Business interruption risk is undoubtedly one of the biggest concerns facing both individual organizations and the cyber insurance industry as a whole, but Parametrix has chosen to manage this risk with a unique parametric insurance product.
The Supply and Value Chain – Redefined
Some veterans in the insurance industry may remember that, in the past, supply chains depended on brick-and-mortar banks, safety deposit boxes, and special security protocols for delivering cash to bank branches. But as digital platforms have increasingly replaced these processes and reliance on IT has grown, supply chain risks have shifted from bank branch and transportation security to the digital landscape. Today, if digital payment functionality fails, a business is inoperable for the duration of the outage.
“91% of the businesses increased their cloud usage during the pandemic”
In addition, this shift to digital has also meant that the value chain has evolved. A modern business today is likely to rely on several third-party service providers to serve its customers – service-hosting on Google Cloud, Facebook for marketing and authentication, Salesforce for customer relationship management, and so on. Each of these third parties generates revenue for the businesses that use them, by enabling that business to run as efficiently and smoothly as possible.
This creates a long chain of influence – if one third party suffers an outage, the knock-on economic effect on today’s value chain can be far-reaching. In 2021, the total spend on cloud-based services reached $400 billion; the value generated by this spending in revenues must be astoundingly higher.
Cloud downtime is the fastest growing risk for businesses
A growing dependency on rented, cloud data services such as Azure or Google (rather than in-house, self-built data centers) has correlated with increasing incidents of large-scale outage events worldwide.
Watch the recording of Haran’s Masterclass for a breakdown of the more recent outage events that have been reported in the news.
What downtime means for customers
Given the extent and frequency of these outages, many of these cloud service customers have recognized the risk of outage and the impact it could have on their business – including unplanned service disruption or unforeseen costs which could result in material harm to operations. The risk of third-party claims due to these outages is also huge. For example, Azure serves 95% of the Fortune 500 companies – the damage of a Microsoft service outage could be immense.
What insurers are doing about Dependent Business Interruption Loss
Insurers typically term this risk ‘dependent business interruption loss’ or ‘continuous business interruption’. This covers loss sustained by the insured due to a dependent security breach. In other words, this loss could arise following a cyber attack that impacts a third party or a dependent system failure during the policy period. The loss itself could include income loss, the net profit that is lost, fixed costs that were consumed during the outage period, or a combination of all of these.
Typically, however, insurers will seek to limit the coverage to the extent that such operating access must necessarily continue during the period of resources – in other words, a business with employees should consider sending those employees home until the outage has ended. There will be other limiting factors – short outages (up to 12 hours), for example, will normally be excluded. This year, some insurers have extended this coverage to 48 hours or have added additional carve-outs to their policies, making it even harder for affected insureds to bring a claim.
There will also typically be some exclusions, such as legal costs and third-party liabilities. This means that the compensation available is still limited, should an insured be able to bring a claim.
The Origins of Parametric Insurance
The answer to this problem, as Haran has discovered at Parametrix, is parametric insurance policies. Parametric insurance models were originally designed to deal with catastrophic events and weather events, such as earthquakes and hurricanes. In this respect, it was quite clear that parametric events needed a very clear index and a very clear triggering event. In other words: was there, or wasn’t there, an earthquake above a certain force, rather than was there, or wasn’t there, damage? Once such parameters were defined, insurers could pay the insured a pre-agreed sum. Therefore, parametric insurance models depend largely on clear triggers, indexes, and pay-out structures.
Parametric insurance for cloud downtime
Parametric insurance for cyber outages will depend on close monitoring of cloud-based services around the world. To tackle this, Parametrix has therefore developed its own technology to operate alongside its parametric policies, installing 250 monitoring stations in various data centers around the globe, conducting more than 700 million tests with 50,000 different metrics to produce accurate reports on the performance of these service providers.
How parametric insurance policies for IT outages are issued
Haran outlined some key steps to issuing a policy:
- Define the pre-agreed coverage (how much compensation will be due to the insured per hour of downtime) according to the insured’s IT architecture.
- Set clear trigger events that would constitute a cloud outage.
- When the first two steps are fulfilled, the insured receives compensation on a relatively automatic basis, usually within 15 working days, according to the pre-defined payout structure.
Watch the recording of the Masterclass for a simulation of the Parametrix product. Sharon Haran leads the participants through a full demo of the parametric insurance product which they employ, including how any adjustments are made.
The data generated from the Parametrix monitoring system suggests that some service providers are more reliable than others. Therefore, parametric insurance providers like Parametrix differentiate in pricing between different regions and different providers. Due to the extensive monitoring and testing carried out by Parametrix, there is no coverage today for the more frequent attritional cases of an outage. Therefore, quite often, there is a very transparent determination of the insurance payout once the threshold is met. This provides certainty to both the insurer and the insured, cuts out the need to negotiate, and spares the insured from navigating any restrictions on how the compensation payment is used.
The key point to remember about applying parametric insurance models to cyber risk is that business interruption due to a third-party IT outage is one of the fastest growing risks faced by any organization, and it must be addressed swiftly. Cyber insurance professionals should familiarise themselves with parametric models, as these can support the flexible use of funds and provide a straightforward clearing process that eliminates the hassle for both insurers and insureds.