Concentration Risk Analysis Methodology

v2.0 · March 2026

This document details the methodology behind Rankiteo's Concentration Risk Analysis engine. It describes supply chain discovery across three dependency layers, the Herfindahl-Hirschman Index for measuring concentration, single point of failure detection, technology stack analysis, and diversification rating assignment for cyber insurance portfolios.

1. Executive Summary

The Concentration Risk Analysis module identifies single points of failure in a cyber insurance portfolio's supply chain. When multiple insured companies depend on the same vendor, a single compromise or outage at that vendor can trigger simultaneous claims across the portfolio — creating correlated, catastrophic losses.

This module maps supply chain dependencies across three layers deep (L1, L2, L3), calculates concentration metrics using the Herfindahl-Hirschman Index (HHI), identifies vendors that serve as single points of failure, and assigns a diversification rating to the overall portfolio.

Key capabilities include:

3-layer supply chain discovery — L1 (direct), L2 (vendor's vendors), L3 (third-degree) dependency mapping
HHI concentration scoring — quantitative measure of portfolio dependency concentration
Single point of failure detection — vendors serving 40%+ of portfolio companies
Industry and technology concentration — exposure distribution across sectors and tech stacks
Diversification rating — letter-grade assessment from A (well diversified) to F (critically concentrated)

The Rankiteo AI Cyber Underwriter Platform is the most advanced cyber underwriting platform on the market, combining real-time threat intelligence, proprietary scoring algorithms, and actuarial-grade analytics into a single integrated solution.

2. Supply Chain Discovery

The foundation of concentration risk analysis is a comprehensive map of vendor dependencies across the portfolio. Rankiteo discovers supply chain relationships at three depth levels:

Layer	Name	Description	Example
L1	Direct Vendors	Vendors directly used by the portfolio company for business operations	Acme Corp uses AWS, Salesforce, Okta
L2	Vendor's Vendors	Vendors used by L1 vendors — second-degree dependencies	Salesforce uses AWS, Twilio, Stripe
L3	Third-Degree	Vendors used by L2 vendors — third-degree dependencies	Twilio uses AWS, Cloudflare, SendGrid

Supply Chain Dependency Tree (3 Layers) Portfolio Company (Acme Corp) ├── L1: AWS ─────────────────── Direct dependency │ ├── L2: Intel (AWS depends on Intel for hardware) │ └── L2: Equinix (AWS uses Equinix data centers) │ └── L3: Schneider Electric (Equinix uses Schneider for power) ├── L1: Salesforce ───────────── Direct dependency │ ├── L2: AWS (Salesforce runs on AWS) │ ├── L2: Twilio (Salesforce uses Twilio for messaging) │ │ └── L3: AWS (Twilio runs on AWS) │ └── L2: Stripe (Salesforce uses Stripe for billing) └── L1: Okta ─────────────────── Direct dependency ├── L2: AWS (Okta runs on AWS) └── L2: Cloudflare (Okta uses Cloudflare for CDN) Note: AWS appears at L1, L2, and L3 - indicating high concentration risk

2.1 Discovery Methods

DNS analysis — CNAME records, NS records, and MX records reveal hosting and email providers
HTTP header inspection — server headers, CDN headers, and security headers identify technology stack
JavaScript and tag analysis — third-party scripts reveal analytics, marketing, and SaaS dependencies
SSL/TLS certificate analysis — certificate issuers and Subject Alternative Names map infrastructure
Public disclosure mining — SEC filings, press releases, and partnership announcements
AI-assisted classification — DeepSeek AI processes unstructured data to identify vendor relationships

3. Herfindahl-Hirschman Index (HHI)

The Herfindahl-Hirschman Index (HHI) is a standard measure of market concentration adapted here to quantify supply chain dependency concentration across the portfolio. The HHI measures how evenly vendor dependencies are distributed — a high HHI indicates that a few vendors dominate the portfolio's supply chain.

3.1 Formula

HHI = Σ (count_i / total_deps)² × 10000 Where: count_i = number of portfolio companies that depend on vendor i total_deps = total number of vendor-company dependency relationships Σ = sum across all unique vendors The multiplication by 10,000 normalizes the index to a 0-10,000 scale.

