Insurers dread what they like to call “aggregation risk.” The threat arises when a large number of companies face the same catastrophic peril concurrently, multiplying the potential losses in an insurer’s portfolio. The issue gained prominence in the wake of the 9/11 attacks, when many companies in the same location lost people, saw property destroyed, and suffered lengthy business interruptions from a single event.
Flash forward nearly 17 years and the problem is cropping up again, but in a different form. This time, the aggregation refers to the vast accumulations of cyber risks faced by companies seeking efficiency and safety by automating some or all of their operations in the cloud. What could happen to such companies if one or more of the large providers that have cornered the cloud-computing market gets hit with a devastating cyber attack or suffers a system failure?
To be sure, nothing comparable to the loss of the more than 3,000 lives and $10 billion in property and infrastructure damage caused by the September 11 attacks has hit corporate America. But the aggregation of risk in the cloud creates an attractive target for hackers and a place where small mistakes, like a flub during a routine maintenance upgrade, can wreak widespread havoc.
A cyber incident that takes a top-three cloud-services vendor offline for three to six days would spawn customer financial losses of about $7 billion to $15 billion, according to a report, “Cloud Down,” by Lloyd’s of London and catastrophic risk modeler AIR Worldwide.
Rather than focusing on just the security of their own company networks, CFOs and risk managers must now consider the threat of existing in a much wider “attack surface” (as cyber-risk management experts call it), which multiplies the chances of being hit.
Cloud platforms have limited responsibility. For companies using infrastructure-as-a-service, the cloud provider is only responsible for core infrastructure security, like storage and networking at the physical level. Software-as-a-service providers, in contrast, are responsible for more, like application-level controls and, in part, identity and access management. However, customer data is never the cloud provider’s province, which “in the event of a breach makes [the customer] most liable for any third-party damages or responsible for regulatory action,” according to Lloyd’s/AIR.
And few, if any, cyber insurance products offer the kinds of payouts or the type of coverage companies will need if a massive cyber event in the cloud threatens their ability to function.
Fundamental Shift
The sources of potential losses assume a wider footprint as companies become more dependent on outside information-technology providers, who themselves are part of a closely intertwined tech supply chain. And the stunning speed with which this supply chain has arisen hasn’t given corporations much time to erect cyber defenses or devise backup plans adequate to the risk.
In a 2015 report, McKinsey & Co. noted a “fundamental shift” by corporations from the traditional approach of maintaining computers and servers on-site to outsourcing those functions to cloud-services providers. Citing that shift, McKinsey predicted that the percentage of global companies using traditional IT infrastructure would drop from 77% that year to 43% by 2018. Over the same period, the firm predicted, the share of companies using the publicly available cloud for at least one IT task would jump to 37% from 25%, based on a survey of about 800 CIOs and other IT executives.
While McKinsey hasn’t updated its numbers, it’s obvious that many companies are putting the management of exceedingly costly cyber risks in the hands of third-party providers.
In the universe of tech companies servicing the publicly available cloud, in which users buy slices of server time in a multi-tenant environment, there are just five providers or so. As of February 2018, according to the RightScale State of the Cloud Report, 64% of 997 IT professionals surveyed said their companies were running applications on Amazon Web Services; 45% on Microsoft Azure; 18% on Google Cloud; 10% on IBM; and 6% on Oracle.
That market concentration increases the likelihood that a hacking attack or a major outage experienced by one or more of the top providers could hurt many among the burgeoning number of companies whose networks or applications are housed in the cloud. Cloud vendors tend to minimize corporate concerns about that. They argue that aggregation risk is really a concern of insurance companies likely to have a large number of at-risk clients in their portfolios, and not a systemic risk to cloud providers or their customers.
“Among insurers, there is widespread recognition of the potential for extreme accumulated losses from a cyber event, be it from an attack on a cloud provider or payment processor, a power grid attack, a massive data theft aggregation event, [a hacker] exploiting a weakness in a commonly used software application, or any one of a number of other nightmare scenarios,” according to the Lloyd’s/AIR report. But cloud providers seem to lack that recognition.
Is Cloud Security Better?
Contrary to the claim that customers should be worried about security in the cloud, cloud-services vendors maintain that they offer customers a big step up in security compared with the days when businesses were managing their own cyber risks. Ann Johnson, a vice president in Microsoft’s enterprise cybersecurity group, contends that businesses operating outside the cloud have a significant flaw: “their tools to protect, detect, and respond are not integrated.”
Because of that, the amount of time between when such companies detect a cyber attack and when they recover from it, known as “attacker dwell time,” is much too long, according to Johnson. “The cloud changes the entire approach to one that democratizes cybersecurity, giving experts and the resource-constrained the same powerful tools,” she says.
