Not-quite-CAT: Exploring Aggregate Cyber Risk in SaaS Providers & VPNs

Much has been made about the opportunity for a “cyber catastrophe” or cyber CAT event. Modeling these potential events — for which we have yet to see a real-world example — has gotten quite a bit more sophisticated in the past few years, to the benefit of everyone operating in the insurance space. In these exercises, focus commonly lands on software-as-a-service (SaaS) vendors, including major players such as Microsoft 365, Salesforce, and ADP — technologies that are likely used by significant percentages of organizations in a cyber underwriter’s overall book of business. 

But as we continue our journey towards a more comprehensive approach to risk aggregation, we shouldn’t turn a blind eye to less-universal SaaS solutions. An attack on a SaaS provider that serves a particular industry might not meet the definition of a true cyber CAT, but it’s arguably a greater concern, given that these events are actually quite common.

Industry Concentration of SaaS Solutions

Household names like Google and Microsoft garner attention in discussions of aggregated cyber risk due to their broad market prevalence. However, their huge scale also means these vendors can make world-leading investments in cyber defense, and that their systems are highly distributed, meaning there are fewer truly high-leverage targets. In reality, the SaaS providers that have made headlines for falling victim to ransomware have been industry-specific solutions, such as PrismHR and Allscripts. 

In those real-life examples, ransomware-related outages led to business interruption for downstream customers. Think delayed payroll processing — or a halt to key IT functions for doctors’ offices, as we saw in the attack on Allscripts. Data exposure (where customer data is stolen and exposed in a breach) or supply-chain attacks (where malware infecting SaaS providers leads to secondary infections for customers) are other threats we consider when thinking about the aggregate risk of SaaS products. 

So how do we predict and account for these very real possibilities?

What the Data Tells Us

One way to frame the issue is to look at which industries have high concentrations of vendors. In one analysis, we looked at eight industries: auto dealers, financial firms, schools, municipal governments, membership groups, medical services, accounting and collections firms, and law firms. For each of these industries, we identified SaaS providers that are found only among its constituent companies — and not in any other industry. 

The standouts from our data: The largest number of unique SaaS solutions were found in schools, with a total of 26. With that many options in the market, there’s not a terribly high degree of concentration. No school-specific SaaS solution has more than 10% of organizations in that industry as its customers. On the other end of the spectrum, for the legal and accounting industries we located just five unique SaaS providers each. 

By looking at both the market share of the single largest provider in each industry as well as the combined market share of the top five vendors in each industry (“concentration ratio”), we saw considerable variety. The natural assumption might be that the industries with more options in the market would have less concentration, but that's not always the case.

If there are four different grocery stores in your neighborhood, they’d probably be less crowded than if you only had one — unless, of course, there’s a grocery store with a sale going on, or better produce options, or a really good hot bar selection. In fact, the latter scenario seems to be the case here. The number of options available isn’t a primary factor in the concentration: industries with more unique providers are also generally more likely to have high concentration, with one or few dominant players. 

Our hypothesis on this counterintuitive result? It likely depends on where the industry stands in their journey of digitization — and relatedly, the level of need for SaaS tools there is in the first place. Schools and municipalities, for example, are still in the middle stage of an innovation cycle, so there are lots of new SaaS entrants to meet the new market demand, while at the same time a few major players have established dominance. In fields like legal and accounting, there may simply not be a significant need for SaaS-based, industry-specific tools at all, which leads to low concentration despite the small number of options. 

These snapshots show the opportunity available if you look beyond the “hurricane” and dig into aggregations of risk that can manifest in different ways. If you only focused your aggregation analysis on the largest SaaS providers, you might miss industry specific segments where the risk of vendor-caused ransomware could have a significant impact.

Putting the Findings to Work: A Framework for Third-party Risk  

If we have an idea of areas where we foresee concentrations of risk, the question becomes how to make these actionable for either underwriting (risk selection) or risk mitigation purposes. We employ the data we collect from our in-house cyber scan to better understand smaller-scale systemic risk.

The Corvus Data Science team put together the following framework to measure the risk of both large and small-scale aggregation events: 

• Using data and security expert opinions, we determine which technologies in our book have an elevated level of correlated risk.

  • Technologies could include groups of SaaS vendors.

• Once we choose a technology with correlated risk, we determine the causes that can impact it.

  • There is a high chance no event occurs, but if it does, the most impactful are the least likely. 

For example, our Data Science team used this framework to measure the risk that different VPNs posed to different companies, and by extension, the risk to our book of business. Our model calculates the loss potential for each VPN, and helps us determine the cost required to cover those losses in a worst-case scenario.

By looking at technologies or characteristics that contribute disproportionately to the total loss potential, we can be more aware of where risk lies in our book composition. 

To further improve our framework, we are working to incorporate expert opinions and additional data to build the event space for technologies like VPNs and SaaS. At Corvus, we plan to dedicate more time in this space as understanding it is critical to achieving better security recommendations and pricing for our policyholders.

This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.