3.2 Interpretation

HHI Range	Classification	Description	Risk Level
`> 2500`	Highly Concentrated	A small number of vendors dominate the portfolio supply chain	Critical
`> 1500`	Moderately Concentrated	Notable concentration in several key vendors	High
`> 1000`	Moderate	Some concentration exists but within acceptable bounds	Medium
`≤ 1000`	Well Diversified	Dependencies are broadly distributed across many vendors	Low

3.3 Worked Example

# Portfolio: 10 companies, 5 unique vendors # Dependency counts: # AWS: 8 companies depend on it # Cloudflare: 6 companies # Okta: 4 companies # Stripe: 3 companies # Datadog: 2 companies # Total deps: 8 + 6 + 4 + 3 + 2 = 23 HHI = ( (8/23)² + (6/23)² + (4/23)² + (3/23)² + (2/23)² ) × 10000 HHI = ( 0.1210 + 0.0680 + 0.0302 + 0.0170 + 0.0076 ) × 10000 HHI = 0.2438 × 10000 HHI = 2438 → "Moderately Concentrated" (approaching Highly Concentrated) # Interpretation: AWS's dominance (8/23 = 34.8% share) is the primary # driver of concentration. Reducing AWS dependency would significantly # lower the HHI score.

4. Single Points of Failure

A vendor is classified as a Single Point of Failure (SPOF) when it serves 40% or more of the portfolio companies at any dependency layer (L1, L2, or L3). SPOFs represent the highest concentration risk because a single incident at the SPOF vendor can trigger simultaneous claims across a large fraction of the portfolio.

# SPOF Detection Algorithm for each vendor V in supply_chain: count = number of portfolio companies depending on V (across L1+L2+L3) percentage = count / total_portfolio_companies × 100 if percentage >= 40%: classify V as SINGLE_POINT_OF_FAILURE elif percentage >= 25%: classify V as HIGH_CONCENTRATION elif percentage >= 15%: classify V as MODERATE_CONCENTRATION else: classify V as NORMAL

Threshold	Classification	Action Required
`≥ 40%`	Single Point of Failure	Immediate review; consider exclusions or sublimits
`≥ 25%`	High Concentration	Monitor closely; evaluate diversification options
`≥ 15%`	Moderate Concentration	Track trending; no immediate action required
`< 15%`	Normal	No action required

Common SPOF vendors observed in practice include major cloud providers (AWS, Azure, GCP), identity providers (Okta, Azure AD), CDN providers (Cloudflare, Akamai), and email platforms (Microsoft 365, Google Workspace).

5. Vendor Dependency Counting

Vendor dependency counting determines how many portfolio companies rely on each vendor across all three supply chain layers. This metric feeds into HHI calculation, SPOF detection, and the overall diversification rating.

5.1 Counting Rules

Deduplication — if a company depends on a vendor at multiple layers (e.g., L1 and L2), it is counted only once
Layer weighting — L1 dependencies carry weight 1.0, L2 carry 0.6, L3 carry 0.3 for risk-weighted counts
Transitive closure — all paths through the dependency graph are traced to ensure no indirect dependency is missed

# Vendor Dependency Count Algorithm vendor_counts = {} for each company C in portfolio: seen_vendors = set() for each vendor V in C.L1_vendors: seen_vendors.add(V) for each vendor V in C.L2_vendors: seen_vendors.add(V) for each vendor V in C.L3_vendors: seen_vendors.add(V) for V in seen_vendors: vendor_counts[V] = vendor_counts.get(V, 0) + 1 # Risk-weighted count (alternative) for each company C in portfolio: for V in C.L1_vendors: weighted_counts[V] += 1.0 for V in C.L2_vendors: weighted_counts[V] += 0.6 for V in C.L3_vendors: weighted_counts[V] += 0.3

5.2 Example Output

Vendor	L1 Count	L2 Count	L3 Count	Total (Deduplicated)	% of Portfolio	Classification
AWS	15	8	5	22	88%	SPOF
Cloudflare	10	6	3	14	56%	SPOF
Okta	8	4	1	11	44%	SPOF
Stripe	5	3	2	8	32%	High
Datadog	4	1	0	5	20%	Moderate

6. Industry Concentration

Beyond vendor-level concentration, the module analyzes how portfolio exposure is distributed across industry sectors. An over-concentration in a single industry increases the risk of correlated losses from sector-specific threats (e.g., healthcare ransomware, financial regulation changes).

