By nightfall of Day Five, the three
major cloud service providers are
recovered, and digital “normalcy”
begins to creep back. But for many
small and medium-sized businesses, the
recovery comes way too late.
Economic losses promise to register
in the tens of billions. It’s not being too
imaginative to think that losses could
hit the $100 billion mark.
Two multinational insurers based in
the U.S., three Lloyd’s syndicates and
a Bermuda insurer signal to regulators
that their aggregate cyber-related
losses are so great that they will most
likely become insolvent.
Emily Brookes and her cohorts were
willing to kill more than a dozen people
to promote their worldview. In their
youthful naiveté, they could not know just
how much suffering they would cause.
OBSERVATIONS: For some
commercial insurance carriers, the
aggregated losses from a prolonged
disruption of cloud computing services
could be catastrophic, or close to it.
“It’s on a par with any earthquake
or hurricane or tornado,” said Scott
Stransky, an associate vice president
and principal scientist with the
modeling firm AIR Worldwide.
AIR modeled the insured losses for
the Fortune 1000 were Amazon’s cloud
service to go down for one day. They
maker is on the cloud,” said Mark
Greisiger, president of NetDiligence.
“In the old days, someone would
come in and install software on your
servers and come in annually for
maintenance. That’s all gone bye-bye.
Everybody who makes software is
forcing you onto their private cloud,”
The aggregation risk for carriers
is complicated by the degree of
transparency they have into which
insured’s applications are hosted on
which cloud provider.
Now here’s the even trickier part.
Clouds outsource to other clouds.
“It’s almost becoming a spider’s
web of interdependencies on who has
access to what in terms of upstream
and downstream providers,” Greisiger
Determining which of their
insureds is hosted on which cloud,
and in turn, where that cloud is
outsourcing to other clouds, can be
very difficult for carriers.
Even if a company is careful to
diversify the risks they’re taking,
they might not realize that a high
percentage of insureds are with
the same cloud provider. They could
be hit with devastating losses across
their entire portfolio of business, said
an executive with BDO Consulting.
AIR’s Stransky said his company
of Risk from
Cyber, which is
designed to help
carriers gain that
It will also depend on
organizations’ understanding that
there is no off-the-shelf solution that
will prevent an event like this or make
a company whole after it.
Experts say contracts with cloud
service providers, customers and
suppliers must be structured so that
a company is defended should it lose
cloud access for as much as five days
Best practices also include
modeling just what your losses would
look like in this area, and vetting your
Once you have an understanding
of what you own and what you stand
to lose, the next step is prioritizing
the protection of the assets you
have. That means drilling into your
contract with your cloud service
providers to get the maximum
It also means spreading your risk
so that if at all possible, not all of
your assets or your customers’ assets
are housed by one cloud service
provider. Cloud platforms can be
public, private, or a hybrid of the
Understanding where your assets
are in that architecture is crucial.
Spending the money to ensure that
they are protected behind a diverse
menu of firewalls is highly advisable.
Navigating the different iterations
of business interruption coverage
in property, cyber and kidnap and
ransom policies is also important.
Make sure your broker can
provide clarity on the different types
of coverages and tailor them to your
needs, experts said.
The concept of design thinking
is really what’s in play here.
Organizations have to work
with vendors in every aspect of
their operations to design a risk
management system that can sustain
this kind of hit.
“Build a better mousetrap to
protect yourself,” said JKJ’s Friel.
“Depending on your service,
you need to have the best and the
brightest designing this stuff. Spread
“Don’t be afraid to ask for more,”
POSTSCRIPT: In engineering an
attack on the cloud, Emily Brookes
and her cohorts accomplished the
opposite of what they set out to do.
Only the largest corporations
with the most sophisticated risk
management programs were able
to survive the attempt to break the
cloud with manageable losses.
Small businesses, the true
backbone of the U.S. economy,
suffered terribly. Entrepreneurs
who put their life’s work into their
business lost it in many cases.
Those on the lowest part of the
economic scale, the working poor,
lost their jobs and their ability to
cover their rent and grocery bills.
They joined the ranks of those
subsidized by the government by
the millions. The attempt to break
the cloud resulted in an even more
polarized society.
DAN REYNOLDS is editor-in-chief of
Risk & Insurance®. He can be reached at
full portfolio of insurance policies
to understand how each would
One broker said buyers can’t be
blamed if the complexities of the
coverage issues at stake here are
initially hard to grasp.
“I think it’s the broker’s job to
inform the client of this exposure,”
said Doug Friel, a vice president
with JKJ Commercial Insurance,
based in Newtown, Pa.
“You may have business
interruption coverage for direct
physical damage to your building.
But have you ever thought about
your business income if your IT
structure goes down?” Friel said.
He said many buyers might not
realize there is a difference.
Large businesses should have
the resources to demand from their
cloud service providers that they
be indemnified for the entirety of a
cloud failure event. There will be a
fee for that, but it will be well worth
paying, Friel said.
“You have to push,” Friel said.
“They are going to say, ‘Here is our
standard contract, sign it.’ ”
Don’t settle for that, he said,
although many do in ignorance, he
“Where possible, we would
look for clients to negotiate
their contracts. These business
relationships should be mutually
beneficial, even if one of these
events occurs,” Starr’s Saeed said.
It’s a partnership, he said.
“It shouldn’t be a zero-sum game
on either side. I think there should
be an understanding of what the
potential loss might be and then
designing a contract around that,”
While cloud service providers
are known for having high-grade
security systems, most average
organizations don’t have the means
for that. But no matter what a
company’s resources, the first step
is modeling where your digital
assets are, and what you and your
customers stand to lose if you lose
access to them.
“Most insureds don’t seem
to understand the amount of
individual loss that you could be
subject to,” said Jim Evans, leader of
insurance advisory services at BDO
Consulting. “Usually this stuff is
measured in hours,” he said. “But
what if a cloud provider is out for
three or four days?” he said.
“Trying to quantify what you
did lose in an event is hard enough.
Trying to do a modeling exercise
about what you could lose? It’s
something that just doesn’t get done
enough,” he said.
came up with a figure of $3 billion.
Now consider that most businesses
in this country are small businesses,
with not nearly the risk management
sophistication of the Fortune 1000.
Then consider a cloud interruption of
five days or more.
“Almost any company you talk
about today would rely to some extent
on the cloud, either to host their
website, to do invoicing, inventory,
you name it — the cloud is being used
across the board,” Stransky said.
“It’s a significant issue for insurers
and one we think about a lot,” said
Nick Economidis, an underwriter with
specialty carrier Beazley.
“Should a cloud service provider go
down, everybody who is working with
that cloud service provider is impacted
by that,” he said.
“Now, pretty much every software