Because malicious cyber attacks are newsworthy, they are top of mind for underwriters and catastrophe modelers. But while cyber attacks do make up the majority of data breach incidents, based on AIR’s analyses, they are the least likely manner in which a cloud service provider will experience downtime and cause loss to insurance policies. Therefore, comprehensive risk management strategies and modeling solutions should consider cyber events beyond those that are malicious.
At AIR, we implemented the National Institute of Standards and Technology (NIST) Taxonomy of Threat Sources in our modeling approach to account for non-malicious, or non-adversarial, events. Our framework includes events that fall into four categories: adversarial (such as malicious cyber attacks); and three non-adversarial categories—accidental, environmental, and structural. Affirmative cyber insurance policies, including those from ISO® and those we have studied from key players in the cyber insurance market, can cover loss from any and up to all four of these event categories, depending on policy wordings. In this post, we’ll walk you through an example of each of the three non-adversarial categories to illustrate the potential for loss to insurance portfolios.
This is defined by NIST as, “Erroneous actions taken by individuals in the course of executing their everyday responsibilities.”
On February 28, 2017, the Amazon Web Services Simple Storage Service (S3), which provides hosting for images, entire websites, and app backends, experienced a 4-hour disruption in the Northern Virginia (us-east-1) region that affected some websites for up to 11 hours. As Amazon Web Services explained in a post-mortem message, a debugging team executed a command to remove a few servers in a subsystem used by S3. A larger set of servers was removed than intended, however, including servers that supported two other subsystems, the index subsystem, and the placement subsystem. Each of these systems required a full restart, during which time S3 could not service requests. The outage affected major websites and service, including Quora, Coursera, Expedia, GitHub, and Trello, as well as devices in the Internet of Things (IoT) such as Nest thermostats and cell phone apps.
This category of incidents is the “only action type that is consistently increasing year-to-year in frequency” according to the recently published 2020 Verizon Data Breach Insights Report.
NIST defines this as, “Natural disasters and failures of critical infrastructures on which the organization depends, but which are outside the control of the organization.”
On August 17, 2015, in Saint-Ghislain, Belgium, four lightning strikes to the local power grid caused failures in the Google Compute Engine of Google's cloud data center (europe-west1-b). Although storage systems had battery backup, some recently written data was lost because some systems had experienced power drain. In addition to data that was lost due to the power issue (Google claims that it lost only a very small fraction of its data in the affected location), downtime was experienced by those trying to access their servers during the storm.
This category is defined by NIST as, “Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances which exceed expected operating parameters.”
On February 29, 2012, the Microsoft Azure cloud experienced a lengthy downtime due to what has become known as a “leap day bug.” An underlying part of Azure’s code included a routine that took the current date and added one to the year value of the date as a way to compute the date one year later. On most days, this is perfectly fine, but you can understand how this would create a problem on leap day. This code was triggered for the first time in 2012, when the system tried to create a date of February 29, 2013. The impact of this “fake” date cascaded through the system and ultimately led to more than 12 hours of downtime. Ultimately, Microsoft refunded their customers one third of their monthly fees to compensate for the problem.
Account for all categories
Each of these events has insurance implications and the potential to turn into large insurance losses. Any modeling solution that doesn’t explicitly account for things beyond malicious cyber attacks should be considered incomplete.