On February 28, 2017 Amazon Web Services’ Simple Storage Service (S3) sustained an outage that began at approximately 9:40 am PST, and lasted more than four hours. The outage, which Amazon characterized as “high error rates,” affected a data center in Virginia that hosted data for thousands of websites. Companies that depend on S3 to keep their online presence and business activities up and running undoubtedly suffered disruption and financial losses. The cause of the outage hasn’t been reported yet.
Cyber insurance underwriters probably are having some anxious moments over this. Why would they be worried? An event like this can create multiple insured losses.
A company whose site is compromised may sustain business interruption losses. Those losses are insurable, though surprisingly few companies buy the coverage. A company that does purchase network business interruption coverage will be able to recover certain expenses incurred and the net profit lost during that part of the outage that takes place after the expiration of the waiting period specified in the policy. Very few policies have a waiting period short enough that any losses resulting from the S3 outage would be covered. The story would have been much different had the outage lasted longer.
Companies that use S3 may also face claims by their customers and clients that indirectly depend on S3 servers being operational. Those claims should be covered under a good cyber policy.
The S3 outage will concern cyber insurers even if it doesn’t produce significant insured losses. Insurers can profitably underwrite companies for losses that they alone sustain. It is far more difficult to be profitable if the insurer covers multiple companies for loss arising from a single event like this. A large and sophisticated service like Amazon S3 may be “designed to deliver 99.999999999% durability,” but the 0.000000001% event can be catastrophic. The aggregation of risk created by the increasing use of cloud computing providers is a difficult problem that cyber insurers spend a lot of time trying to understand and assess. It will be interesting to see whether this event affects the way cyber risks are underwritten in the future.