Johnson notes that the $1 billion Microsoft spends yearly on cybersecurity includes investments in malware protection and threat intelligence centers aimed at guarding its customers. Azure, the company’s cloud-computing service, provides protections for third-party cloud applications—demonstrating concern, perhaps, for the security of the broader IT supply chain it inhabits.
Indeed, there’s no evidence that cloud providers are skimping on things like co-located hardware, redundant networking and power, and business continuity plans. But the big cloud infrastructure providers are not invulnerable to bugs, breakdowns, and human errors that can have broad-scale effects. Azure, Google Cloud, and AWS have all experienced major outages or disruptions in the last few years. Their length ranged from a couple of hours to three days. In February 2017, the AWS Simple Storage Service (S3), which provides hosting for images, entire websites, and app back ends, experienced a severe, four-hour disruption that affected some websites for up to 11 hours.
Small Steps
The fear of absorbing the costs of such interruptions has so far led services providers as well as underwriters to step gingerly into the business of indemnifying companies. According to the Lloyd’s/AIR report, while cloud customers would like providers “to assume unlimited liability for outages and any resultant business interruption,” vendors want to restrict and cap their liability.
Even if a major cloud provider bears some responsibility for a service outage, affected customers are very rarely compensated. The customer is more likely to receive credits for a certain amount of free usage. And where the legal burden lies is unclear. Determining which jurisdiction’s laws apply during a particular downtime event of a cloud service would be considerably complex, says Lloyd’s/AIR.
While some companies might be able to individually negotiate indemnification provisions in their cloud-computing contracts, “the bulk of the costs will be on the insureds themselves,” says Elissa Doroff, an underwriter and product manager for cyber liability at XL Catlin, a large commercial insurer. (Microsoft did not respond to a question about the kinds of indemnification or insurance, if any, it provides for its cloud clients.)
Not that insurers have been eager to pay for the bulk of those costs, either. Thus far, insurers have managed to hive themselves off from the vast magnitude of cyber perils, avoiding excessive exposure to ransomware attacks and data breaches experienced by their corporate policyholders.
So, while many U.S. companies buy insurance to cover cyber risks, the coverage under such policies is severely limited. Many cyber insurance policies include low limits on the dollars they will pay out after a loss, long waiting periods after a cyber event happens before coverage kicks in, and “a multitude of exclusions,” according to the Lloyd’s/AIR study.
For example, Equifax incurred $164 million in costs related to its large data breach in the summer of 2017, but only $50 million was offset by insurance. This year, Equifax is projecting about $200 million of net incremental IT and data security project costs and legal and professional fees, of which insurance is expected to cover $75 million.
The laser-like specificity with which insurers have zeroed out their exposure to serious cyber losses has resulted in a confusing array of highly specific “standalone” policies (referred to as such because they stand apart from the cyber coverage offered in traditional property-casualty policies). Standalone cyber insurance is typically triggered by claims stemming from either a security failure or unauthorized access to the policyholder’s network.
Such policies may cover costs stemming from business interruption, cyber extortion, data loss, theft or fraud, regulatory fines, and lawsuits arising from a data breach, according to a 2017 report by the Risk and Insurance Management Society. The services the policies can pay for include forensic investigation, public relations, reputation and crisis management, breach notification, and restoration of proper credit monitoring for hacked clients.
Leery of losses, though, the insurance industry has acted to limit its exposure to the cloud. Indeed, the insurance industry today would foot the bill for only about 20% of the business effects of a major cloud vendor’s three-to-six-day event.
While some policies may cover the income a company loses when its network goes down, they haven’t typically been triggered when the downtime results from a problem experienced by a cloud-computing vendor or other third-party IT service provider. Now, however, insurers are hot to sell “contingent business interruption” coverage that reimburses a company for earnings lost when a vendor gets hit, players in the cyber insurance market say.
There is an opportunity for the insurance industry to help businesses prepare for and recover from extreme scenarios of cyber risk aggregation, says the Lloyd’s/AIR report. But that’s not a priority yet. Meanwhile, in the scenarios run by Lloyd’s/AIR, smaller companies in particular fare badly, since they are more likely to use the cloud to avoid building computing infrastructure in-house. In addition, they rarely buy cyber insurance.
So, while movement to the cloud may “democratize” cyber security, it is definitely not distributing the risks evenly: in the event of a severe disruption to or an attack on a cloud services platform, the bulk of the financial losses could be borne by the businesses that can least afford it.
David M. Katz is a freelance writer based in New York.