The recent 15-hour or so outage at Amazon Web Services (AWS) again raised questions about the potential for systemic loss to the cyber insurance market, but loss
es from the temporary lapse in cloud services are not likely to be catastrophic.
The event was classified as a “moderate incident” for the insurance industry, said cyber analytics provider CyberCube.
“This AWS outage underscores systemic cloud services provider concentration risk. With disruptions extending 15
to 16 hours and most waiting periods in the 8- to 12-hour range, this outage could represent a moderate cyber (re)insu
rance event,” the firm said in a blog, which also used the outage as a reminder to review cloud-provider dependencies in portfolios.
Insurance may be impacted by system failure contingent business interruption (CBI) coverage, and there is potenti
al for incident response and data restoration costs, CyberCube added.
Related: CyberCube: Insured Loss Estimate From AWS Outage Likely About $40M
Jason M. Schweigert, vice president, forensic accounting at Sedgwick, said there are at least a couple of lessons from the event.
“Diversify your cloud platforms to avoid complete interruption when a provider has a problem,” he said, adding a
Watch More Image Part 2 >>>
review of policy language is in order to know coverage triggers and waiting periods.
Related: Amazon Says All Cloud Services Restored After 15-Hour Outage
For policyholders, insurance policies typically have waiting period
s (ranging from 8-24 hours) before business interruption losses can be tallied, from the start of the network disruption.
Ryan Griffin, a partner in the U.S. financial lines and special risk team at McGill and Partners, said the AWS outage will be
another “near miss” for the insurance industry, like the cyber events of CrowdStrike and Change Healthcare were, for the most part.
“But we can only have so many near misses without it becoming significant,” added Griffin, who is focused on cyber at McGill.
The concern may be less about catastrophic payouts than abou
t a slow erosion of confidence in products that policyholders find too complex or unresponsive.
“Until these polices become far more responsive from a business interruption calculation standpoint—whether we’re talking parametric or other mechanism
—it’s probably unlikely that there’s going to be a ‘big one,'” McGill said.
The take-up of parametric solutions has lagged and insurers are no
t adapting policies to include a parametric element, so clients are currently faced with a burdensome
insurance recovery. The proof of loss process is “not fun…they are no piece of cake,” Griffin explained. In fact, it can discourage some clients from filing a claim.
“We have this idea of coverage,” he said, “but when you actually try to recover and work through what’s required t
o recover under these coverage extensions, it’s a lot of work.” For many insureds, especially smaller businesses, the cost and
effort of recovery often outweigh the benefit. Meanwhile, Fortune 500 firms may weather short outages with minimal impact.
“I think that is the piece that we’ve learned from some of these more recent CBI claims,” Griffin continued. “By the time you tried to figure out [the impact]—with the retention
against that too—unless it’s truly material, [clients feel] it’s not worth it.”