Cloud outages can result from a multitude of causes: software bugs, power failures, misconfigurations, resource exhaustion, and data center cooling issues. Cloud providers learn from each incident, accruing knowledge that can assist them in preventing future outages.
But cloud customers must manage the consequences of being cut off from their cloud-based operations in the interim. The longer an outage lasts, the more damage is done. A 2019 report from reinsurance company Guy Carpenter and cyber risk analytics platform CyberCube identifies cloud outages as among the costliest single points of failure likely to impact business.
Can those losses be accurately quantified? What recourse do companies have in recovering them? Are cloud providers vulnerable to lawsuits following outages?
The Cost of a Cloud Outage
Estimates of the cost of a cloud outage vary -- all sorts of variables come into play, from the industry affected to the size of the business:
- Cloud performance optimization company GlobalDots calculates the cost of downtime as $5,600 per minute for the average business.
- Insurer Parametrix estimates that costs can reach up to $9,000 per minute.
- A 2018 Lloyd’s report indicates that losses during a large outage will be concentrated among smaller businesses, which are not as well insured. They would likely assume 63% of the loss burden.
Despite these harrowing statistics, a 2017 report from Veritas estimates that fewer than one-quarter of UK companies have estimated the losses they might sustain during a cloud outage.
Considering that unplanned downtime costs 35% more per minute than planned downtime, according to Forrester research, companies that have not assessed their vulnerabilities are at substantially greater risk.
Determining losses for a specific company during a specific outage is complicated. Companies relying heavily on the cloud will likely suffer more losses than companies with a mix of cloud and on-premises operations. An outage affecting a small segment of cloud-based operations is going to be less expensive than an outage that cripples the entirety of a company’s operations in the cloud. The longer an outage lasts, the more losses will accrue. If the outage is related to a data breach, cloud customers could also face fines -- and other regulatory consequences for failure to do due diligence are likely on the horizon.
Then there are soft costs, which are more difficult to assess. Word of an outage travels on swift wings in the age of social media. Companies can easily lose both existing and prospective customers when it becomes clear that they are unable to provide seamless service, even for a brief period.
How to Structure Cloud Provider Agreements
Cloud service providers themselves are unlikely to cover any of the costs incurred as the result of an outage.
Industry standard service level agreements are remarkably restrictive, with most companies assuming little if any liability. Service credits are the most customers can typically expect to receive from cloud providers following downtime.
While some cloud providers have begun to secure their own insurance policies -- Google Cloud now offers its own cyber insurance add-on -- this is far from the norm.
“It’s worth asking cloud providers what sort of insurance they have as well, or reaching some sort of indemnification agreement,” says Cindy Jordano, a partner with insurance recovery law firm Cohen Ziffer Frenchman & McKenna.
Even if the providers do have insurance, the terms of those policies are unlikely to cover more than a fraction of the costs incurred by the clients.
“Negotiate how much risk is being held by the company and how much risk is being retained by the cloud service provider,” advises Michael Phillips, chief claims officer of cyber insurance company Resilience. “It's an unfortunate fact of life right now that many of the major cloud service providers are willing to accept none of the risk of their own failure.”
The public cloud is a multi-tenant environment, further complicating the issue of responsibility.
“Many cloud providers currently do not offer meaningful SLAs, arguing the application must meet the demands of multiple customers,” says Lisa Rovinsky, partner at full-service law firm Culhane Meadows. “I think this power structure will be changing as customers become more sophisticated and hybrid cloud solutions develop.”
This puts the onus on clients to ensure that their cloud agreements are as airtight as possible from the get-go. Boilerplate contracts are unlikely to offer even cursory protection, so customization is increasingly the name of the game. Customized contracts will almost certainly be more expensive on the front end but may save some money in the event of a costly outage.
“The service levels that are available to the cloud tend to be very high: 99.9% plus. For each hundredth of a percentage point of increased availability, the costs increase dramatically,” cautions Elizabeth Ebert, CIO advisory partner at IT consulting practice Infosys Consulting.
