Cyber Risk Accumulation in Underwriting: Single Vendor Dependencies, Cloud Concentration, and Portfolio Controls

Accumulation risk in traditional lines of insurance is dominated by physical proximity and correlated natural perils. A fire spreads through an industrial estate. A cyclone damages properties along a coastline. A flood affects a river basin. Underwriters have centuries of loss experience to quantify these accumulations and reasonable confidence that an event in Chennai will not directly cause a loss in Chandigarh. The portfolio management tools (geographic concentration limits, probable maximum loss analysis, catastrophe reinsurance) are mature.

Cyber insurance breaks this pattern. A single incident can simultaneously trigger losses across policyholders in entirely unrelated industries, geographies, and business profiles. The shared exposure is not physical location but technology dependency. When AWS ap-south-1 experienced a major disruption in the incident of June 2024, losses occurred simultaneously for Indian e-commerce companies in Bengaluru, fintech firms in Mumbai, logistics operators in Delhi, and SaaS providers headquartered in Hyderabad. The total industry exposure was not bounded by geography or industry sector. It was bounded by the set of policyholders whose operations depended on that specific cloud region.

The CrowdStrike incident of July 2024 illustrated a different accumulation vector. A single software update from a cybersecurity vendor affected an estimated 8.5 million Windows devices worldwide. In India, the incident disrupted airline check-ins, hospital systems, banking operations, and broadcast services. Policyholders across every industry sector experienced business interruption simultaneously, not because they were attacked but because they all relied on a common endpoint protection tool. The insurance industry's post-event analysis suggested that a fully insured CrowdStrike-class event could produce global insured losses in the range of USD 5 to 10 billion, with the Indian share estimated at USD 150 to 300 million across a market that wrote approximately INR 700 crore in cyber premium for FY2024-25.

These incidents have moved cyber accumulation from an academic discussion to a concrete underwriting constraint for every Indian cyber insurer. The market is growing rapidly, with gross written cyber premium expected to cross INR 1,500 crore by FY2025-26, but the accumulation risk is scaling faster than the premium. Without explicit portfolio controls and reinsurance support, individual insurers can accumulate net exposures that would threaten their solvency in a single systemic event.

A practical cyber accumulation framework identifies specific systemic risks, each with its own exposure signature and control requirements.

Hyperscaler cloud outages are the most prominent category. AWS ap-south-1 (Mumbai) and ap-south-2 (Hyderabad), Azure Central India and South India, and Google Cloud Platform asia-south1 (Mumbai) and asia-south2 (Delhi) collectively host an estimated 60 to 70% of Indian enterprise workloads. A regional outage affecting any of these providers produces simultaneous losses for every dependent policyholder. The exposure signature is concentrated: relatively few cloud providers, clear geographic mapping to availability zones, and documentable dependency through customer technology stack disclosures. Aggregation tools can quantify this exposure directly if the insurer collects vendor and region information during underwriting.

Mass software incidents, of which CrowdStrike is the archetype, affect any device running a specific software version. The exposure signature is different from cloud outages because the affected population is not bounded by geography. Any policyholder using the affected software is exposed regardless of where they operate. The underwriting challenge is that policyholders often do not know which endpoint protection, EDR, or management software they run; the information is held by IT and may not surface during the underwriting application.

MSP (managed service provider) attacks use a service provider as an entry point to propagate ransomware or other attacks across multiple end customers. The 2021 Kaseya incident is the canonical example, where attackers exploited the Kaseya VSA platform to deploy ransomware across approximately 1,500 downstream customers simultaneously. Indian exposure to this vector includes customers of large IT service providers, regional MSPs, and specialised managed security service providers. Indian insurers increasingly require MSP disclosure during underwriting to measure this accumulation.

DNS and CDN failures affect a specific slice of internet infrastructure. A Cloudflare, Akamai, or Fastly outage can render dependent websites and applications unavailable simultaneously. The 2021 Fastly outage brought down major Indian news sites, e-commerce platforms, and government services for approximately an hour. Loss severity per affected policyholder is usually lower than a cloud outage (typically minutes to hours of downtime versus hours to days) but the affected population can be very broad.

