A workshop hosted by cyber risk analytics specialist CyberCube and global independent think-tank the Carnegie Endowment for International Peace (CEIP) examined how a severe cyber event involving cascading impacts from cloud infrastructure could result in business interruption and data loss across many different sectors.
The conclusion was that such a multidimensional risk would require a multi-dimensional response. Some of the organisations that participated in the discussion are listed at the end of this document.
Risk management requirements
The attendees, which included (re)insurance industry executives, cyber security experts, cloud service provider representatives, governmental agencies and regulators also debated whether the systemic nature of the exposure means that some form of public-private partnership may be required in order to develop adequate risk management frameworks.
The widespread dependence on the cloud carries the potential for catastrophic losses, meaning that ‘government backstop’ mechanisms could form part of the solution to encourage greater availability of insurance. The cloud presents a complex and systemic risk. (Re)insurers and regulators need to assess the potential for severe events affecting the cloud in order to meet solvency and risk management requirements.
Cloud Service Providers
The key points from the workshop were:
- The primary challenge for risk management and insurability of cloud computing is that it presents a complex and systemic exposure. The assessment of vulnerabilities, dependencies and impacts are all characterised by major uncertainty.
- (Re)insurers recognise that they must develop solutions which accurately capture the risk associated with cloud computing. Their appetite to assume the risk is constrained by the high degree of uncertainty.
- Regulators are increasing their focus on cloud computing. In the realm of cyber security, dependence on third parties represents the most challenging area for regulated entities and regulators to measure risk and develop controls.
- The market concentration of Cloud Service Providers (CSPs) does present a new, increasingly salient, systemic risk.
Encountering serious challenges
Nick Beecroft, Strategic Partnerships Lead at CyberCube, said: “The dialogue revealed that stakeholders in (re)insurance and regulation are lagging behind and encountering serious challenges in catching up with the digital and business transformation brought by rapid growth of cloud services. This will mean harnessing the insights of cyber security experts, technology providers and regulators to create risk management mechanisms that will allow the cloud to achieve its full potential.”
Addressing these issues will require collaboration across many different stakeholders"
Ariel (Eli) Levite, A Senior Fellow at the Carnegie Cyber Policy Initiative, added: “Addressing these issues will require collaboration across many different stakeholders. This dialogue focused on the security, robustness and resilience themes, in particular the role of (re)insurers and regulators. There are serious risk management concerns arising from the aggregation of risk in a small number of CSPs; the opaque nature of security arrangements; and the growing threats (from natural occurrences as well as deliberate action by criminals and states) to cloud services and their supporting infrastructure.”
Risk transfer solutions
(Re)insurers need to accept the challenge of developing risk transfer solutions for cloud computing. The primary challenge for insurability arises through very complex supply chains where dependencies are hard to identify. The dominance of a small number of CSPs also presents the potential for concentration of exposure and a systemic risk.
Insurers must pay close attention to understanding their aggregate risk exposure arising through dependence on cloud computing. Regulators are stepping up their efforts to understand the cloud phenomenon, and increasing their scrutiny, but third-party dependency is the most challenging aspect of cyber security supervision. For regulators, there is concern that the increasing adoption of the cloud presents more uncertainty for risk management, especially on the nature of dependencies.
Receiving assurance of security
One area of focus going forward could be a requirement for regulated entities to receive assurance of security and robustness standards from third-party providers. CyberCube wishes to acknowledge the contributions of the following organisations. The views expressed in this document do not necessarily reflect the policy of any organisation.
- Bermuda Monetary Authority
- Carnegie Mellon University
- Connecticut Insurance Department
- DAC Beachcroft
- European Insurance and Occupational Pensions Authority
- Guy Carpenter
- Israel Ministry of Finance
- Israel National Cyber Directorate
- Munich Re
- New York State Department of Financial Services
- Prudential Regulation Authority, Bank of England
- Swiss Re