Measuring Business Interruption exposure of Ecommerce companies & CDNs

Introduction:

Last week I came across this news article , that a massive internet outage due to a technical glitch at Fastly (a Content Delivery Network company) caused a downtime of major global ecommerce, news and content streaming websites like Amazon, the New York Times, Quora, Reddit, PayPal, CNN, BBC.com, HBO and a few more. The internet outage was not due to a typical cyberattack as what is expected as the most probable risk exposure in today’s digital world. But the outage happened due to an internal technical glitch at Fastly – a service configuration that triggered disruptions across its POPs (points of presence) globally and disabled that configuration. Nonetheless, these ecommerce giants witnessed a business interruption unfortunately for close to an hour. But if we have a look into the list of companies that got impacted for that one hour of downtime and the global consumer or subscriber base that they hold, the average volume of traffic to the impacted servers during that one hour cannot be dismissed. There had been similar problems in the past when CDNs like Amazon Web Services, Verizon (2019) and Cloudfare (2020) were affected.

This disruption highlights the heavy lifting of internet infrastructure by the hands of a few companies known as CDNs. Outages with Content Delivery Networks highlight the growing ecosystem of complex and coupled components that are involved in delivering mission critical services by the ecommerce companies.

A few questions:

• How can we quantify the revenue loss when Netflix or HBO fail to stream content in a particular geography during a period when subscribers have been logged in?
• How can we quantify the revenue loss when Amazon goes down in a specific country and thousands of customers are in the middle of the buying process or on the verge of making a payment?

Insurance Needs of Ecommerce Businesses:

Before we try to understand what CDNs are and what role they play in the business of ecommerce companies, let us have a look at the possible insurance coverages that ecommerce companies should consider buying based upon their exposure to variety of risks in day-to-day business. Certainly, not everything about the risk aspect is completely different when it comes to comparing ecommerce and traditional brick and mortar companies. Unrestricted by geography and time, ecommerce companies have a global reach of customers base serving round the clock. It is the underlying technology infrastructure that makes the business model more fluid. But this increased reach increases the business’s liability as well.

Looking through a business architecture lens, both the models of business do have corporate offices with their own organizational hierarchy of management, stakeholders and employees. Based upon product or service offerings, both models have to maintain product manufacturing, distribution and warehouse facilities or service outlets. Both models will have their partner suppliers in the upstream side of the business ecosystem and target customers in the downstream for whom the product or services are offered. Additionally, for an ecommerce enterprise, its software and hardware infrastructure also constitute a significant amount of risk portfolio. So, with this enterprise ecosystem, the following insurance coverages will be broadly required by an ecommerce company -                      

1. General Liability Insurance                
2. Product Liability Insurance    
3. Liability due to Intellectual Property Infringement, invasion, or interference with rights of privacy  
4. Cyber Liability and Data Breach Insurance               
5. Technology Errors and Omissions Insurance                       
6. Employment Practices Liability Insurance                 
7. Commercial Crime Insurance            
8. Directors & Officers Insurance                      
9. Workers’ Compensation Insurance               
10. Cargo Insurance        
11. Business Interruption Insurance        

In the context of this POV, we will focus only on the aspect of Business Interruption Insurance needs of Ecommerce companies.

A Brief about Content Delivery Network

A Content Delivery Network (CDN) is a globally distributed network of web servers or Points of Presence (PoP) whose purpose is to provide faster content delivery. The content is replicated and stored throughout the CDN so the user can access the data that is stored at a location that is geographically closest to the user. This is different (and more efficient) than the traditional method of storing content on just one, central server.

CDNs are otherwise little-known Internet infrastructure companies that are very much important to the normal functioning of the web and even their isolated disruptions can bring huge parts of online life to a halt.

Why does online business need a CDN?

A client accesses a copy of the data near to the client, as opposed to all clients accessing the same central server, in order to avoid bottlenecks near that server. Placing servers closer to users allows to reduce the number of hops, latency and server response time. Thus, the content becomes locally available to end-clients and that improves their user experience and converts visitors into paying customers.

A content delivery network enables easy handling of a large number of users without the need to upgrade information technology infrastructure. A CDN can be set up without the need to re-architect the content provider’s infrastructure. It works well for all kinds of content—videos, images or static content. Furthermore, new-generation CDNs can be used to accelerate business applications as well. For more details on the purpose, you may read this.

Image source: gcorelabs.com        

With growing traffic of internet worldwide all popular content providers and web platforms with a large geographically distributed consumer base either build their own CDNs (which is expensive) or choose a third-party service (which is more profitable). Different businesses use CDN for different reasons.

