Beyond Hurricanes: The 4th Party Side of Cyber Aggregate Risk

On August 24, 1992, Hurricane Andrew devastated South Florida and Louisiana, leaving a trail of destruction in its path. The estimated payout from insurance claims totaled $15.5 billion ($26.4 billion in 2015 dollars). Due to the overwhelming number of claims filed, 11 insurance companies went bankrupt and some reports show that if the path of the storm had directly crossed Miami, the entire insurance industry could have collapsed. As a result of the massive tragedy, the insurance industry restructured their approach to risk modeling and began to focus on aggregate risk.

Adapting to New Risks

To ensure their success, insurance companies began to monitor whether a common set of threats affected a large portion of their portfolio of businesses. This type of aggregate risk modeling has helped insurance groups to anticipate the amount of capital they need to cover their insureds’ claims in case there is a major disruption. The extreme impact of natural disasters has become clear as it relates to property insurance, but another threat has come to the forefront of many risk modeling discussions: data breaches. According to the Identity Theft Resource Center (ITRC), there were 781 data breaches in 2015, which represents the second-highest number of breaches since the organization began tracking breaches ten years ago. As breaches become more common, should insurance companies focus on addressing these increasingly disruptive cyber threats? To answer this question, consider the Target breach from 2013 that led to CEO Gregg Steinhafel stepping down from his role, the company losing more than $162 million, and numerous class action lawsuits. The effects of the breach could have been more disastrous for Target, but the company received the full $90 million in coverage it had for the breach. In another example of the increasing importance of cyber policies, consider Home Depot, which experienced a data breach in 2014 and had a reported $105 million in cyber insurance to cover breaches. As more companies file claims after cyber attacks, the financial burden could become excessive for insurance groups, especially if a single breach impacts multiple organizations in the same portfolio.

Identifying Common Threats

Aggregate risk management enables insurance companies to withstand the impact of a single data breach or an outage on their portfolio of businesses. However, the challenge is understanding which businesses in a portfolio are most susceptible to these threats. Are insurance groups analyzing whether companies across different industries depend on a specific group of service providers, especially those which experience an outage or a breach? This fourth party (subcontractor) dependency could increase as organizations adopt a cloud strategy or migrate to digital systems. For example, the Cloud Security Alliance (CSA) has found that 61 percent of financial institutions are developing a cloud strategy. With this evolution in mind, companies should use a systematic, objective, and accurate way of identifying fourth party (subcontractor) dependencies across their portfolio. Without visibility into this level of risk, an insurance company could be jeopardized if there is any type of large disruption affecting its insureds.

What’s Next?

As organizations in the business portfolio and their business associates use the same set of service providers, single points of failure are a legitimate cause of concern. Consider that on October 15, 2015, UltraDNS experienced a technical issue that led to a widely publicized outage, which brought down websites for Netflix, Expedia, and many others for over an hour. Outages like these demonstrate the ripple effect felt across multiple industries as a result of a fourth party disruption. Insurance companies can stay ahead of this threat by continuously monitoring their portfolio of businesses and identifying their connections to service providers. Data from our upcoming BitSight Insights will shed light on the connections that exist between various organizations to help identify the value of fourth party risk management and aggregate risk modeling.