July 23, 2024

Weathering the cyber storm: KYND helps navigate vendor accumulation risk

By KYND

Last week’s IT outage, caused by a routine CrowdStrike update, impacted millions of Microsoft devices and disrupted sectors like healthcare, media, and aviation, with an estimated global financial impact of $5-$9 billion. This incident serves as a stark reminder of the importance of understanding and monitoring third-party accumulation risk and its potential impact on portfolios of organisations.


CrowdStrike has reported that the bug has been fixed, but that for many devices, it may take ‘some time’ to recover. Organisations, in general, should see this as a wake-up call to update and properly test their business continuity and disaster risk recovery plans. Too often, these plans exist in theory, but they have rarely or never been properly simulated. Even fewer will include a scenario where the entire organisation’s network was “bricked” and every device needed manual intervention to recover.

(Those with impacted devices should follow CrowdStrike’s advice.)

How this impacts insurers and financial services

If there is one immediate takeaway from the CrowdStrike incident, it’s that vendor accumulation risk now needs to be taken very seriously by insurers and portfolio managers. Organisations like CrowdStrike have become so embedded in everyday business functions that their failures reverberate across the entire global economic system, affecting tens of millions of companies worldwide.

Accumulation risk can arise from several scenarios, including a single vendor being used by a significant proportion of a portfolio of organisations, having vendors concentrated in one geographic location, or experiencing fourth-party concentration, where third-party vendors themselves depend on a single organisation.

It’s also crucial to realise that not all vendors are equally critical, and distinguishing between them based on their importance to business operations is essential. A vendor failure that has the potential to cripple the operations of its customers deserves special attention.

Given this context, here are three points to consider:

  1. Assess exposure to accumulation risks: Granular infrastructure risk accumulation data, such as KYND’s, helps you identify and understand the specific vendor and service provider risk exposure that exists within your portfolio of insureds or organisations within your investment portfolio.

  2. Review the criticality of the most prevalent vendors and service providers: Identify the critical vendors – meaning, those providing core functions to an organisation or having privileged access to an organisation's infrastructure or data.

  3. Conduct granular and tailored deterministic scenario analysis: Create bespoke scenarios to explore the ramifications of potential outages that take account of vendor or service provider criticality. For example, what would happen if a particular service or technology vendor went down, or if a specific service was disrupted in a specific cloud data centre? And what if those outages lasted for a range of time periods?


How we have been supporting our customers since the event

On the morning of Friday 19th, as soon as we became aware of the CrowdStrike incident, we began to analyse the level of exposure to the incident within our underwriter and financial services client portfolios. By the end of day on the 19th, this critical information had been shared with all of our underwriter and portfolio management clients. We’ll continue to support them as they explore the more complex implications of the event.


Advancing vendor accumulation risk management with the right data

Our insurer and financial services clients here at KYND are increasingly seeking support from us to better understand their portfolio exposure to various vendors and granular accumulation events, beyond the recent CrowdStrike incident. While such massive outages are rare, they are not unprecedented.

The global ripple effect from last week’s incident illustrates the extensive interconnectivity throughout the supply chain and the associated accumulation risk. To stay ahead of this, insurers and portfolio managers need reliable and accurate data to pinpoint concentration risk in their portfolio organisations' vendors, including cloud service providers, connected IT systems, and third-party relationships.

If you would like to learn more about how KYND’s industry-leading cyber risk analysis can help you understand your portfolio’s exposure to vendor-specific risks and support your future accumulation risk modelling needs, then get in touch with our experts today.
