Cloud Cover

How frequent or serious are cloud outages?

Almost every week with our monitoring services we see at least three or four events, but the severity of the events is very important to understand. It could be events that are very short, and it can be events that affect services that are not very important. When we define a severe event, we look into the duration of the event but also the service that went down. Some services are not mission-critical, but losing others like storage and computer services can really hurt clients. We’ve seen a lower frequency—usually once a month or two times a month—of events that really affect customers.

What is the cost of cloud downtime overall?

The cost of downtime or cloud outages is huge. It’s been estimated to be around $700 billion every year.

How much of that is covered by cyber or other insurance?

That’s a very important question. What we really see now in the contingent business interruption component of cyber policies are thresholds, waiting periods and exclusions, and things that are really creating a situation that is pretty bad for the clients but also pretty bad for the risk taker…. Carriers are very much exposed to the larger events, and they are taking the systemic risk, the bad risk, and not really getting the premium for that. On the other end, clients experience outages that could cause massive damages for their businesses, and they’re not covered for those services.…We identified this gap in the market that clients are willing to pay more premium and get more compensation that covers them for the outages that really happen.

Can you tell us about some of your own claims resulting from outages?

A few weeks ago, one of our clients, a cloud security company, and one of the leading ones, had an outage, and obviously when they go down, they can’t provide the service. As a security company, when they go down, they need to notify their clients; it’s very important for their customers to know they’re not being protected. We notified them, and after a couple of days we transferred the funds. But the motivation is not just getting compensated in case of outages. With this specific client, we are really helping them to gain more business—day-to-day that you can communicate to your clients that you have this coverage, and in the event that things do go south you have this safety net. A pretty big event happened late in January. Microsoft Azure, the world’s second-largest cloud service provider, went down for about two and a half hours. Thousands of businesses were affected in multiple regions. We identified the event immediately, and our cloud monitoring system triggered coverage. There was a pretty big event back in December 2021, which was a chance to stress-test our model. We managed to handle many clients at the same time, which is very important for us to really fulfill our promise when things go down.

Major insurers are increasingly concerned about the potential for widespread cloud outages at the dominant providers. What’s behind that?

They really need to be concerned. In the last couple of years, the acceleration of cyber (insurance) adoption has been pretty massive. It’s not just that more companies are depending on those (cloud) services, but also the book of the cyber providers has become very big. Now, the accumulation of that systemic risk that they have on their books is pretty big, and it’s not clear that they can really manage it on the scale that they have right now. Instead of leaning toward the risk and trying to quantify the risk, we see carriers pulling back and increasing waiting periods or capping the coverage to 72 hours, for example, or just excluding it completely from some cyber policies. We are not escaping from the accumulation. When we started Parametrix, we knew that this was a very important component in our product—that we need to manage the accumulation. We need to quantify the accumulation and provide and create technology tools not to avoid accumulation but to take the right risk based on a few factors, including the cloud infrastructure of the business to be insured, the coverage structure including policy limits, and overall it being a good risk to absorb in our portfolio. I encourage the whole industry to lean toward the risk and really understand it.

What trends are you seeing?

The gap in the insurance market is just getting bigger, with waiting periods getting longer, more exclusions, and restricted use of funds for specific losses—which don’t include customer compensation. It’s very important for brokers to communicate to clients exactly where they have a gap in their cyber coverages, what type of solutions can mitigate those gaps, and exactly how much coverage they have. The carriers are shying away from the risk. I think it’s the opposite direction that they need to go. All of the systemic risks that they are experiencing are because they are dependent on historical data—things that happened in the past. As a new type of coverage and a more tech savvy company, we look at the present. We have the capability to monitor the risk, adapt the model to the risk that we see on a day-to-day basis, and we open our doors to more carriers to partner with us to offer this type of coverage.

Can you tell us about the monitoring service?

We serve more as a monitoring company that provides insurance than an insurance company that provides monitoring capabilities. All of our data, all of our capabilities are based on our monitoring services. It’s also the trigger for our policies. Our monitoring services detect outages down to the millisecond level. And once events have been detected, we notify our clients.

What are the main damages from outages?

Obviously, it can be revenue loss. If they’re doing web transactions, if they go down, they have immediate loss. We are insuring trading operations and travel and flight-booking marketplaces. We’re insuring airlines. If there is an outage event, all of them are losing revenue. They also have a huge component of customer compensation. This is a very important damage that is not covered by other policies. For some businesses that provide software, the majority of the risk and the loss will be service-level agreement liabilities. They promise to fulfill a specific percentage of up time, and if for any reason they are not able to, they need to compensate their clients. There can be penalties as well. A very important value that we provide to our clients is the use of funds. One of the reasons for loss is customers’ compensation, and traditional insurance doesn’t allow [policyholders] to use insurance funds to compensate customers. For some companies, [customer compensation] is 90% of the damage. With the parametric approach, once the policy is triggered, they know exactly how much they are going to get, and they can use the funds to compensate clients for any operation loss, revenue loss, everything they can think of, including service-level agreement liabilities.

Where does parametric coverage fit in for cyber outages?

For the clients, the key value point that we provide is that everything we do is completely transparent, so they know exactly how much money they are going to get in the case of an outage. We work with the client’s brokers to determine how much money the client is going to need in case of an outage, per hour. We have customers who have seasonality, they need more coverage in specific months or even specific hours or a specific amount for a specific event. Clients in the gambling industry, for the Super Bowl, may secure a very big and large coverage, but for the rest of the year, they need much lower coverage. This is how we can adjust our coverage to the clients’ needs. Also, it’s very important for our clients to know exactly how much money they are going to get and to get it fast. We are insuring public companies that need to get compensation in the same quarter, otherwise it’s going to hurt their quarterly report, and all of them mention this type of risk in their 10-K reports. Our approach is everything is pre-agreed, everything is clear. We can treat the customer very quickly, give them the compensation. On our side, we can quantify the risk, and we know how much we are exposed every given minute, what’s our appetite, how we can extend and create a more stable pool, what direction we need to take the book. Using the parametric model, we have the ability to address a large number of clients experiencing an outage at the same time. What’s going to happen to a big carrier if there is a huge outage of one of the most used cloud regions of more than 12 hours and they have thousands of customers that file claims? How are they going to handle that? There’s not enough TPAs in the U.S. to provide the right claims process.