Every threshold alert pays out on a proxy, not the damage — and a $61.3B market already priced the difference.
It’s 3:14 a.m. and your phone is screaming. CPU on api-prod-7 has been over 80% for five minutes. You thumb the screen awake, squint, and check the dashboard. Latency is flat. Error rate is flat. Checkout is sailing through. Nobody — not one human being on Earth — is having a worse night because of api-prod-7. You silence the page, mutter something unkind about whoever wrote the threshold, and go back to bed.
You just paid a claim on a proxy.
Here’s the thing nobody told you: the people who trade a sixty-one-billion-dollar market in catastrophe risk face the exact same decision you just made, have faced it for decades, and have a precise, boring, actuarial vocabulary for the pain you have no name for. The 3 a.m. page that fires on nothing has a name. So does its evil twin — the outage that rakes your users for twenty minutes while every threshold you own stays stubbornly green. The insurance industry didn’t just name these. In 2025 it put real money behind the answer.
A catastrophe bond is a bet on disaster. An insurer or a government hands cash to investors; if a named catastrophe strikes, the investors forfeit some or all of it to cover the losses, and if it doesn’t, they keep their coupons. The whole machine hinges on one question: how do you decide the catastrophe actually happened? There are two honest answers.
A parametric trigger pays when a physical proxy crosses a line. Wind speed above 130 mph at a named weather station. Earthquake magnitude above 7.0. Rainfall above 200 mm in twenty-four hours. The NAIC’s definition is admirably blunt: a parametric policy pays “based on the magnitude of the event, as opposed to the magnitude of the losses in a traditional indemnity policy.” It is fast — settlement runs from twenty-four hours to thirty days, per the Climate Policy Initiative — because nobody has to send an adjuster to count broken windows. A sensor tripped; the money moves.
An indemnity trigger pays on verified actual loss. The adjusters go out, the claims are totaled, and the bond pays what was really lost. It is slow — months, sometimes years — and expensive to administer. But it pays for the damage, not for a number that stands in for the damage.
The gap between those two is the whole story, and it has a name too: basis risk. Basis risk runs in both directions. Positive basis risk is when the proxy trips but nothing was really lost — the bond pays out on a windfall. Negative basis risk is the cruel one: real devastation, but the proxy came in just under the line, so the bond pays nothing. A hurricane can flatten a coastline while the eyewall passes twenty miles east of the reference gauge, and a wind-speed-triggered bond will, with perfect contractual innocence, pay zero.
If you want to know which trigger people trust when their own money is at stake, watch where the money goes. It is going, hard, toward indemnity.
In 2025, indemnity triggers reached 76% of catastrophe-bond issuance — the highest share on record, beating the 73% set in 2024 (Artemis, Catastrophe Bond Market Records That Were Broken in 2025). That was a banner year for the asset class generally: $25.6 billion issued across 144A and private deals, pushing the outstanding market to $61.3 billion, up 24% year over year. Pure-parametric structures, by contrast, have stayed a niche — roughly 7% of natural-catastrophe bond volume in early 2024.
Sit with that. The single largest, most sophisticated market on Earth for the parametric-versus-indemnity decision looked at the tradeoff — speed and simplicity on one side, accuracy on the other — and three-quarters of it chose to pay more, wait longer, and settle on the real loss. Investors accepted slower, costlier settlement specifically to shed basis risk. When the number on the check is real, people stop trusting the proxy.
But notice it isn’t a binary. The other quarter of the market isn’t all parametric. Sitting between pure-proxy and pure-truth is a whole spectrum: industry-loss warranties, which pay against an industry-wide loss index published by PCS or Swiss Re — a proxy, but a broader and truer one than a single wind gauge — plus modeled-loss triggers that run the event through a catastrophe model. The market didn’t pick one of two options. It priced a gradient, from cheap-fast-proxy to expensive-slow-truth, and distributed itself along it.
Hold onto that gradient. You have one too.
“CPU > 80%” is “wind speed > 130 mph.” “Error rate > 1%” is “magnitude > 7.0.” “Disk > 90%,” “p99 latency > 500 ms” — every one of them fires on a physical proxy for the thing you actually care about, which is a human being somewhere having a bad time because of your software. Not one of them measures that human being. They measure a stand-in and hope the stand-in is correlated with the harm.
Sometimes it is. Often it isn’t:
The 3 a.m. CPU page you silenced was positive basis risk: the proxy tripped, nothing was lost. The outage that ran for twenty minutes while every dashboard stayed green — the one you found out about from Twitter — was negative basis risk: real loss, proxy silent, eyewall twenty miles east of the gauge. You already live inside basis risk. You have for your whole career. You just never had the word, and because you never had the word, you never measured it.
