage the organization's data appropriately.

When it comes to security, compliance, accountability and other key factors, I think the cloud industry is shifting (subtly, but shifting nonetheless) in a direction that better addresses some of the risks of third-party hosting. I'd like to make that the topic of my next post.


Paul Holden is an insurance-technology veteran with extensive experience at leading third-party administrators, brings more than 20 years of IT-strategy leadership to his role as chief information officer and managing director of Aon eSolutions (Atlanta, Ga.), the technology solutions business of Aon plc.

Connect with Paul: Email | LinkedIn

RMIS Guide

Nov 15, 2012

 | Originally posted on 

Subscribe by Email