Understanding cloud dependency is vital for writing cyber policies

Single point of failure incidents and supply chain attacks underscore the need to truly gauge the end-to-end cyber risks of an organization and its vendors.


With more companies turning to cloud computing to provide core services and products to meet the needs of global consumers, assessing the systematic risk those connections pose as well as the relationship between policyholders and the cloud will be vital for future cyber policies, according to a report from CyberCube.

Additionally, some underwriters name specific cloud service providers in policies by scheduling or endorsing them in policy language. This practice is expected to become more common.

As more and more organizations become dependent on cloud computing from suppliers, the possibility of having to deal with a “single point of failure” (SPoF), or the downing of one of these services, increases. A single SPoF event could potentially impact millions of customers. Underscoring this threat is the wave of service outages seen worldwide during the past six months from major cloud providers, including Microsoft Azure and Amazon, the cyber risk analysis and modeling company reported.

“These events demonstrate how cloud providers can act as SPoFs in the event of an incident that causes an outage impacting many related services with large user bases,” Charlotte Anderson, senior cyber risk analyst at CyberCube, said in a press release. “Increasingly, underwriters will need to take these dependencies into account when underwriting cyber cover.”

To this end, CyberCube developed a SPoFs database, which allows insurers and reinsurers to create products with terms and conditions tied to specific points, including data centers and cloud providers. This can help inform underwriting by highlighting exposure to SPoF-driven risks and help clarify potential exposure and claims arising from SPoF incidents.

CyberCube also pointed to the growing risks around supply chain attacks as an issue insurance companies should keep in mind.

“Factors driving the increased exposure to supply chain cyber risk for businesses include the growing integration of new Internet of Things (IoT) devices and the blending of personal, public and workplace networks as we experience a movement away from the traditional corporate IT network perimeter model,” Anderson said. “In addition, the proliferation of complex global supply chains with exposure in both physical and digital realms will provide further opportunities for disruption.”

When assessing a portfolio of catastrophic risk, insurance professionals should focus on the extent to which a policyholder is reliant on a single supplier or a small handful of suppliers. A business’s approach to identity access for third-party vendors and the overall security culture of the organization should also be weighed as critical factors, CyberCube reported.