Image source: globaldots.com/       

CDNs are among the several internet choke points that could have wide-ranging effects if something fails. Let us look into high level technology architecture of ecommerce companies. Here are the possible ways by which end users can be blocked from accessing the website.

Image source: The Washington Post

Failure at any of these points could be the result of malicious attacks. But it is equally or even more probable that the problems arise from accidents or technical issues. History says that such outages are bound to occur occasionally, but they would be rare and brief. Feedback of industry veterans say "In most cases, services are only affected for a short time, and data is easily retrievable. Far from being a cause of concern, it shows the resilience of the network that it can recover so quickly." Also, cloud providers build in redundancies for such events to give their users secure access to replicated copies of data. But as mentioned above the loss of revenue due to interruption or the need to penalize the liable party in the entire business ecosystem cannot be dismissed. So insurance needs to be there to cover the risk exposure.

Business Interruption Insurance for Content Provider and CDN:

A typical business interruption policy will cover payroll obligations, rent, losses in revenue, loan repayments, tax commitments, operating expenses and will even cover relocation, overtime, and staffing costs if there is an opportunity to move retail operation to a temporary location while regular location is out of order.

In the context of an e-commerce company, there are two types of business interruption insurance to consider. The first and most common type would be a traditional business interruption policy which is typically included within a standalone property policy or as part of a standalone business interruption policy. This coverage will provide income protection for a set period of time for cases where a business is forced to shut down or reduce its operations because of a covered event. The most common example would be a fire that destroys company’s office or warehouse.

The second type of policy is called electronic business interruption insurance and would likely be packaged into a cyber liability insurance policy. This coverage would respond, for example, when a company’s computer systems are hacked or compromised preventing the organization from selling its goods or services online. In this case, there is often a waiting period of between 1 and 10 days before the policy will kick in to begin indemnifying for any lost income until the compromised computer systems are restored. The big difference between this policy and the first one we described is that there is no time limit on how long the insurance will reimburse for lost income.

But other than a cyber-attack the second type of policy will also come into play in case of a technical failure. Due to technical failure or website crash if customer facing website is down for an extended period of time a business interruption policy will help cover many expenses that come with maintaining the business and keeping it afloat while there is no inflow of revenues. Business interruption caused will be covered by the Business Interruption policy or the underlying Business Interruption coverage of Commercial Property policy of the ecommerce company. But the real challenge will be how to calculate the revenue loss of an online seller. How is the daily payout decided in case of such interruption? Ideally this should be based upon average sales per unit hour or per 24 hours for a particular geography.

The business interruption formula can be summarized as follows.

BI = T x Q x V

where:

BI = business interruption

and:

T = the number of time units (hours, days) operations are shut down

Q = the quantity of goods normally produced, or sold, per unit of time used in T

V = the value of each unit of production, usually expressed in profit

For calculating business interruption due to website failure specific to a geography, the value of Q needs to be an average estimate of sales per unit of time for that specific geography.

• Failure on the CDN side - Business interruption caused due to failure at their end can be covered by a Liability Insurance which the CDN needs to purchase in order to cover such contingencies when they become liable for the revenue loss of the content provider or the ecommerce company. There can be compensation claims made by the ecommerce company. Liability for loss of service will probably be covered by the service level agreement with ecommerce companies of paid-for cloud services but the agreements will typically not cover all losses sustained. The loss amount will be defined as per the service level agreement between the content provider and the CDN.
• Failure on the ISP side - At the most basic level, the companies that control the physical pipes and wires of the Internet, like Verizon or AT&T, are also vital. Business interruption caused due to internet outages at their end can be covered by a Liability Insurance which should be purchased by the ISP to cover such contingencies when they become liable for the revenue loss of the ecommerce company. Since ISPs cater to vast range of ecommerce globally, the liability in case of failure can be humongous. Because a damage to the deep-sea cables can bring out global disruption of internet services and CDN, ecommerce will be badly hit.

Conclusion:

Content delivery networks are particularly difficult to replicate because their business model requires having physical data centers spread across several countries. Fastly itself has more than 50. Larger cloud companies like Google or Amazon, which store the bulk of the Internet, have fewer, but larger data warehouses. Even Amazon has used Fastly to speed up the rate at which its pages load.

But content delivery networks are not the only point where glitches or hacks could cause widespread meltdowns. Website-hosting companies like GoDaddy, Squarespace and Shopify also are major choke points. Cloud giants like Amazon, Google and Microsoft rarely go down, but when they do, the effect is wide-ranging.

The pandemic era has shifted the world of doing business more towards the web. With the ever-growing scale of ecommerce, the expectation is to have a robust scalability of infrastructure from CDNs as well as the Content Providers. But having a Business Interruption insurance coverage which is finely knitted to the business needs will always be a wise decision.