As organizations around the world increasingly rely on the cloud, the impact of a public cloud failure is something that insurance companies are now concerned about. A 67-page report released on Jan. 23 from Lloyd's of London and AIR Worldwide provides some insight and estimates on the potential losses from a major cloud services outage—and the numbers are large.
According to the report, a cyber-incident that impacted the operations of one of the top three public cloud providers in the U.S. for three to six days, could result in total losses of up to $19 billion. Of those loses, only $1.1 to $3.5 billion would be insured, leaving organizations left to cover the rest of the costs.
The new estimate on the impact of a catastrophic cloud outage isn't the first time Lloyd's has provided an insurance forecast for a cloud disaster. In July 2017, a joint research report from Lloyd's of London and cyber-risk analytics firm Cyence estimated that a global cloud shutdown could result in $53 billion loses.
Trevor Maynard, Head of Innovation at Lloyd's, explained that the July 2017 report titled "Counting the Cost" the calculated potential losses for the U.S., UK, Canada and the EU. The new report, titled "Cloud Down," focuses on the U.S., but in greater detail.
"The U.S. is an important cyber market for Lloyd's, it's the source of about 80 percent of our premiums, so further research and analysis around the impact of cloud disruption on U.S. businesses in particular is a natural next step in our research," Maynard told eWEEK.
There are also differences in the two reports in terms of how much downtime and recovery time are modelled into the cost estimates. Maynard added that the overall losses between the two reports are not directly comparable due to the reports different geographical scopes and the different ways the losses are calculated.
"The losses reported by Counting the Cost are for one hypervisor affecting many cloud providers. While Cloud Down estimates losses for the top 15 cloud providers in the US, which account for a 70 percent market share," Maynard said.
A best practise that is advocated by all public cloud providers is to use multiple availability zones and geographic regions, in order to help provide better resiliency against downtime. Maynard said that the Cloud Down report models a scenario where the service provider in question goes down in its entirety, i.e. in all regions around the world, but the financial impact provided is for the U.S. economy only.
Modeling Cloud Failure
Clouds can fail or be brought down in many ways. Maynard said that likely causes of interrupted cloud service include malicious cyber-attacks by external agents, errors by internal workers as well as hardware and software failures. The Lloyd's—AIR report provides four threat sources (environmental, adversarial, accidental and structural) and more than 30 additional vectors that could lead to a cloud service provider failure.
Among the most recent cloud outages was a disruption at the Amazon Web Services (AWS)-East data center that impacted the Simple Storage Service (S3) in February 2017. Some websites were impacted for up to 11 hours due to the disruption. The root cause of the S2 outage was a typo that was entered by a human operator.
From an insurance perspective, Maynard said that a cyber-insurance policy that covers non-physical business interruption and digital asset damage would mitigate the risks arising from a cloud outage.
"In case of a cyber-attack that brings down a cloud, providers' coverage could also include extortion, regulatory defense, breach response costs, security and privacy liability and legal expenses and reputational harm," he said.
Maynard explained that the overall purpose of the Lloyd's—AIR report is to increase insurers' and risk managers' understanding of cyber-risk liability and aggregation.
"Risk managers can use our scenarios to explore what impacts cyber-attacks might have on their core business processes, and plan what actions they could take to mitigate these risks," Maynard said. "Ultimately discussions around the necessary steps to take to mitigate risks need to happen between risk managers and the insurance industry."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.