The recent CrowdStrike outage highlighted the critical importance of robust insurance coverage for IT downtime. The fall-out serves as a useful case study in systemic cyber risk and its management – a topic that Parametrix co-founder and CEO, Jonathan Hatzor, is fascinated by. Launched six years ago, Parametrix creates cutting-edge tools and models that enable companies, insurers, and reinsurers to quantify, manage and transfer their exposure to cloud outage risk with unparalleled accuracy. CIR caught up with Jonathan to talk about how the changing face of cyber insurance, and how Parametrix is making waves in the market.
Your own analysis of the impact on Fortune 500 companies of the recent CrowdStrike outage shows that, while the incident is significant and likely the largest cumulative event in cyber insurance history, it was not the worst. As organisations rely increasingly on the cloud, how are insurers responding to the risk?
It varies. Insurers want to give their clients the protection they need, but many fear a cyber catastrophe, so some exclude risks like a sustained cloud outage under even significant cyber protection programmes. We did some work a while back that showed that 93% of cloud outages lasting between two and 12 hours were uninsured under conventional cyber policies. Few adequately cover dependent business interruption losses arising from problems that someone else in the digital supply chain might be having. We have dedicated outage products, and take-up is increasing, but we still see a big coverage gap.
When the relevant cover – dependent non-damage BI cover – is granted under non-specialist cyber policies, or sometimes as silent cyber risk under property market BI, the insurers rightly fear accumulation risk. It’s a genuine concern.
Our data, which we have collected for more than five years now, shows that the ‘everything-goes-down-globally’ scenario is not realistic, but a big event could still be very much worse than CrowdStrike. Insurers are looking for reinsurance to protect their book, and we’re working with our partners to solve that challenge, which will help them offer protection to their corporate clients.
Insurers are good at helping companies understand and avoid risk. In business, continuity is definitely better than interruption, even if the interruption is followed by an insurance claim that’s paid fast. We hope our analysis helps businesses and their insurance brokers understand the exposures, and avoid the losses to begin with.
While the primary sources of systemic cyber risk may be service providers, recent Parametrix analysis shows that accumulation risk is avoidable to a degree as the impact varies greatly among different industries and segments. How might this finding change the cyber reinsurance landscape moving forward, and, in turn, the primary market for cyber?
It could mean that some carriers are willing to offer more total cyber limit that includes potentially systemic cloud risks. But the key words in your question are “to a degree”. Diversification cannot eliminate catastrophe risk. However, it can help reinsurers understand and reduce systemic exposures within their very large portfolios, which can allow them to ease reinsurance coverage restrictions and exclusions. That in turn can widen the coverage available to insurance buyers.
On a different note, understanding cyber risk more completely – especially at the level of industry sectors and segments – is a big benefit of the work we have done. It can help companies better understand their own potential exposures, and their severity, so they can make informed, risk-based decisions. They might want to invest in service provider redundancy, for example. Or they may develop other operational procedures that allow business to carry on in the absence of digital services.
We’ve seen businesses grind to a halt because a cloud outage has taken down their employee scheduling system. If that’s a risk, they need a contingency plan. After all, they probably have a legacy system, perhaps involving paper, that did that job well enough a few years back. If they know the risk is real, and see its potential severity, they can keep the knowledge of that old analogue system alive, and bring it out when necessary.
You recently announced your support of Hannover Re’s first ever parametric cat bond, to mitigate losses arising from sustained cloud outage risk. What other cyber ILS transactions are in the pipeline?
Nothing I can say too much about, unfortunately, although the Hannover Re ILS specifically was always intended to be a pilot for a larger protection. But we see that many insurers and reinsurers particularly are interested in getting a better understanding of the accumulations of cloud risk that could be amassing in their portfolio. We’ve got the tools to measure that.
Of course, once an accumulation is uncovered, the prudent action is to transfer it away, or alleviate it in some other way. There’s appetite in the ILS market for the risk, and also in conventional reinsurance markets. ILS investors and conventional capacity are both attracted to the risk when the analytics are right, so I expect to see more coming.
But protection isn’t just for risk carriers. Large corporations that are heavily reliant on the digital supply chain, such as online retailers or airlines, can look at the cost of building redundancy into their digital supply, versus the cost of insurance, and will usually find that a mix of both is prudent.
What’s next for Parametrix?
This year we launched Parametrix Analytics, which utilises our accumulated knowledge of digital supply chain performance, our portfolio analysis tool, Infrasight, and other technologies we’ve developed, to help people understand cloud risk accumulation.
We found unexpected demand for our modelling service, which helps insurance companies understand the cyber risks that are accumulating in their portfolios, to structure coverages, and to assess reserves.
On the insurance side, we’ve got exciting things in the pipeline, including a new product coming up for small and medium-sized enterprises to protect them against cloud downtime.
We’re also looking at a reinsurance product with several of our backers, which would go hand-in-hand with our analytics service. We have some new broker partnerships, too, which allow us to bring our insurance products to companies almost anywhere in the world.
This article was published in the Q3 2024 issue of CIR Magazine.
View as PDF
Contact the editor
Printed Copy:
Would you also like to receive CIR Magazine in print?
Data Use:
We will also send you our free daily email newsletters and other relevant communications, which you can opt out of at any time. Thank you.
YOU MIGHT ALSO LIKE