On Tuesday, January 23, Lloyd’s of London co-published a report with AIR Worldwide highlighting the significant financial fallout that could occur in the event of a cyber incident or shutdown of a cloud computing provider in the United States, noting that losses could be to the tune of about $19 billion – of which only about $3 billion would be covered by insurance. The report calls attention to the rise in businesses’ integration with and reliance upon cloud computing services (particularly when fewer providers are gaining greater market share), and the rise in commensurate and systemic cyber risk and potential gaps in insurance coverage.
The report examined 12.4 million businesses that rely on cloud computing, ranging in industries from manufacturing to wholesale and retail trade to transportation, storage, finance and insurance. The report states that “[g]iven the state of the cyber insurance industry today, a cyber incident that takes a top three cloud provider offline in the US for 3-6 days would result in ground-up loss central estimates between $6.9 and $14.7 billion and between $1.5 and $2.8 billion in industry insured losses.” Among those businesses examined, the report states that smaller, non-Fortune 1000 companies would likely sustain the biggest losses. The report also noted that losses from reputational damage, customer trust and competitive disadvantage would significantly compound the consequences of such an incident.
The risk of cloud failures stems from the numerous ways in which failures could occur, from targeted malicious attacks to employee error – and criminal exploitation of employee error – and can result in loss of production data, limited access or inability to authenticate uses or other forms of interrupted service. From a cybersecurity perspective, it is important for both cloud providers and the businesses that use them to optimize infrastructure and design their system engineering architectures and incident response plans to be as resilient and aware of these risks as possible, and to consider the level of access cloud providers provide to their security and operations teams in the event of an incident.
From an insurance perspective, it is equally important for businesses that rely on cloud computing services to contemplate such risks ahead of time and incorporate them into their insurable risk management program, including adequate cyber coverage. Comprehensive cyber policies continue to evolve and may vary widely in scope from insurer to insurer. Some insurers’ policy forms include cloud computing coverage, but others will only add the coverage by endorsement and may require an addition application and underwriting process. Companies that have cyber coverage, or those considering placing cyber coverage, should identify their cloud computing and vendor-based risks and review any placed or proposed cyber policies to ensure that the policies will respond to those risks. Companies should further review the discovery and notification requirements of their cyber policies to ensure that timely notice will be provided.
Furthermore, policyholders should consider the ancillary effects, like potential follow-on litigation from customers or shareholders, when attempting to quantify the core risks outlined in the report. As noted by Lloyd’s and AIR, “cyber insurance is an emerging market that is outperforming most existing lines of business but this growth track can only be sustained if society’s understanding of the nature of risk continues to grow as well.” Thus, companies should review all other potentially applicable polices, such as directors’ and officers’ liability, business interruption and professional liability policies, to determine how those policies may respond in the event of a cloud computing incident. As organizations look to build comprehensive and effective cyber incident response plans while simultaneously increasing reliance upon external services like cloud providers, it is increasingly important to understand all available and necessary coverage as part of a thorough approach to mitigate risks that will only continue to grow.