I hear this frequently: "We've moved everything to the cloud, so our security is good." Maybe yes, maybe no. Cloud applications operate on a "shared responsibility" model, which means that the cloud provider will have a certain level of security, but the customer also bears a level of responsibility for settings, encryption at rest, and a host of other issues. Misconfigured cloud storage applications (such as AWS S3 buckets) can expose terabytes of data to the open Internet. Bad guys know where and how to look.
Does your incident response plan deal with how to handle cloud incidents? (Do you have an incident response plan?)
Kroll has put together a helpful review of issues associated with cloud service providers.