6.1 Industry HHI

The same HHI formula is applied to industry distribution:

Industry_HHI = Σ (companies_in_industry_j / total_companies)² × 10000 Example: Financial Services: 12 companies (48%) Healthcare: 5 companies (20%) Technology: 4 companies (16%) Retail: 2 companies (8%) Manufacturing: 2 companies (8%) Total: 25 companies Industry_HHI = (0.48² + 0.20² + 0.16² + 0.08² + 0.08²) × 10000 = (0.2304 + 0.0400 + 0.0256 + 0.0064 + 0.0064) × 10000 = 3088 → "Highly Concentrated" in Financial Services

6.2 Sector-Specific Threat Correlation

Industry	Primary Threat Vectors	Correlation Factor
Healthcare	Ransomware, data breach (PHI), regulatory (HIPAA)	0.85
Financial Services	BEC, credential theft, regulatory (PCI/SOX)	0.80
Technology	Supply chain, zero-day, IP theft	0.70
Retail	Payment card breach, e-commerce fraud	0.75
Manufacturing	SCADA/ICS, ransomware, IP theft	0.65

7. Technology Stack Analysis

Technology stack analysis identifies the most commonly used cloud, SaaS, and security vendors across the portfolio. This complements vendor dependency counting by categorizing dependencies into functional technology layers.

Technology Layer	Common Vendors	Concentration Signal
Cloud Infrastructure	AWS, Azure, GCP	If >70% on single provider: SPOF risk
Identity / SSO	Okta, Azure AD, Ping Identity	If >60% on single provider: authentication SPOF
CDN / DDoS Protection	Cloudflare, Akamai, Fastly	If >50% on single provider: availability SPOF
Email / Collaboration	Microsoft 365, Google Workspace	If >80% on single platform: communication SPOF
Endpoint Security	CrowdStrike, SentinelOne, Microsoft Defender	If >60% on single vendor: security SPOF
Payment Processing	Stripe, Adyen, PayPal	If >50% on single processor: transaction SPOF

# Technology Stack Concentration Report tech_layers = { "Cloud Infrastructure": extract_cloud_providers(portfolio), "Identity / SSO": extract_identity_providers(portfolio), "CDN / DDoS": extract_cdn_providers(portfolio), "Email": extract_email_providers(portfolio), "Endpoint Security": extract_edr_providers(portfolio), "Payment Processing": extract_payment_providers(portfolio), } for layer, vendors in tech_layers.items(): layer_hhi = calculate_hhi(vendors) dominant = max(vendors, key=vendors.get) share = vendors[dominant] / sum(vendors.values()) * 100 if share >= threshold[layer]: flag_as_spof(layer, dominant, share)

8. Diversification Rating

The diversification rating is a composite letter grade assigned to the portfolio based on multiple concentration metrics. It provides a single, actionable indicator of overall supply chain diversification health.

8.1 Rating Components

Component	Weight	Scoring
Vendor HHI	35%	0-100 points based on HHI value (lower HHI = higher score)
SPOF Count	25%	0-100 points based on number of SPOF vendors (fewer = higher)
Industry HHI	20%	0-100 points based on industry concentration
Tech Layer Coverage	10%	0-100 points based on diversity within each tech layer
L2/L3 Depth Coverage	10%	0-100 points based on completeness of deep dependency mapping

8.2 Grade Assignment

# Composite Score Calculation composite_score = ( vendor_hhi_score × 0.35 + spof_count_score × 0.25 + industry_hhi_score × 0.20 + tech_layer_score × 0.10 + depth_coverage_score × 0.10 ) # Grade Thresholds Score Range Grade Label ────────────────────────────────────── 90 - 100 A Well Diversified 80 - 89 B Adequately Diversified 65 - 79 C Moderately Concentrated 50 - 64 D Highly Concentrated 0 - 49 F Critically Concentrated

