CyberFeature

Insuring the Cloud

Insuring the Cloud

By Michael G. Malloy

Parametric insurance is filling a gap to protect against web downtime

In the brave new world of the “metaverse” and online platforms that never sleep, businesses and individuals alike face the prospect of system crashes and outages that can lead to downtime for anywhere from a matter of hours to days or even weeks, potentially costing companies time, money, and customers.

“Downtime insurance covers digital businesses affected by business interruption losses caused by the downtime of their cloud providers,” said Laurent Sabatié, an actuary and co-founder and executive director at London-based Skyline Partners, a U.K.-based parametric specialist. The company enables brokers, agents, reinsurers, and affinity partners to differentiate with parametric solutions, providing them with capabilities and a catalogue of indexes and settlement technology to create and administer portfolios of parametric insurance products.

The Wall Street Journal reported early this year that Cisco Systems company ThousandEyes, which analyzes outages and downtime, noted that cloud outages increased by just 3% last year compared with 2020, although the number of outages lasting 30 minutes or longer nearly tripled.[1] ThousandEyes’ analysis of seven major outages in 2021 included big web players like Amazon Web Services (AWS), which had two of the seven, along with Facebook and Comcast, with outages lasting from 45 minutes to several hours or more.

AWS, the largest cloud-computing service provider in the U.S., had a 45-minute outage in December that affected several West Coast hubs at the start of the workday, according to ThousandEyes.[2] AWS had an even bigger outage in earlier that month—lasting more than an hour, the disruption caused user-impacting issues across several key services, including AWS Console, Amazon Prime Now, and Amazon Pharmacy, the ThousandEyes report stated. It also affected many services that rely on AWS, including devices such as Roomba and Ring, and hit big streaming services like Disney+ and Netflix.

Parametric concerns

According to the National Association of Insurance Commissioners, parametric insurance describes a type of insurance contract that insures a policyholder against the occurrence of a specific event by paying a set amount based on the magnitude of the event, as opposed to the magnitude of the losses in a traditional indemnity policy.[3] An example would be a policy that pays $100,000 if an earthquake with magnitude 5.0 or greater occurs. The amount of payment, the parameter, and a third party responsible for verifying that the parameter was triggered must all be specified in the contract.

According to Dallas-based software development company 7T, even with a track record of 99.99% uptime, the cost of that 0.01% of downtime can be tremendous.[4] The company a survey by Gartner revealed the following figures about the cost of IT downtime:[5]

  • The average per-minute cost is $5,600.
  • The cost per hour ranges from $140k to $540k, with $300k being the average.
  • 98% of companies estimated their per-hour downtime cost at $100k+.
  • 81% of companies estimated their per-hour downtime cost at $300k+.
  • 33% of companies estimated their per-hour downtime cost at $1 million to $5 million or more.

In the context of downtime and insuring the online world, one insurance executive called downtime insurance a complement to a cyber policy—one that bridges the gap between the two. There are some limitations within business interruption portions of cyber risk insurance policies, said Joe Weipert, a South Dakota-based senior vice president with ComTech-Leavitt Insurance Services. For example, cyber policies often have waiting periods of eight hours to as much as 24 hours or more for coverage to kick in, he said.

“It’s a risk management tool,” Weipert said. “For a lot of companies that rely heavily on the cloud, that could wipe them out in a few hours. This coverage is really intriguing to me because those companies that are heavily reliant on the cloud could have downtime, and it makes them vulnerable. This is a solution to protect them.”

He said that as companies evaluate their exposure, gaps in exposure are not always well understood. If a company is in a contract with AWS or another large cloud provider that experiences an outage resulting in downtime, “they’re not going to take care of it” in all cases because of contractual waivers, Weipert said.

“The challenging part is how do you get that information out to the client, when it’s difficult for them to understand what the exposure is, and then say, ‘Here’s a way to protect yourselves,’” he said. The idea for such coverage is “fantastic,” though he noted that the key is to “keep it as simple as can be,” adding that in the realm of the cyber world right now, there are a lot of companies that don’t fully understand their exposure, especially due to waiting periods.

For actuaries, “it’s a bit of a big unknown, simply because there’s not a lot of data out there on downtime,” Weipert said, adding that exposure events vary by time.

Downtime insurance, like cyber, “is still in its infancy, and the tail is catching up to the rest of the dog,” he said. “Where this goes is a bit unknown, so when you’re trying to understand where it’s going, there’s not a lot of raw data out there to determine if it will be a real problem, or could it be a steady, predictable model.

“It’s a great risk management tool—whether it sticks around, I’m not sure,” he said. “I think it will if it can survive through the marketing portion of it. There’s going to have to be some people who take some hits and have their coverage kick in to really show an example of why you need it.”

Parametrix fills a gap

The main player in the downtime insurance space is Parametrix, which formed about three years ago and is based out of New York and Tel Aviv, Israel. It insures companies with parametric insurance, which is triggered by cloud downtime, and has a one-hour waiting period, unlike the 12 hours or more that are often the standard in cyber or business interruption insurance plans.

“Parametrix essentially has created downtime insurance,” said Neta Rozy, the company’s co-founder and chief technology officer. “When the cloud or cloud applications go down, that’s a risk that businesses and enterprises can financially protect themselves against.”

The company has built a real-time system that monitors availability and performance of the cloud, and its technology allows it to recognize the moment that goes down, Rozy said, adding that most businesses rely heavily on the cloud—often one of their biggest expenses—and the size of the risk is only growing. The company is backed by several top reinsurers and by Lloyd’s of London.

Because there are different types of risks associated with technology, Rozy said that while cyber risk insurance covers damage from cyber incidents, such as hacking, downtime is often not due to a cyber incident—it can be caused by human error or service providers having issues unrelated to a hack or cyber attack. Downtime insurance covers damages from incidents for any reason, with human error being one of the most common. So cyber and downtime insurance, while related, are two different categories, she said.

