‘What If’ Cloud Disaster Scenarios: Risks and Damages
Like over-reliance on a single food source (potatoes, Ireland, 1845) or a single energy source (OPEC oil, United States and other industrialized countries, 1973), the rapidly growing global adoption of public cloud services platforms carries with it risk – risk with the potential to cause at least temporary operational havoc for cloud users, their customers and cloud service providers, along with substantial financial losses.
Looked at closely, as Lloyd’s of London has done in a study released today ("Cloud Down - Impacts on the US Economy"), the prospect of public cloud service provider failure and the financial impact on 12.4 million businesses in the U.S. compels our interest with the same morbid fascination as a disaster movie. According to Lloyd’s and catastrophe modeling software developer AIR Worldwide, with which Lloyd’s partnered on the study, a cyber incident that takes a top-three cloud provider offline in the U.S. for three to six days would result in ground-up losses (that’s insurance industry jargon for “total loss”) of between $5.3 and $19 billion, and between $1.1 and $3.5 billion in insured losses. A cyber incident of the same duration that takes offline a cloud provider with between the 10th and 15th highest market share in the U.S. would result in ground-up losses of between $300 million and $1.5 billion and between $40 million and $300 million in industry insured losses.
These numbers don’t include the damage to cloud providers’ reputations that could result in companies reverting to more of an on-premises IT operations strategy.
“This reliance on a relatively small number of companies has resulted in systemic risk for businesses using their services,” the study stated. “In the event of sustained downtime of a top cloud service provider, simultaneous damage for all its clients and dependents could lead to catastrophic financial losses.”
Not surprisingly, of the 12.4 million American companies potentially impacted by a cloud outage, particularly hard hit would be Fortune 1000 companies, according to Lloyd’s, which would carry 38 percent of the total losses and 46 percent of the insured losses.
“Smaller companies might be more likely to use the cloud in order to avoid building the business infrastructure in-house,” stated the study’s authors, “but the insurance take-up is low compared to the Fortune 1000 companies. In the event of sustained downtime of a top cloud service provider, simultaneous damage for all its clients and dependents could lead to catastrophic financial losses.”
Due to their heavy reliance on cloud services, industries that would sustain the biggest losses, the study concluded, are manufacturing, resulting in $4.2-$8.5 billion of direct losses, followed by $1.4-$3.5 billion for the wholesale and retail trade industry.
The impact of this potential vulnerability will only grow as U.S. companies increase their adoption of cloud computing. The study cites 2016 research from McKinsey & Company showing that, as of 2015, 77 percent of global companies used traditionally built (i.e., on-premises) IT infrastructure as the primary environment for at least one workload; this is forecast to drop to 43 percent as of this year. While only about 25 percent of companies in 2015 used public infrastructure as a service as the primary environment for at least one workload, that percentage is expected to rise to 37 percent this year, according to McKinsey.
Lloyd’s said the report’s results are based on failures among the top 15 cloud providers in the US, which account for a 70 percent market share. To be sure, the report examines the impacts and aftermaths of disruptions to a cloud service provider in the US, “leaving all their clients with no access to the information technology services their businesses rely on.” While there are multiple ways a cloud service provider could be taken down (e.g. DDoS attack plus malware plus theft; or environmental, accidental or structural), the study is agnostic regarding causes of downtime.