In a strategic collaboration, global reinsurer Swiss Re has joined forces with research partner Carnegie Endowment and major cloud providers to address and mitigate the risks associated with the concentration of cloud services.
This partnership has produced the paper “Cloud Reassurance: A Framework to Enhance Resilience in the Cloud,” focusing on actions to manage risks and bolster resilience in the ever-expanding cloud services market.
The re/insurance industry, recognising the vital role of cloud services in today’s digital landscape, has actively engaged in understanding the accumulation risk posed by the concentration of services with dominant providers like Google, Microsoft, and Amazon.
With the pandemic accelerating the adoption of cloud-based services due to the shift towards remote work and learning, companies worldwide have embraced the cloud as a key component of successful digital transformation.
The concentration of services with a few major providers, however, brings forth new risks, especially for re/insurers offering commercial cyber insurance products. If the cloud services experience disruptions, the accumulation risk falls squarely on the shoulders of these insurers, while the liability of the cloud providers remains limited.
Swiss Re’s involvement in an inquiry about cloud risks, alongside competitors, academics, and tech leaders, underscores the industry’s keen interest in understanding the implications of large events on their capital.
The resulting “Cloud Reassurance” paper emphasises a Cloud Resilience Framework, focusing on actions to anticipate, prepare for, reduce the impact of, and recover from hazards associated with cloud services.
Crucially, the framework highlights the need for transparency about peak risks, given the growing concentration risk in the cloud services market. Resilience measures for digital services, as outlined in the framework, involve both providers and users, addressing not only the resilience of the cloud itself but also the decisions and practices of customers in the cloud.
Acknowledging that attempts to eliminate all risks would be inefficient, stakeholders agree that resilience measures should not stifle innovation. Despite heavy investments by cloud service providers (CSPs) in security practices, residual risks remain, requiring transparent identification and resolution.
The proposed Cloud Resilience Framework establishes essential policy commitments and actions to enhance the resilience and trustworthiness of the cloud system.
It emphasises measures such as resilience testing and publicly demonstrating the effective resolution of identified shortfalls to increase transparency and build trust in cloud services.
From the re/insurance industry’s perspective, the Carnegie paper emphasises the limitations of information provided by cloud providers. Despite adherence to international standards and information sharing, there remains a limited understanding of how both CSPs and their customers would respond to major, unexpected events. This recognition is crucial for stakeholders to effectively assess and manage cloud risks.
The lack of extensive visibility into vulnerabilities of both CSPs and their customers poses challenges for third parties in managing risks related to cloud operations, despite their potential vulnerability to disruptions.
As the re/insurance industry faces altered risk profiles in the digital age, the joint effort with Carnegie marks a promising starting point for improving transparency and information sharing among key stakeholders.
With concentration risk in the cloud services market growing daily, transparency about peak risks becomes crucial for the re/insurance industry to meet the increasing demand for cyber insurance and contribute to closing the cyber protection gap.
