Cloud outage risk can be diversified, risk transfer still key: Aon & Parametrix

cloud-storage-hosting-cyber-insurance

Analysis from broking group Aon and Parametrix, a specialist in parametric cloud downtime cyber risk transfer, shows that it is possible to gain diversification within cyber portfolios that have cloud outage risk concentrations, with geography one way to achieve that.

Recall that cloud outage risk is one of the main systemic exposures in the cyber insurance and reinsurance marketplace.

For those focused on possible aggregation risks within cyber portfolios, cloud providers have been an area of growing focus.

This is driven a specialist market in cloud outage cyber risk transfer deals, which is where Parametrix focuses its efforts.

That company modelled the risks and acts as the parametric trigger reporting agent for reinsurer Hannover Re’s innovative privately placed $13.75 million Cumulus Re (Series 2024-1) parametric cloud outage catastrophe bond.

Parametrix also recently secured a $50 million parametric cloud outage cover for a US retailer, with backing from a range of re/insurers.

Which has helped to demonstrate both the demand for cloud outage protection, as well as how a parametric solution can be effective and even be securitized and backed by capital market investors.

As this segment of the risk transfer market grows, which seems inevitable given the exposure to cloud hosting providers and cloud-based software solutions is rapidly expanding, identifying how the cyber re/insurance market and those supporting such deals with risk capital can effectively diversify their exposure is key.

Rory Egan, Head of Cyber Analytics at Aon’s Reinsurance Solutions division explained, “Large cloud providers such as Amazon Web Services and Microsoft Azure are increasing in systemic importance, as organizations across the globe from all industries migrate business processes and data to the cloud, and software applications are increasingly cloud-based.

See also  'North Korean fake employees are everywhere'

“Therefore the market-leading cloud providers understandably are a focal point for cyber aggregation risk managers. However, there is an opportunity to go beyond overly simplistic and conservative approaches when estimating exposure at risk, and potential losses stemming from cloud infrastructure outages.”

Explaining the rationale for the research, Egan added that, “By shedding light on how utilization of cloud infrastructure varies across the globe, this paper intends to help cyber (re)insurers credibly allow for the effects of diversification and redundancy when determining their exposure to cloud-related loss scenarios and optimizing their portfolio mix.

“With this research, we aim to increase confidence among (re)insurers to grow their cyber exposures through improved portfolio risk management. In turn this can increase the availability of risk capital and value of risk transfer solutions for organisations facing cyber risk, which is beneficial for the increasingly digitized global economy.”

Aon and Parametrix’s research found that portfolio risk of systemic cloud outage events can be reduced through geographical diversification.

It explains that, “The unique nature of cloud service delivery means that regionality plays a role in systemic loss events.”

Parametrix Analytics analysed Aon’s Global Industry Exposure Database, covering roughly $8 billion of cyber risk premium, meaning that the work covers more than half of the estimated global total.

Using its proprietary portfolio scanning and infrastructure analysis tools, Parametrix assessed the performance and interdependencies of critical third-party digital services among this representative group of actual businesses, the pair explained.

Summing up the findings as, “It shows how losses arising from cloud outage events can be diversified within large (re)insurance portfolios. A significant level of diversification can be achieved by underwriting portfolios of company risks that span continents, or are geographically distanced within the same continent. However, writing a portfolio which covers companies of varying sizes, but within the same continent, delivers less diversification.”

See also  Expect more competition in the tail, property cat rates to soften: Aon execs

As cloud outage and related critical software and services exposures grow in the insurance and reinsurance market, it is to be expected that an increasing number of cloud outage specific risk transfer deals will be entered into, some of which will likely find its way to the capital markets.

Because of that, research that helps to demonstrate how portfolios of cyber risk can be diversified is an important input to growing the ILS market’s appetite for cyber risks in general and cloud-related risks specifically.

There are points of risk concentration, such as some of the major Amazon Web Services cloud infrastructure hubs.

The research from Aon and Parametrix states that, “Since diversification will not fully address the risk posed by accumulation of exposure to AWS us-east-1, other risk management actions are called for.”

One of these risk management actions is risk transfer, so reinsuring exposure to a cloud region of concentration, but the pair also highlight risk avoidance within portfolio management and risk mitigation for the insureds themselves, as both equally important options.

“In the past few years, the cyber (re)insurance market has focused on identifying and quantifying cyber aggregation events,” Crystal Boch, US Head of Cyber Analytics at Aon’s Reinsurance Solutions said. “We’ve made a lot of progress in this area and have highlighted the detrimental impacts these events could have on the industry and the economy, recently demonstrated by the CrowdStrike outage. There has been less focus on how insurers and reinsurers can diversify their exposures to mitigate the effects of these events on any one portfolio, this paper aims to make headway in this conversation.”

See also  When cyber risk meets healthcare

Sharon Haran, Head of Parametrix Analytics, explained, “The mainstream belief has been that diversification of cloud risk was almost impossible to achieve. However, our portfolio modeling uncovers the clear advantages to be gained by writing a portfolio that spans the globe. We now know how to help our risk carriers manage one of the two key systemic cyber risks.”

“We have been collecting data about the cloud and how companies use it for more than five years,” Haran continued. “By infusing Aon’s Global Industry Exposure Database with our own understanding of companies’ cloud behavior and reliance, we have distilled some concrete insights into the potential for cloud diversification.

“These key insights equip the industry with the tools needed to identify and transfer the risk, through advanced reinsurance solutions and ILS transactions.”

Print Friendly, PDF & Email