Swiss Re recently collaborated with research partner Carnegie Endowment and major cloud providers to address the challenges and risks associated with the concentration of cloud services. This collaboration resulted in the paper "Cloud Reassurance: A Framework to Enhance Resilience in the Cloud", which proposes actions to manage these risks and improve resilience, as well as risk visibility.

A decade ago, businesses were uncertain whether the expansion of cloud computing by tech giants like Google, Microsoft, and Amazon was just a passing trend or a lasting shift. The COVID-19 pandemic accelerated the adoption of cloud-based services as remote work and learning became the new norm. Today, companies worldwide have embraced the cloud in droves, recognising it as a vital component of successful digital transformation. And the growth of the cloud services market shows no signs of slowing down. In fact, Gartner predicts a staggering 20.4 percent increase this year alone, reaching a whopping USD 679 billion, with US hyperscale providers Microsoft Azure, Google Cloud Services, and Amazon Web Services controlling two-thirds of the market. 

The reliability and cost-effectiveness of centralised data storage and application services are key advantages compared to organisations operating their own infrastructure. This leads to improved resilience and cybersecurity, which may result in fewer losses for cyber insurers.

Understanding the accumulation risk

However, the concentration of services with three dominant providers has created new risks, which are relevant to the re/insurance industry. If the cloud services go down, the accumulation risk falls on the re/insurers offering commercial cyber insurance products. The cloud providers' liability remains limited.

It is only natural that the re/insurance industry has a vital interest in better understanding the accumulation risk of cloud services and implications of large events to their capital. So, when the Carnegie Endowment invited Swiss Re to participate in an inquiry about cloud risks with the three big cloud providers, our German competitor, academics, and tech leaders, we were eager to join.

Knowing that concentration risk in the cloud services market is growing every day, transparency about peak risks is crucial.
Stephan von Watzdorf, Head CoC Cyber

This resulted in the paper "Cloud Reassurance: A Framework to Enhance Resilience in the Cloud". It addresses the challenges and risks associated with the concentration of cloud services. It proposes actions to manage these risks, with a focus on resilience - the ability to anticipate, prepare for, reduce the impact of, and recover from hazards.

Resilience measures for digital services should involve both providers and users. In the case of cloud services, these measures address not only the resilience of the cloud itself but also the resilience of the customers in the cloud. The latter includes their decisions and practices in configuring their cloud connectivity and dependence.

There was an agreement among stakeholders that resilience measures should not stifle innovation, that cloud service providers (CSPs) have invested heavily in security practices and that attempts to eliminate all risks would be inefficient. However, residual risks remain and should be made transparent and addressed.

Resilience measures to increase trust in cloud services

To tackle these residual risks, a Cloud Resilience Framework has been proposed. This framework establishes essential policy commitments and outlines actions to enhance the resilience and trustworthiness of the cloud system. Implementing measures such as resilience testing and publicly demonstrating the effective resolution of identified shortfalls are crucial for increasing transparency and building trust in cloud services.

From the perspective of our industry, it is important to note that the Carnegie paper emphasises, and stakeholders recognise, the limitations of the information provided by cloud providers. Even though cloud providers adhere to international standards and share information, this only offers a limited understanding of how they and their customers would respond to a major, unexpected event. It is crucial for stakeholders to recognise this limitation to effectively assess and manage cloud risks.

Consequently, this lack of extensive visibility into the vulnerabilities of both CSPs and their customers makes it difficult for third parties to manage risks related to cloud operations – but they could still be affected by a disruption.

Visibility paramount to manage risk

The growing reliance on cloud services has altered the re/insurance risk profile to peak risks in the digital age. While the likelihood and magnitude of relatively small losses due to IT infrastructure outages may have decreased, the potential for the largest losses has increased due to aggregation and accumulation effects.  

Therefore, the joint effort with Carnegie represents a promising starting point for improving transparency and information sharing among key stakeholders. 

Knowing that concentration risk in the cloud services market is growing every day, transparency about peak risks is crucial for the re/insurance industry to meet the increasing demand for cyber insurance and help close the cyber protection gap.
