At the core of cloud risk accumulation monitoring by Parametrix are “risk aggregation points.” These denote single cloud regions or groups of regions which are used and relied upon by multiple companies in a portfolio, in this case, the Fortune 500. When a specific cloud region experiences an outage, all the companies that rely on that region are exposed to the possibility of financial loss. 

‍

Loss experience and its severity for individual companies depend on fortune, timing, disaster recovery plans, and multi-region provision redundancy. When a group of cloud regions experiences an outage, even companies that have implemented cloud provision redundancy may be exposed to financial loss. Measuring exposure to key aggregation points is the prism through which accumulation to cloud exposure can and should be measured.

‍

‍

Parametrix identified 15 key aggregation points with the most accumulation for our analysis of the Fortune 500. All points were evaluated under three different cloud outage scenarios of 24, 36, and 48 hours’ duration respectively. The majority of the key aggregation points are US-based, but several European aggregations are included because of the international nature of some Fortune 500 companies. Because GCP is used predominantly by small and medium-sized entities, none of its regions are featured among the 15 aggregation points.

‍

‍

A selected sample of key aggregation points shows the large variation between results among loss scenarios, which range from $200 million to $20.2 billion. It illustrates the difference between straightforward aggregation of exposure by the number of region users within the Fortune 500, and the modeled financial loss for specific scenarios. 

‍

‍

To determine the latter, Parametrix considered the sensitivity of each company’s profit to cloud outage, the pace at which loss would be incurred, and factors such as annual revenue. Some sector-based variables are also considered, including the nature of the sector’s cloud use and the extent of its cloud reliance.

‍

‍

This comprehensive analysis of risk aggregation also incorporates “nested exposure” for aggregation points which combine multiple cloud regions. This accounts for the impacts accruing to companies with cloud-region usage that matches the aggregation point, and further considers sub-aggregation points which are subsets of (nested in) the aggregation point within the aggregation point. This approach allows for better assessment of accumulations when all cloud regions in the aggregation point experience a simultaneous outage.

‍

‍

_______

‍

Next time: Cloud Outage and the Fortune 500: Loss Scenarios

‍

Parametrix’s analysis on the Fortune 500 provides a snapshot of cloud usage, and insights into navigating the landscape of cyber systemic risk. This post is the fourth in a series about identifying dependencies, monitoring performance, and managing accumulation. You can read more about it in the Parametrix report revealing the Fortune 500’s exposure to cloud downtime among the three major providers - Amazon Web Services, Google Cloud, and Microsoft Azure.