A handful of tech firms ensure the smooth operation of millions of businesses world-wide. A great many companies may not even realize that they rely on these critical web-service suppliers, but when the technology goes down, business may grind to a halt. To compound the problem, some of these background web companies depend on the services of yet others, which creates a complex web of potential contagion. For cyber insurers and their reinsurers, the contingent business interruption (CBI) aggregation risk is enormous.
The companies are the cloud service providers (CSPs) and content delivery networks (CDNs) that make the internet work. They support billions of dollars of commerce and services every day. AWS (Amazon Web Services) is the leading CSP, with about 40% market share and more than one million customers. More than 95% of the Fortune 500 rely on Azure, Microsoft's CSP, at least to a certain extent. Cloudflare is used by about 150,000 clients. Google Cloud Services sits behind Shopify, the e-commerce platform relied upon by about 800,000 merchants in the U.S. alone.
These, along with other CSPs and other service providers, form the backbone of the technology and infrastructure that allows the internet - and therefore the modern economy - to work. When they're operational, they ensure that e-commerce, from online banking to pizza delivery orders, functions effortlessly and almost instantly. Unfortunately, they go down with alarming frequency. Major vendors that suffered at least one outage this year include AWS, Fiserv, Shopify, Azure, Cloudflare, Google Cloud, IBM and Verizon. One service interruption happened because a cable was inadvertently cut. Another occurred when the air conditioning shut down.
See also: Essential Steps for Cyber Insurance
Traditional business interruption (BI) insurance covers losses arising when something the insured does or suffers causes a systems problem that brings normal business to halt. Contingent BI, also known as Dependent BI, is a subclass that protects insureds when something goes wrong at a third-party service provider and their shutdown causes the insured's business to stop in its tracks.
It's a complicated risk to assess at the best of times, but it's made fiendishly more difficult when the third parties are CSPs and CDNs. Worse, because an outage at one of the big players can affect hundreds or thousands of insured firms, the potential aggregation - especially for reinsurers - is gigantic.
Cyber insurers' reactions to the threat naturally vary. Some have lengthened the time the outage must last before coverage kicks in, effectively increasing the self-insured retention. Others have imposed low sub-limits that cap the indemnity payable to a fixed maximum that may be much lower than the insured's actual loss. The third option is to exclude CBI cover for CSPs and CDNs. The fourth and most extreme reaction is to remove DBI coverage altogether.
The widespread reluctance to cover cloud outages and distribution network interruptions is understandable. It is very difficult to gain a clear vision of all clients' true exposure to specific services. It is even more difficult to garner a granular view of the nature of the exposure; the insured can sometimes name their service provider but often don't know the specific service provided or the regional sub-service that delivers it.
Historical data about the services consumed is typically very limited or absent, which leaves insurers unable to model individual risks, let alone the threat of aggregation. And, because the risk lies with third parties, it is impossible to differentiate among insureds based on their systems architecture, infrastructure or controls. As a result, accumulations of exposures, particularly around market-dominating service providers, cannot easily be managed effectively.
There are several strategies to tame these challenges. Foremost is understanding: Downtime policies should cover specific, named services. Secondly, each risk should be underwritten individually. This is a necessity, because not all risks are insurable. Some service providers' reliability is not up to par, and sometimes an insurer must manage its own accumulation. Insureds presenting a higher accumulation risk may face higher premiums or longer downtimes before coverage is triggered. These measures allow downtime insurers to limit accumulation risk. That goes both ways, though, because customers using service suppliers outside those that present the largest accumulations pay less and benefit from shorter self-insured interruptions.
These accumulation management measures are important, but the heart of downtime insurance should be cloud monitoring. Downtime insurers should watch the CSPs and CDNs constantly, in real time, to see their performance and detect dependencies and know about clients' interruptions as soon as they happen. That monitoring allows downtime insurers to offer Cyber CBI insurance products on a parametric basis. When the cloud or network used by a specific customer goes down long enough to trigger a claim, the downtime insurer should tell them. It's simple and efficient and helps the world get back to business as usual with as little disruption as possible.