London, 28th October 2020 – A workshop hosted by cyber risk analytics specialist CyberCube and global independent think-tank the Carnegie Endowment for International Peace (CEIP) examined how a severe cyber event involving cascading impacts from cloud infrastructure could result in business interruption and data loss across many different sectors. The conclusion was that such a multi-dimensional risk would require a multi-dimensional response. Some of the organizations that participated in the discussion are listed at the end of this document.
The attendees, which included (re)insurance industry executives, cyber security experts, cloud service provider representatives, governmental agencies and regulators also debated whether the systemic nature of the exposure means that some form of public-private partnership may be required in order to develop adequate risk management frameworks. The widespread dependence on the cloud carries the potential for catastrophic losses, meaning that “government backstop”’ mechanisms could form part of the solution to encourage greater availability of insurance.
The cloud presents a complex and systemic risk. (Re)insurers and regulators need to assess the potential for severe events affecting the cloud in order to meet solvency and risk management requirements.
The key points from the workshop were:
- The primary challenge for risk management and insurability of cloud computing is that it presents a complex and systemic exposure. The assessment of vulnerabilities, dependencies and impacts are all characterized by major uncertainty.
- (Re)insurers recognize that they must develop solutions which accurately capture the risk associated with cloud computing. Their appetite to assume the risk is constrained by the high degree of uncertainty.
- Regulators are increasing their focus on cloud computing. In the realm of cyber security, dependence on third parties represents the most challenging area for regulated entities and regulators to measure risk and develop controls.
- The market concentration of Cloud Service Providers (CSPs) does present a new, increasingly salient, systemic risk.
Nick Beecroft, Strategic Partnerships Lead at CyberCube, said: “The dialogue revealed that stakeholders in (re)insurance and regulation are lagging behind and encountering serious challenges in catching up with the digital and business transformation brought by rapid growth of cloud services. This will mean harnessing the insights of cyber security experts, technology providers and regulators to create risk management mechanisms that will allow the cloud to achieve its full potential.”
Ariel (Eli) Levite, A Senior Fellow at the Carnegie Cyber Policy Initiative, added: “Addressing these issues will require collaboration across many different stakeholders. This dialogue focused on the security, robustness and resilience themes, in particular the role of (re)insurers and regulators. There are serious risk management concerns arising from the aggregation of risk in a small number of CSPs; the opaque nature of security arrangements; and the growing threats (from natural occurrences as well as deliberate action by criminals and states) to cloud services and their supporting infrastructure.”
(Re)insurers need to accept the challenge of developing risk transfer solutions for cloud computing. The primary challenge for insurability arises through very complex supply chains where dependencies are hard to identify. The dominance of a small number of CSPs also presents the potential for concentration of exposure and a systemic risk. Insurers must pay close attention to understanding their aggregate risk exposure arising through dependence on cloud computing.
Regulators are stepping up their efforts to understand the cloud phenomenon, and increasing their scrutiny, but third-party dependency is the most challenging aspect of cyber security supervision. For regulators, there is concern that the increasing adoption of the cloud presents more uncertainty for risk management, especially on the nature of dependencies. One area of focus going forward could be a requirement for regulated entities to receive assurance of security and robustness standards from third-party providers.
We wish to acknowledge the contributions of the following organizations. The views expressed in this document do not necessarily reflect the policy of any organization.
- Bermuda Monetary Authority
- Carnegie Mellon University
- Connecticut Insurance Department
- DAC Beachcroft
- European Insurance and Occupational Pensions Authority
- Guy Carpenter
- Israel Ministry of Finance
- Israel National Cyber Directorate
- Munich Re
- New York State Department of Financial Services
- Prudential Regulation Authority, Bank of England
- Swiss Re
CyberCube delivers the world’s leading cyber risk analytics for the insurance industry. With best-in-class data access and advanced multidisciplinary analytics, the company’s Software-as-a-Service platform helps insurance companies make better decisions when underwriting cyber risk and managing cyber risk aggregation. CyberCube’s enterprise intelligence layer provides insights on millions of companies globally and includes modeling on over one thousand single points of technology failure.
The CyberCube platform was established in 2015 within Symantec and now operates as a standalone company exclusively focused on the (re)insurance industry, with access to an unparalleled ecosystem of data partners and backing from ForgePoint Capital, HSCM Bermuda, MTech Capital and individuals from Stone Point Capital. For more information, please visit www.cybcube.com or email firstname.lastname@example.org
About the Carnegie Endowment for International Peace
The Carnegie Endowment for International Peace is a unique global network of policy research centers in Russia, China, Europe, the Middle East, India, and the United States. Our mission, dating back more than a century, is to advance peace through analysis and development of fresh policy ideas and direct engagement and collaboration with decision makers in government, business, and civil society. Working together, our centers bring the inestimable benefit of multiple national viewpoints to bilateral, regional, and global issues. For more information, please visit www.carnegieendowment.org
Maya Krishna-Rogers, Senior Media Relations Coordinator, Carnegie Endowment for International Peace
If you're looking for more information on CyberCube or on how to collaborate with us, feel free to get in touch with me directly.
I'd be happy to help!