A new report from AIR and Lloyd’s of London that examines the cyber risk associated with the failure of cloud service providers has just been released. This report highlights how 12.4 million businesses in the U.S.—the most established cyber insurance market—would be impacted financially by downtime incidents lasting from hours to 11 days at several of the top cloud service providers.
With the insurance industry challenged to understand its exposure to systemic risk, this report offers insights that can help cyber insurers prepare for an extreme event that could trigger simultaneous claims from millions of companies. Some of the report’s key findings include:
1. Cloud service providers are a growing source of systemic cyber risk
The use of cloud computing services is increasing among businesses across the world, and that is creating systemic risk that insurers must monitor. There are three trends driving the increase:
- Demand for cloud computing services is increasing. It’s projected that the public cloud industry will grow revenue at a compound annual growth rate of 36% between 2014 and 2026, which means many more companies will be using the cloud in some way.
- Dependence on the cloud is increasing. In 2015, 25% of companies used IaaS (infrastructure as a service) as their primary environment, and that percentage is expected to rise to 37% in 2018. Similarly, as of 2015, 77% of companies used traditionally built on-premises IT infrastructure as their primary environment, and that percentage is expected to drop to 43% in 2018.
- The cloud computing industry is highly concentrated. The industry market share of the top 15 cloud service providers is close to 70%, and with economies of scale favoring the leading providers, this trend is unlikely to end.
2. Multiple threat vectors can take down the cloud
Cyber insurers need to be aware of all the different ways a cloud provider can fail so that their policy language reflects the risk they are intending to take and they can avoid being surprised by non-affirmative, or “silent” cyber risks. The following are the four sources of threat that can impact a cloud service provider:
- Environmental. Natural disasters and failures of critical infrastructure on which the organization depends but which are outside the organization’s control
- Adversarial. Individuals, groups, organizations, or states that seek to exploit the organization’s cyber vulnerabilities
- Accidental. Erroneous actions taken by individuals in the course of executing their everyday responsibilities
- Structural. Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances that exceed expected operating parameters
3. Society is underinsured against the impact of cloud failure
The scenarios described in the report indicate that, if a cloud service provider were to fail, the insurance industry would currently provide relatively little relief. Given the state of the cyber insurance industry today, a cyber incident that takes a top three cloud provider offline in the U.S. for 3–6 days would result in ground-up losses of USD 5.3 to 19 billion and insured losses of just USD 1.1 to 3.5 billion. This large protection gap is the result of low cyber insurance penetration rates, especially in the small and medium-size enterprise (SME) segment, and of the limited coverage being offered, which typically includes 8- to 24-hour waiting periods and low limits.
While there are many reasons why cyber insurance remains limited, a primary factor is a lack of understanding of exposure to systemic risk. With this paper, cyber insurers can gain new insights into this emerging threat and use the modeling approaches outlined to quantify the impact this type of event would have on their business.