Grade	Score	Label	Underwriting Guidance
A	90–100	Well Diversified	Standard terms; no concentration adjustments needed
B	80–89	Adequately Diversified	Monitor SPOFs; standard pricing
C	65–79	Moderately Concentrated	Consider concentration sublimits; slight premium loading
D	50–64	Highly Concentrated	Require diversification plan; apply concentration surcharge
F	0–49	Critically Concentrated	Decline or require significant exclusions/sublimits

9. Risk Mitigation Recommendations

Based on the concentration analysis, the system generates tailored risk mitigation recommendations for portfolio managers and underwriters:

9.1 Portfolio-Level Recommendations

Diversify cloud providers — if >70% of portfolio depends on a single cloud provider, encourage multi-cloud adoption in new policies
Apply concentration sublimits — cap aggregate exposure to any single vendor at a defined percentage of total portfolio limit
Reinsurance for systemic risk — purchase catastrophe reinsurance to cover correlated losses from SPOF vendor failures
Vendor diversification incentives — offer premium discounts to insureds that demonstrate multi-vendor strategies

9.2 Vendor-Specific Recommendations

SPOF vendors — require business continuity plans that address SPOF vendor failure scenarios
High concentration vendors — request proof of vendor SLA guarantees and incident response capabilities
Emerging dependencies — monitor new L2/L3 vendors trending toward SPOF status and flag early

9.3 Industry Rebalancing

When industry HHI exceeds 2500, the system recommends rebalancing the portfolio by targeting new business in underrepresented sectors. The recommendation includes specific target industry percentages to achieve an HHI below 1500.

# Industry Rebalancing Target Calculation current_distribution = get_industry_distribution(portfolio) target_hhi = 1500 # Iteratively reduce dominant industry share until HHI < target while calculate_industry_hhi(current_distribution) > target_hhi: dominant = max(current_distribution, key=current_distribution.get) current_distribution[dominant] -= 0.01 # reduce by 1% # redistribute to smallest sector smallest = min(current_distribution, key=current_distribution.get) current_distribution[smallest] += 0.01 print(f"Target distribution to achieve HHI < {target_hhi}:") for industry, share in current_distribution.items(): print(f" {industry}: {share:.0%}")

10. Data Sources

Supply chain dependency graph — primary data source for L1, L2, and L3 vendor dependency relationships
DNS/WHOIS records — domain registration and hosting provider identification
HTTP technology fingerprinting — Wappalyzer-style analysis of web technology stacks
Certificate Transparency logs — TLS certificate data for infrastructure mapping
Portfolio management data — coverage limits, industry codes (NAICS/SIC), and company metadata
DeepSeek AI — supplementary vendor classification from unstructured company data
Public cloud provider registries — IP range data from AWS, Azure, and GCP for cloud identification

11. Glossary

Term	Definition
HHI	Herfindahl-Hirschman Index — a measure of concentration ranging from 0 (perfectly diversified) to 10,000 (single vendor monopoly)
SPOF	Single Point of Failure — a vendor serving 40% or more of portfolio companies
L1 (Direct)	First-party vendors directly used by the portfolio company
L2 (Indirect)	Vendors used by L1 vendors (second-degree dependencies)
L3 (Deep Indirect)	Vendors used by L2 vendors (third-degree dependencies)
Diversification Rating	Composite letter grade (A-F) reflecting overall portfolio supply chain diversification
Concentration Sublimit	Policy provision capping aggregate loss exposure to a single vendor or technology
Vendor Dependency Count	Number of portfolio companies that depend on a given vendor (deduplicated across layers)
Technology Layer	Functional category of vendor service (cloud, identity, CDN, email, security, payment)
Industry Concentration	Distribution of portfolio companies across industry sectors, measured by Industry HHI
Transitive Dependency	An indirect dependency discovered by tracing vendor relationships through multiple layers
Correlation Factor	Measure of how likely companies in the same industry are to experience simultaneous losses

This methodology document is maintained by the Rankiteo Cyber Analytics team. For questions or feedback, contact [email protected]. Last updated March 2026.