At approximately 11am in the UK on June 8, Fastly, one of the world’s leading content delivery network (CDN) providers, experienced unplanned downtime, taking down large swaths of the global public Internet, including some of the world’s most popular websites.
Fastly outage is another wake-up call for cyber (re)insurers
Since the outage, Fastly has issued a statement claiming it has made a full recovery and most affected websites are now back online and running at near full functionality. Although the outage only lasted 49 minutes (according to Fastly) and is unlikely to trigger catastrophic losses, the event is yet another wake-up call to (re)insurers that large-scale cyber loss events that impact thousands of companies and millions of users at the same time are indeed possible. The incident also illustrates the increasingly complex, cumbersome, and highly concentrated nature of the global public Internet.
Fastly’s outage further underscores the importance for (re)insurers to invest in solutions for modeling cyber attacks on Single Point of Failure (SPoF) technologies that can lead to catastrophic losses, and in solutions that allow them to map the specific SPoFs that their insureds rely on for critical workflows.
Image courtesy of downdetector.com, showing the impact of the Fastly outage on popular websites.
Long-lasting CDN provider outages are catastrophic cyber events
Outages at major CDN providers, like Fastly, that last several hours or more could lead to lost revenue for thousands of companies that depend on online revenue streams. While the Fastly outage lasted less than one hour, a malicious attack on a major CDN provider like Fastly, such as a ransomware attack on key data centers, may not be as easy or quick to fix. This should have (re)insurers asking themselves if they understand their exposure when it comes to modeling the financial impact of CDN provider outages with longer durations.
Portfolio Manager includes a wide range of possible cyber events across 29 catastrophic cyber scenario classes, among them long-lasting outages at leading CDN providers, including Fastly.
In the CyberCube CDN outage scenario, an organized cyber criminal group infiltrates the data centers of a major CDN provider, encrypting central data repositories, causing thousands of websites of customers around the globe to have reduced bandwidth for several hours.
Image courtesy of downdetector.com, showing the volume of Fastly outages reported over time.
As we discussed in a recent report, a SPoF is the targeted entity in a digital supply chain for a given attack scenario that has multiple dependent and interconnected entities. Note: the SPoF in a given attack scenario may or may not itself be present in a (re)insurer’s portfolio.
Fastly is one of several leading CDN providers that offer website and application hosting services enabling large enterprises to deliver online content to millions of users at the same time. CDNs operate cloud computing infrastructure in multiple locations around the world so that users can download content conveniently from servers closest to them rather than wait for a central server to provision content from far away. Servers that are far away can result in latency.
CyberCube’s SPoF Intelligence tool can help (re)insurers identify insureds that are reliant on CDN providers, including insureds that rely specifically on Fastly.
In the sample analysis above, 1,006 insureds are dependent on Fastly for CDN services.
Using SPoF Intelligence we can also map the global footprint for long-lasting attacks and outages. For example, the heat map below represents an industry vs. region breakdown of companies that we know to be using Fastly as their CDN provider. A darker shade of blue indicates the industries and regions more dependent on Fastly to deliver content. The heat map shows that the industries most impacted by Fastly’s outage are: Arts & Entertainment, Education, Non-Profit, and Information Technology in North America.
Each square in the heat map above represents the ratio of all companies in the specific industry-region segment that use Fastly, vs. all companies in that segment.
Redundant CDN technologies can help limit business interruption losses
Large enterprises that rely on CDN providers to deliver revenue-generating websites and applications ought to have redundant content hosting technologies. Companies that have a redundant CDN provider can continue at least some level of online content operations in the event that one CDN provider goes down.
CyberCube’s underwriting solution, Account Manager, enables underwriters to identify the technologies that an insured is dependent on, including the existence of multiple CDN providers. This data is also available in CyberCube’s SPoF Intelligence tool, which allows users to see an insured’s CDN dependencies and potential redundancies across a portfolio of risks.
Companies impacted by the Fastly outage included online media giants such as the New York Times.
Note: Having multiple CDN providers does not necessarily mean perfect resilience. When one CDN provider is down, another one does not instantly start to serve content in its place. Most of the time, CDN providers will serve different types of content (e.g. images vs. videos) and/or serve content to different geographic regions.
Nevertheless, multiple CDNs mean that if two different CDN providers are addressing different regions, the company utilizing those providers will have greater resilience as content is still being delivered to at least one region, therefore limiting the scope of business interruption.
Account Manager also includes the cyber risk signal, Redundant Hosting Technologies, which enables underwriters to assess a company’s level of resilience in the face of attacks and outages impacting CDN providers, cloud providers, and domain name system (DNS) providers.
CDN-dependent companies can sustain a range of network outage costs
Enterprises relying on CDN and other technology services can sustain a range of Network Outage costs. Contingent business interruption, data restoration, investigation and response costs, as well as potential third-party liability from second-order dependent companies may arise as a result of a network outage.
CyberCube’s Broking Manager features an event type distribution of loss, surfacing the loss potential a company may face for a range of Network Outage related incidents such as a CDN provider outage.
Broking Manager helps brokers and the insurance buyer understand and demonstrate different loss events and their associated insurance coverage agreements and costs.
The chart above depicts a variety of loss event amounts that a generic company may sustain should it experience a network outage event, including experiencing a CDN provider outage.
At the 99th percentile, the chart shows that 1% of network outage losses may be more severe than ~$27 million for this sample company. Should this company sustain a ~$27 million network outage loss, the relative breakdown of costs may come from ~$3.9 million in investigation and response costs, ~$5 million in digital asset or data restoration related costs, ~$13 million in contingent business interruption costs, and ~$4.7 million in associated legal liability costs.
Expect more SPoF cyber attacks and outages in 2021
Fastly is only the latest alarm bell to sound a warning to (re)insurers of the cyber risk inherent in SPoF technologies and companies. Following recent cyber attacks on SPoFs including (but not limited to) SolarWinds, Microsoft Exchange, and Colonial Pipeline, it should now be abundantly clear to (re)insurers that SPoF cyber attacks with catastrophic scope are increasingly possible.
CyberCube expects to see a range of cyber threat actors including criminal ransomware operators and their affiliates, as well as nation-state sponsored actors targeting SPoF technologies and companies in 2021. All insurance industry stakeholders ought to remain vigilant and prepare themselves to adequately assess SPoF-related cyber security risks.