SaaS platform incidents affect users of specific business applications. Microsoft 365, Salesforce, Workday, and SAP SuccessFactors each have Indian customer bases large enough that a multi-hour outage produces measurable aggregated losses. The underwriting signal for SaaS dependency is stronger than for endpoint software because SaaS platforms are typically procured at the business level and visible to financial and operational leadership.

Regional ISP outages affect geographic clusters of policyholders, bringing cyber accumulation back into partial alignment with traditional geographic accumulation. Jio, Airtel, BSNL, and VI disruptions affect the subset of policyholders relying on those specific providers for primary or backup connectivity. The accumulation is partially mitigated by redundant connectivity, but many SMEs and mid-market enterprises operate with single-provider connectivity as a cost decision.

Translating systemic risks into portfolio metrics requires the insurer to measure exposure along several dimensions simultaneously.

Single-vendor concentration measures the aggregate exposure to any individual technology provider. For each material vendor (cloud providers, EDR vendors, DNS and CDN providers, major SaaS providers, MSPs), the insurer calculates the total sum insured and expected maximum loss across all policyholders dependent on that vendor. Concentration limits are then set as a percentage of the portfolio's gross written premium, net retention, or reinsurance-adjusted exposure. Indian insurers with mature cyber portfolios typically set per-vendor concentration limits at 25 to 40% of the line's net retention for the top three cloud providers and 10 to 20% for other named vendors.

Technology stack overlap measures the aggregate exposure to combinations of vendors. A policyholder using AWS ap-south-1 plus CrowdStrike plus Microsoft 365 has a different accumulation profile than one using Azure Central India plus SentinelOne plus Google Workspace. Event scenarios that affect specific combinations require stack-level aggregation rather than single-vendor aggregation. The data requirements are significant because a 10-vendor grid produces 100 pairwise combinations and 1,000 triplet combinations, each of which may or may not correspond to a plausible event.

Geographic clustering measures exposure concentrated in specific physical regions or specific cloud availability zones. While cyber accumulation is primarily non-geographic, certain events (regional ISP outages, physical damage to data centres, localised cyber attacks on municipal infrastructure) do have geographic correlation. Indian insurers typically track exposure by cloud region (ap-south-1, ap-south-2, Central India, South India), by Indian metro cluster (Mumbai, Delhi NCR, Bengaluru, Hyderabad, Chennai, Pune), and by backbone connectivity corridor.

Temporal accumulation measures how exposure changes over a policy period. A cyber portfolio written entirely in the first half of the year has different accumulation timing than one written evenly across the year. For multi-policy events, the timing matters because some events produce rolling claim activity over weeks or months rather than a single-moment trigger. Insurers track both instantaneous and rolling accumulation to manage liquidity as well as solvency.

Net exposure versus gross exposure is the final distinction. Gross exposure includes all written business; net exposure reflects reinsurance structure. For systemic events, reinsurance recoveries can be slow (complex event attribution, contested coverage), and some reinsurance structures exclude specific systemic perils. Indian insurers distinguish between gross accumulation (used for underwriting authority decisions) and net accumulation (used for solvency and capital planning), recognising that the two can diverge materially for systemic cyber events.

Quantifying cyber accumulation requires exposure modelling tools that go beyond traditional actuarial approaches. The market has produced a handful of specialised platforms, each with different methodologies and coverage.

CyberCube, a San Francisco-based specialist founded in 2018, offers the most widely adopted cyber accumulation platform. Its Portfolio Manager product ingests insurer portfolio data and produces exposure metrics for major systemic scenarios including cloud outages, mass ransomware events, and critical software failures. CyberCube maintains a scenario library covering the most prominent threats and publishes periodic threat intelligence updates. Indian deployments are growing, with at least three Indian insurers using CyberCube as part of their cyber underwriting infrastructure by mid-2025.

Guidewire Cyence is the cyber analytics product within Guidewire, a dominant policy administration platform vendor. Cyence provides scenario modelling for systemic cyber events and integrates with the broader Guidewire platform used by several large insurers globally. Its India footprint is smaller than CyberCube's but growing through Guidewire's overall Indian market presence.

Aon Cyber Quantified is developed by the Aon broker group and focuses on quantifying cyber risk for both insureds and insurers. It is used more on the brokerage side for placement support than as a primary underwriting tool but provides a reference quantification for complex placements.

