The digital supply chain is invisible. It operates in the background but is essential to the day-to-day functioning of most businesses. As data is increasingly transferred through extended global supply chains, and threat actors look to exploit vulnerabilities through single entry points, organisations need to manage and mitigate exposures in a fast-moving risk landscape.
Uptime and innovation are two things that don’t coexist. Innovation developed by humans comes at the expense of downtime.
Companies are already at 99.999% uptime, and anything higher than that would mean that they aren’t innovating, which is something that they must do in order to remain competitive.
This means there will always be new services, a new payment system, a new cloud service, and humans are part of these processes. Human error is the leading reason for downtime, so there is always going to be downtime, and insurers & insurtechs will always have a business.
Which vendors and events pose the biggest single point of failure risk?
The cloud services market is highly concentrated, with about two-thirds of global supply provided by three companies: Amazon Web Services, Microsoft Azure and Google Cloud Platform.
These companies tend to report only major disruptions to their services, yet hundreds of performance interruptions occurred in 2021 and 2022 at a monthly average of 25. In other words, the cloud goes down almost every day.
The drive for innovation in the hosting sector comes with trade-offs: it is difficult to maintain uninterrupted service when new technology is constantly being rolled out. Despite cloud providers’ investment in data centre resilience, downtime can occur due to an array or blend of issues around software, hardware and infrastructure.
Causes of critical cloud outage events
The most common reported cause of outages last year was human error, including misconfiguration and faulty maintenance activity.
This really matters as downtime can cause considerable financial and reputational damage to companies.
What are the main exposures for companies in the event of a major outage?
Companies should consider five main risks arising from a major outage. The two most obvious are financial and reputational risks. An outage can shut down critical sales channels at any time, preventing customers from initiating a purchase.
Some may come back to the affected brand, but others will seek an alternative and never try again, leading to current and future financial loss.
According to Corporate & Business Risks Radar, brand is at the centre of the reputational risk. Social media is fertile ground for sharing negative sentiment, and drives customers to look elsewhere for available services. Nearly 40% of small businesses have reported that they lost customers due to downtime.
Then there are legal, operational and fulfilment risks to consider. Legal risks can arise when contractual obligations are missed or when shareholders or regulators pursue action due to underperformance or lacklustre customer service.
Operational risks include lost productivity.
Most companies rely on the cloud for file use and management, communications, development and other key operational functions, meaning the internal costs from downtime, an idle workforce in particular, are considerable.
Finally, missed service level agreement thresholds present fulfilment risks. Many businesses are contractually obliged to provide certain services within a specific period, but may find fulfilment impossible in the event of an outage.
In combination, the risk in some circumstances can be large to catastrophic. We estimate that an outage on the U.S. east coast which lasted 24 hours could cause an insured loss of USD 10 billion.
Are certain sectors and geographies more exposed to outage risk?
Leading companies have begun to map and understand the potential effects of cloud outages on their businesses. Impacts vary dramatically depending on their profile. Technology companies that supply software, platforms or infrastructure as a service are particularly vulnerable because their core activities cease when cloud services are down.
Slightly less immediate, but no less severe, would be the outcome of a six-hour-plus outage to a major airline, where the interruption to various systems that facilitate flight would cause cancellations and severe delays, and could take more than a day to recover.
At the other end of the spectrum, companies that require less sophisticated technology to operate, such as manufacturers and traditional retailers, are unlikely to be as badly affected. Exceptionally extended outages may nevertheless have an impact on inventory management, which could lead to severe loss of revenue.
Geographical split of critical cloud outage events
The remainder of critical events were split evenly between Europe, Asia and the rest of the world. Put simply, cyber supply chain risk is something that companies operating in all sectors and geographies need to measure, manage and mitigate.
AUTHOR: Jonathan Hatzor – CEO at Parametrix Insurance