Still, wiggle room is negligible for all but a rarefied few. “There're probably fewer than a half dozen users of the cloud -- Netflix comes to mind -- that have enough market power to negotiate,” observes Joseph Williams, partner of cybersecurity strategy at Infosys Consulting.
Negotiations should include accountability for previous outages—and what was done to correct them. “The customer should also ask the cloud provider about any previous security problems or service interruptions it has had,” advises Rovinsky.
Insurance Coverage
In terms of insurance losses, Lloyd’s estimates that one of the top three providers going offline for three to six days might cost upwards of $14.7 billion. An October 2020 study by Marsh McClennan suggests that:
- Data loss due to failures by a single operating service provider might result in insured losses of up to $23.8 billion
- Large-scale data loss from a cloud service provider could cost up to $22.2 billion in insured losses
- A long-lasting cloud outage would cost $14.3 billion
- A ransomware attack at a major cloud provider would cost $11.5 billion
As a result, explicit cyber policies are increasingly a necessity. But even these policies don’t necessarily include cloud outage coverage -- or do so on a limited basis.
“If you want a specialist cyber policy, it's no secret that the market is hardened,” Phillips observes. “And the price has gone up over the last few quarters. This reflects an increasingly complex and expensive loss environment. Enterprises that are trying to buy a robust cyber policy should anticipate a much more complicated underwriting experience than they had a few years ago, and potentially a more expensive policy.”
There are, however, ways to cut costs. Evidence of data integrity and redundancy of cloud systems are appealing to insurers. Keeping scrupulous data inventories makes it less likely that unknown leaks will occur in the event of a cloud breach. And having multiple backups on different cloud servers substantially decreases the chances that data will be unrecoverable.
Taking these steps, relates Phillips, is going to put you “far ahead of some of the other potential buyers of cyber insurance. You're going to be a very attractive buyer.”
Further, suggests Jordano, policyholders need to “make sure that the policy covers not only breaches of their own computer systems, but breaches of a third-party network.”
Consider the Causes of the Outage
It’s also worth considering the multiple sources of a potential cloud outage. Ransomware, and other cyberattacks, are usually covered by typical cyber policies. But not all cloud outages are related to cybersecurity.
“Downtime and cybersecurity are two different things,” Neta Rozy, co-founder and CTO of downtime insurance company Parametrix, clarifies. “Cybersecurity [coverage] is more for cyberattacks. Downtime is something that is inevitable. We all live in a digital world. Data centers aren’t perfect.” Therefore, cyber policies are unlikely to provide coverage for cloud downtime caused by a power outage or software bug.
Rozy co-founded Parametrix to fill a gap in the market. The company built a proprietary system that monitors cloud and cloud application availability across data centers that exist for the public cloud. The data gathered by this system allows the company to calculate cloud risk and underwrite its policies. The company’s IP also allows it to eliminate the claims process typical in the world of insurance.
“We identify downtime, and then our customers actually don't have to go through a claims process because we know exactly what cloud is down or cloud services are down at that given time and how much they [customers] are covered for,” Rozy explains.
Cloud risk is broad. Customers can face data loss from ransomware or another form of cyberattack, and they can experience the fallout related to an outage with no relation to cybersecurity. This could mean businesses need to purchase more than one type of policy to provide adequate protection for the fallout of a cloud outage
Companies may also have the option of working reinsurance companies as a part of managing cloud risk.
“The new development is that [insurance] companies can work with Google to directly extract the quality of your cloud configuration and then customize a policy based on your best price,” according to Williams.
“A thousand flowers are going to bloom” in this space, predicts Phillips. He thinks that a range of products, from niche cloud insurance all the way to more comprehensive cyber coverage is likely to emerge in the near future.
For CIOs and other decision makers, selecting insurance for cloud outage coverage is a matter of determining risk tolerance and finding a policy, or policies, with a price that adequately addresses the agreed upon business risk.
Still, it’s worth noting, as did a recent GAO report on cyber insurance: Some systemic failures may be essentially uninsurable. Companies should plan accordingly.
What to Read Next:
Outage and Recovery: What Comes Next After AWS Disruption
Cloud Outage Fallout: Should You Brace for Future Disruption?
How to Architect for Resiliency in a Cloud Outages Reality