Sompo SRE (Sompo International's specialist cyber risk evaluation tool) and Munich Re's internal cyber accumulation tools are used for their own portfolios and are influential for treaty discussions with Indian cedants. Reinsurer models often set the benchmark for what accumulation metrics Indian insurers must report to secure treaty capacity.

Kovrr, an Israeli-founded firm with operations in Europe and North America, provides cyber risk quantification with a focus on scenario-based modelling and ongoing threat intelligence. Kovrr is used at several insurers for scenario testing of systemic events.

The data requirements across these tools are converging. Each platform requires portfolio-level data including policyholder industry, revenue band, geographic location, IT technology stack (cloud providers, EDR vendors, SaaS platforms, MSPs), security posture indicators, and coverage details (limits, retentions, sublimits, exclusions). The quality of the output depends on the completeness and accuracy of the input data, which places pressure on the underwriting application process to collect this information reliably.

Portfolio accumulation is managed through a combination of underwriting controls applied at the individual policy level and portfolio-level aggregation management.

Mandatory vendor disclosure in the cyber insurance application is now standard practice at every material Indian cyber insurer. Applications ask for the primary cloud provider and region, the EDR and endpoint protection tools, the primary DNS and CDN services, the major SaaS platforms, the MSP or managed security service provider relationships, and the backup and disaster recovery architecture. Applications that are materially incomplete are either deferred or priced with a loading to reflect the information uncertainty. Some insurers have moved to structured application formats with drop-down selections of named vendors to ensure data consistency across the portfolio.

Systemic event exclusions are a second control. Many cyber policies now include specific exclusions for widespread cyber events affecting multiple insureds, broad outages of critical infrastructure, or acts of war including state-sponsored cyber operations. The Lloyd's market's 2023 revision of war exclusion language (LMA5564, LMA5565, LMA5566, LMA5567) has influenced Indian policy wordings, with many Indian insurers adopting similar state-sponsored and catastrophic event exclusions. These exclusions transfer specific systemic risks out of the coverage scope and therefore out of the insurer's accumulation.

Scenario-based retentions and sub-limits are a more specific control. Rather than excluding systemic events entirely, some policies provide reduced sub-limits for specific scenarios (for example, INR 50 lakh sub-limit for losses arising from cloud service provider outages, within an overall INR 5 crore policy limit) and heightened retentions (for example, 24-hour time deductible for business interruption from third-party service provider outages versus 8-hour for other causes). This preserves meaningful coverage while capping per-policy exposure for the systemic trigger.

Portfolio-level controls include underwriting authority matrices keyed to single-vendor concentration. If the insurer's aggregate exposure to AWS ap-south-1 exceeds a threshold, new AWS-dependent risks in that region require higher authority levels or mandatory reinsurance facultative cession. Some insurers have implemented real-time concentration dashboards that underwriters consult during quotation. The dashboards display current vendor concentration relative to authority limits and flag quotes that would push concentration above tolerance.

The practical challenge is data quality. Vendor disclosure information is only as reliable as the applicant's knowledge of their own technology stack, which is often incomplete at the business level. Insurers invest in verification through third-party security rating services (SecurityScorecard, BitSight, Prevalent) and through penetration testing partnerships, but the information gap remains material for SME policyholders who represent the fastest-growing segment of the Indian cyber market.

Reinsurance is the primary mechanism for Indian cyber insurers to manage net accumulation beyond what underwriting controls alone can achieve. The reinsurance market for cyber has tightened materially since 2020 as global reinsurers reassess systemic event exposures, and Indian insurers face tougher placement conditions than they did even two years ago.

GIC Re, the Indian national reinsurer, holds a first right of refusal under IRDAI Re-insurance Regulations 2018 for obligatory cession, which for cyber lines currently stands at 4% of reinsurance ceded premium. Beyond the obligatory cession, Indian insurers place reinsurance with GIC Re on treaty terms, typically for a portion of their proportional or non-proportional programmes. GIC Re's cyber appetite has grown since 2022 as it has built internal capability, and by FY2025-26 the national reinsurer is an active participant in most Indian cyber placements.