“Our downtime insurance is parametric, which means it essentially has no claims process and can cover intangible damages as well,” Rozy said. “Downtime doesn’t often have a receipt attached to it—sometimes it is things that are harder to put a number on, like brand recognition that wouldn’t be covered under traditional insurance.”

While the company started about three years ago, its database goes back about 10 years, said Rozy and Parametrix Vice President, Insurance Product & Actuarial Daniel Benjamin, who is an actuary.

“There is a lot of data that this is based on,” said Benjamin, who is originally from Canada. “As in any [actuarial] area there’s judgment, and possibly a bit more than pricing auto or personal property insurance. … For example, the technology has changed over the past 10 years of experience and there are potential extreme events that we haven’t seen, so there is judgment there in applying traditional technical actuarial techniques,” he said.

“We’ve created monitoring systems that monitor the clouds directly and on a global level,” Rozy added. “This is proprietary data to Parametrix that the pricing is based on, so it’s actually much more granular analytics and models … because they’re based on real-tech data that we’ve generated.”

Companies were moving to the cloud even before COVID-19 started two-plus years ago, but there was an acceleration during the pandemic because many companies accustomed to working in their local environment had to figure out how to allow for more working from home, and a lot of that was via third-party services, Rozy said.

“The cloud is built out of many data centers,” she said, adding that with multiple data centers involved, there’s the potential for a growing number of outages. The growing use of “metaverse” experiences also factors into downtime questions, with metaverse service providers at risk of having downtime for their users, she added.

“If we’re talking about the metaverse, these risks are not going away but are increasing,” Rozy said. “We say that downtime is inevitable. It’s a matter of how a company manages its risk in general—if they want to retain that risk on their balance sheet, or find a way to export that. As more companies adopt third-party services, we’re going to see that risk only growing. … Today, the biggest asset for any tech company is their digital asset and that’s definitely something that needs to be insured.”

She added that availability of a product and cloud downtime risks are noted on most companies’ 10-K financial disclosure forms. “The reason we were able to produce this is because of the technology we created,” she said. “We gathered data no one else had that’s targeted for insurance purposes, that actuaries need in order to be able to define and price this sort of product.”

Parametrix offers coverage which is specific to the technology platform, Benjamin said—an approach that would require, in the context of the metaverse for example, providing insurance which explicitly focuses on and names the components on to be insured.

The company’s four actuaries do a lot more than traditional actuarial work, Benjamin said—they work with product design, and engineering and business teams, to essentially create a new insurance product.

“It started from product design, especially because it’s parametric insurance,” he said. “The payout is a formula, so it’s tied up with insurance losses from a certain event. When constructing a policy design, it’s also about finding a precise wording that’s going to describe what the policy will pay out. We did have lawyers review that and keep us honest, but the first design was usually done by actuaries.”

The actuaries work with the company’s engineers to convert technical data and technology into what translates into insured events under contracts, and converted data into an understanding of how that triggers insurance and how the data is interpreted. Actuaries do traditional pricing work as well as stochastic modeling of the risk, Benjamin said.

“Probably the most interesting aspect of the actuarial work is the stochastic modeling,” he said. “We’ve developed a model that’s the basis for taking our technology to the insurance and capital market, to help carriers who take the risk for our product to manage that risk. I’m surprised in the three years since we started how much actuarial work has been done here.”

Case studies

A case study by Lloyd’s stated that Parametrix’s business interruption policy covers companies when business-critical, cloud-based services go down, noting that such events often lead to a loss of access to third-party services such as cloud computing and storage. “The ability to manage and offset the cost of downtime risk is vital for many small and medium companies reliant upon cloud-based services for sales, customer service and many other critical operational functions,” the case study said.[6]

Skyline’s Sabatié said his company has several parametric products globally—including protecting farmers in Jamaica from extreme weather events, and dairy farmers in Europe from cattle losses due to heat stress—and is also looking at cyber parametric products more widely. Skyline has a cyber data provider and a London-based managing general agent to launch an index-based product covering the intangible losses of publicly listed companies as a result of cyber perils, he said.

The NAIC noted the utilization of parametric insurance triggers provides faster liquidity, and cited as an example the Caribbean Catastrophe Risk Insurance Facility, a catastrophe fund primarily for Caribbean governments that insures against hurricanes and earthquakes, which was developed in 2007, is supported by multiple governments, and has paid out almost $250 million to 16 Caribbean governments since then.[7]

Asked about actuarial aspects of parametric insurance, “The dynamic nature of cyber makes this exercise very difficult,” Sabatié said. “Pricing-wise, I am not sure how much time they have had and how they are assessing frequencies. There are also systemic aggregations by design, due to the limited number of cloud providers potentially causing large-loss aggregations for carriers to monitor carefully.”

Carriers—and actuaries. Because as this product line develops from its infancy, it’s reassuring to know that actuaries are being involved throughout the lifecycle.

MICHAEL G. MALLOY is managing editor for member content at the Academy.

References

[1] “Startup Sells Insurance Coverage for Cloud Outages,” The Wall Street Journal, Jan. 27, 2022

[2] “Seven Outages That Shook Up 2021,” Thousand Eyes, Jan. 6, 2022

[3] “Parametric Disaster Insurance,” NAIC, updated Feb. 24, 2022

[4] “Does Your Business Need Cloud Downtime Insurance to Protect from Losses?” 7T

[5] “The Cost of Downtime,” Gartner, July 2014

[6] Parametrix case study, Lloyds Lab, 2022

[7] https://www.ccrif.org

print
Next article Our Resilience
Previous article Workers' Comp and Opioids—Time for a Checkup

Related posts