Cloud buying decisions are multi-dimensional. Cost and capability rank high, but there are also concerns about lock-in and that very broad category called Risk. For sure, a reliance on IaaS / SaaS brings many benefits, but it also increases risk. Despite having availability rates and security controls orders of magnitude greater than nearly any corporate datacentre, cloud platforms do fail, and they will be breached. The fewer providers there are, the greater the potential impact, because each one concentrates a large number of customers. Be in no doubt: any firm or organisation that runs the bulk of its IT in the cloud is going to experience downtime, no matter how highly automated and resilient the cloud provider’s infrastructure.
Consolidation risk manifests itself in other ways. As the major suppliers grow and consolidate, they become more entwined with each other. In consequence, so do their supply chains and, intrinsically, those of all their clients. I wonder just how many C-suite executives can be confident that they have done everything to examine their supply chain risk and the effect of a major failure at one of the large cloud service providers. Even if you are not with a cloud provider, an outage at any of the big 4 giants could have a tsunami-like, spiralling impact on your business.
There is lots of evidence of limited supply chain failure, but there would have to be a significant spiral for it to become catastrophic. How bad could it really get, then? There is some evidence around.
Lloyd’s of London has some experience of supply chain / trading spirals. In the 1980s this global reinsurance market faced systemic collapse due to losses spiralling around primary and reinsurance in cycles of contracts. Having faced up to and survived an existential event once, it is better positioned than most to assess the risk and cost of catastrophic supply chain risk to firms. In association with AIR Worldwide, Lloyd’s of London conducted a study of the likely impact of a major outage at one of the US Cloud providers. Though the study’s focus was to propose an alternative approach to help insurers model the risks and develop better cyber security risk products, the major findings are sobering.
Key findings from the report included:
- An extreme cyber incident that takes a top cloud provider offline in the US for 3 to 6 days would result in economic losses of $15bn and up to $3bn in insured losses.
- Businesses outside the Fortune 1000 would carry 63% share of economic losses and 57% of insured losses – indicating that they are at the highest risk.
- Fortune 1000 companies would carry 37% of economic losses and 43% of insured losses.
- If a top cloud provider went down:
  - Manufacturing would see direct economic losses of $8.6 billion;
  - Wholesale and retail trade sectors would see economic losses of $3.6 billion;
  - Information sectors would see economic losses of $847 million;
  - Finance and insurance sectors would see economic losses of $447 million;
  - Transportation and warehousing sectors would see economic losses of $439 million.
Financial Services firms are particularly vulnerable. Any Cloud service outage can have an immediate effect on clients, leading to customer churn, loss of competitive advantage and loss of revenue. For me, the risk is not wholly with Cloud buying decisions, but with making sure that firms fully understand the risks that they are taking on when taking critical IT services from any major supplier or trading partner. That said, when you move to Cloud, it’s much harder to assess this. Cloud providers have a duty of confidentiality to clients and cannot divulge all the details you might need so willingly. For sure, it’s not easy for firms to perform a supply chain risk analysis, but it’s a task that is probably overdue at most