Businesses in the US could lose US$15 billion if a leading cloud service provider were to experience a downtime of at least three days, says a new report from Lloyd's and risk modeller AIR Worldwide.
The adoption of cloud computing services is proliferating and with this trend cyber risk is also increasing. As more companies rely on ‘the cloud’ to operate, a select few providers have come to dominate the market. This reliance on a small number of companies creates the potential for systemic risk for service users.
The Cloud Down – The impacts on the US economy study analyses the financial impact of the failure of a leading cloud provider in the US for over 12 million US organisations and proposes an alternative approach to help insurers model such a risk. It sets out a ‘detailed accumulation’ modelling approach which provides a more accurate view of risk than standard market share based approaches - using industry exposure database records to identify relationships between vendors and insureds.
Cloud and cyber risks are known to be harder to assess, and model, compared to traditional Nat CAT perils, due to the complex and highly interconnected nature of the digital world.
The report found that an extreme cyber incident that takes a top cloud provider offline in the US for 3 to 6 days would result in economic losses of $15 bln and up to $3 bln in insured losses. Companies outside of the Fortune 1000 – who are more likely to use cloud provider services – would carry a larger share of the economic (63%) and insured losses (58%) than Fortune 1000 companies. However, the biggest 1000 companies in the US would still carry 37% of economic losses (and 42% of insured losses).
The top five economic losses by industry in the US for a cloud-based cyber incident would be the manufacturing sector, which would see direct economic losses of up to $8.5 billion; wholesale and retail trade sectors (up to $3.5 billion); information sectors ($846 million); transportation and warehousing sectors ($438 million); Finance and insurance sectors ($447 million).
Mr Trevor Maynard, Head of Innovation at Lloyd’s, said: “Clouds can fail or be brought down in many ways – ranging from malicious attacks by terrorists to lighting strikes, flooding or simply a mundane error by an employee. Whatever the cause, it is important for businesses to quantify the risks they are exposed to as failure to do so will not only lead to financial losses but also potentially loss of customers and reputation.”
According to Lloyd’s previous research with KPMG and DAC Beachcroft, services firms are particularly vulnerable to the reputational impacts of a cyber attack where service disruption can have an immediate effect on clients, leading to customer churn, loss of competitive advantage and loss of revenue.
Mr Scott Stransky, assistant vice president and principal scientist at AIR Worldwide, added: “A major cloud failure would significantly impact the insurance industry, and our research has shown that such an event is plausible. The findings from this report show that while the cyber insurance industry is growing, there’s still a significant gap in cyber coverage.
“We hope the report will help raise awareness across the industry as to how significant losses could be, how likely they are, and provide an opportunity for insurers to better understand and manage cyber risk. With proper models such as AIR’s, the industry will be able to grow the market by confidently writing more cyber policies. The goal is to make insurers and all organisations that rely upon cyber insurance more resilient if the cloud does go down.”
The Cloud Down report can be found here.