Munich Re India, Swiss Re India, SCOR India, and Hannover Re India operate as branches of their global parents and provide the majority of treaty capacity for Indian cyber. Each has its own view on systemic risk, its own scenario models, and its own accumulation limits. Placement conversations in 2025 and 2026 have focused heavily on the cedant's disclosure of accumulation metrics, the insurer's portfolio composition by vendor and industry, and the policy wording's treatment of systemic events. Reinsurers expect to see evidence that the cedant is actively managing accumulation, not simply passing the risk through.

The IRDAI Re-insurance Regulations 2018 and subsequent circulars cap cross-border reinsurance placement through home-state branches of foreign reinsurers, Indian cross-border reinsurers, and IFSC-based reinsurers. For cyber, which is a capacity-constrained class, insurers may need to use multiple capacity sources to complete placement. The order of preference established by IRDAI directs cedants to offer risk first to GIC Re, then to home-state branches and IFSC-based reinsurers, before placing with other cross-border reinsurers.

Structural choices in the reinsurance programme affect accumulation management. Proportional treaties (surplus or quota share) cede a percentage of each policy and therefore scale accumulation protection with portfolio growth. Non-proportional treaties (excess of loss) protect against large individual losses and can be structured to respond to aggregate event losses through aggregate excess of loss or systemic event covers. A growing number of Indian cyber programmes include dedicated systemic event covers that respond specifically to named systemic triggers (cloud outages, mass ransomware, critical software incidents) with their own limits and retentions. These covers are more expensive than general excess of loss but provide targeted protection for the accumulations that individual risk excess of loss structures do not address efficiently.

Pricing for accumulation-heavy cyber books reflects this structure. Indian cyber gross rate on line for primary policies has firmed from a soft-market low of 0.8 to 1.5% of sum insured in 2020 to a firmer 2.5 to 5% in 2025 and 2026 depending on industry and technology stack. Reinsurance cost has increased proportionally, with systemic event covers priced at 15 to 25% rate on line for treaty years 2025 and 2026. The net effect is that Indian cyber insurers retain less premium per unit of risk than they did five years ago but have stronger protection against systemic events.

IRDAI's oversight of cyber accumulation has moved from general risk management expectations to specific cyber-focused guidance over the past three years. The regulator's 2023 circular on cyber insurance product design (Ref: IRDAI/NL/CIR/GEN/072/2023) introduced minimum product standards and required insurers to submit detailed filings for cyber products. The 2024 Information Security Guidelines imposed detailed cyber hygiene requirements on insurers' own operations, and the 2025 supervisory communications have explicitly addressed cyber portfolio management.

The emerging IRDAI expectations on cyber accumulation include documented accumulation measurement methodology, quarterly portfolio reporting to the regulator showing vendor concentration and systemic scenario stress tests, board-level review of cyber accumulation relative to capital, and clear distinction between gross and net accumulation with consideration of reinsurance counterparty risk.

The Appointed Actuary and the Chief Risk Officer of each Indian cyber insurer now typically include cyber accumulation in their quarterly risk committee reports. The IRDAI has not set explicit concentration limits but has indicated that material single-vendor or single-scenario exposures must be disclosed and justified. Insurers that have pushed their gross exposure significantly ahead of their reinsurance-supported net retention have been engaged by IRDAI in supervisory dialogue about growth pacing.

The capital implications are being integrated into the Indian solvency framework. The current IRDAI solvency regime does not include an explicit cyber catastrophe charge, but the move toward a risk-based capital framework (tentatively planned for 2027-2028 implementation) is expected to include systemic cyber scenarios in the catastrophe component of required capital. Insurers with larger cyber books are already modelling how these charges might affect their capital position and adjusting their writing pace and reinsurance cession strategy accordingly.

For underwriters, risk managers, and brokers working in the Indian cyber market, the practical implication is that cyber accumulation is no longer a specialist concern handled only by the chief actuary. It is an integrated underwriting constraint that shapes quote-level decisions, a portfolio management discipline reported to the board, and a regulatory dialogue that influences capital and growth strategy. The Indian cyber insurance market's growth trajectory, with gross written premium expected to reach INR 2,500 to 3,500 crore by FY2027-28, depends on the industry's collective ability to measure, control, and transfer the systemic risks that define this line.