1 Here, the term “remediation” refers to actions taken beyond restoring service functionality. This could involve, for instance, providing to affected parties financial or in-kind compensation for damages, assurances that the incident has been fully addressed, and taking other actions aimed at remedying the harms caused by an incident and resuming regular operations.
2 Recognizing that the largest insurance payout for a single event, Hurricane Katrina, amounted to $41 billion, and that the cost of a massive outage to a hyperscale cloud provider could possibly be measured in the trillions, it is unlikely that the insurance industry could bear the economic costs of such an outage. See: Robert P. Hartwig and Claire Wilkinson, Hurricane Katrina: The Five Year Anniversary (New York, NY: Insurance Information Institute, July 2010), https://www.iii.org/sites/default/files/1007Katrina5Anniversary.pdf.
3 Here, the term “remediation” refers to actions taken beyond restoring service functionality. This could involve, for instance, providing to affected parties financial or in-kind compensation for damages, assurances that the incident has been fully addressed, and taking other actions aimed at remedying the harms caused by an incident and resuming regular operations.
4 With a 2020 report by Allianz Global Corporate & Specialty noting that cyber claims have grown steadily both in terms of their number and complexity, as threat vectors continuously evolve with the rise of ransomware and nation-state sponsored attacks, as well as “mega” data breaches and drivers of business interruptions. This trend has been exacerbated by the shift to remote work and digitization prompted by the COVID-19 pandemic. See: Allianz Global Corporate & Specialty, Managing the impact of increasing interconnectivity: Trends in cyber risk (Munich, Germany: Allianz SE, March 2021), https://www.agcs.allianz.com/news-and-insights/reports/cyber-risk-trends-2020.html.
5 For example, in the case of the US, Congress enacted into law the Terrorism Risk Insurance Act, which created a backstop for insurance providers against large-scale, catastrophic losses arising from terrorism-related attacks, outside of the scope of war. Prior to this, insurance companies often used the “war exclusion” in their policies to avoid covering the claims that may arise from terrorist-related acts. See: Jon Bateman, War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions (Washington, DC: Carnegie Endowment for International Peace, October 2020), https://carnegieendowment.org/2020/10/05/war-terrorism-and-catastrophe-in-cyber-insurance-understanding-and-reforming-exclusions-pub-82819 and Aaron Klein and Scott R. Anderson, “A federal backstop for insuring against cyberattacks?” Brookings Institution, September 27, 2019, https://www.brookings.edu/blog/techtank/2019/09/27/a-federal-backstop-for-insuring-against-cyberattacks/.
6 For example, enabling insurers to connect data to the underwriting process, streamlining applications, and facilitating the continuous monitoring of enterprise insurance customers’ security posture over time. See: Larry Dignan, “Google Cloud, Allianz, Munich Re team up on cyber insurance program,” ZDNet, March 2, 2021, https://www.zdnet.com/article/google-cloud-allianz-munich-re-team-up-on-cyber-insurance-program/.
7 With Accenture arguing that online service providers such as Google and Amazon may be better suited to respond the increasing “switching risk” by insurance customers, as technology providers are better positioned to develop more personalized services and innovate in pricing strategies (with 35 percent of respondents to their survey expressing that they would be comfortable with insurance providers accessing their behavioral information in exchange for reduced policy costs). See: Erik J. Sandquist, “Prospering in the switching economy,” Accenture, n.d., https://insuranceblog.accenture.com/prospering-in-the-switching-economy.