Here is the difference between the discipline that moves sixty-one billion dollars and the discipline that pages you at 3 a.m.: the actuaries compute their basis risk. It’s a percentage. They model it, price it, and put it in the prospectus, because the entire engineering problem of parametric insurance is how far the trigger sits from the real loss. The closer the proxy gets to actual damage, the more it resembles indemnity; the farther it drifts, the larger the basis risk. That distance is the thing they get paid to measure.
Almost no engineering team measures it. Ask yourself a question you can actually answer from data you already have: what percentage of your pages last quarter fired with no measurable user impact? Join your alerting log to your incident record and your SLO history. The query isn’t hard. The answer is usually somewhere between sobering and obscene — teams routinely discover that the large majority of their pages corresponded to nothing a user would ever have felt. That’s your positive basis risk, and it’s not free: it’s paid in analyst hours, in alert fatigue, in the slow erosion of trust that turns every page into a “probably nothing” — right up until the one that isn’t slips by. Then run it the other direction: how many real SLO breaches happened with no page at all? That’s your negative basis risk, and it’s the one that ends up in the postmortem.
You don’t have to guess at either number. They exist. Measure the gap instead of pretending the proxy is the harm.
The good news is that SRE quietly invented its own indemnity trigger without realizing it had reinvented insurance. It’s the SLO burn-rate alert.
Google’s SRE Workbook describes multi-window, multi-burn-rate alerting: you watch the rate at which your error budget is being consumed, across a fast short window and a slower long window, and you fire only when both agree (the short window calibrated to one-twelfth of the long one). This is not a proxy. It measures the actual rate at which your real, user-facing reliability promise is being broken. It is an indemnity signal: it pays out on the damage, not on a number that stands in for the damage.
And — exactly like its insurance cousin — it is slower and more expensive than a threshold. It needs an observation window before it’ll commit. It has to aggregate multiple service-level indicators instead of reading one gauge. You buy near-zero basis risk with latency and compute. That is the identical tradeoff the cat-bond market priced, arrived at from the opposite direction, with none of the shared vocabulary.
So when do you use which? The reinsurance market already worked out the allocation, and it ports cleanly.
Use parametric triggers for speed-critical reflex. Auto-scaling, circuit breakers, load shedding, rate limits — anything that has to act now, before a human is even awake. Here speed dominates precision, because the costs are lopsided: a false positive (scaling up capacity you didn’t strictly need) is cheap, while a false negative (the service dying while you wait for a slow signal to be sure) is fatal. This is exactly why a developing nation buys parametric quake cover: it needs liquidity within days, not a correct loss adjustment within months. The World Bank puts the value of an immediate payout at roughly 3.5× the same dollars delivered late, because cascade damage compounds with time — and that speed premium isn’t insurance-specific, it’s a property of harm propagation in any complex system. Your circuit breaker is, quite literally, a parametric trigger: it trips on a failure count within a window without ever assessing the downstream damage. A 2025 systematic review of microservice recovery patterns (arXiv:2512.16959) found that pairing a circuit breaker with bounded retries gave the best resilience — a P99 of 1100 ms at a 3% error rate. Fast and imperfect, doing exactly the job fast-and-imperfect is for.
Settle the expensive decision on an indemnity signal. Paging a human at 3 a.m., declaring an incident, halting the deploy train, spending down the error budget — these are costly, in money and in trust. Costly decisions should fire on actual user impact, which means burn rate, not CPU. Paging a human on a proxy is the same category error as a government booking its fast parametric payout as the final settlement of a catastrophe: fine as the first liquidity injection, wrong as the accounting of what was really lost.
The mistake — the one nearly every team makes — is using parametric triggers for decisions. Waking a human on “CPU > 80%” is crossing the streams. You’re spending your most expensive resource, human attention and trust, on your cheapest, noisiest signal.
Here’s the part that should make the hair on your neck stand up. Insurance didn’t choose parametric or indemnity. After roughly fifteen years of trying — and failing — to engineer a perfect trigger with better sensors, higher-resolution weather data, and finer models, the industry’s settled consensus is that the perfect trigger is impossible, because the map can never equal the territory. So they stopped optimizing the trigger and started layering: a fast parametric layer for the preliminary payout that gets cash moving in days, plus a slow indemnity layer that catches whatever the proxy under- or over-paid. The two layers aren’t redundant copies — they cover different shapes of harm and use different verification regimes. They’re complementary.
Now look at the mature SRE architecture and tell me it isn’t the same building:
Same three floors. The insurance industry has occupied this building for years, and SRE built an identical one next door without ever reading the blueprints. Neither domain credits the other, which is a small tragedy — because the insurance side is a decade ahead on the one lesson that matters most: stop trying to perfect the trigger. You will never build the SLI that perfectly captures user pain, just as no weather station will ever perfectly capture a hurricane’s damage. The diminishing returns on better proxies are real. The breakthrough isn’t a better threshold; it’s accepting a fast, imperfect proxy and pairing it with a slow, true signal.
You don’t need a platform migration to act on this. You need three moves.
Measure your basis risk — both directions. Join last quarter’s alert log to your incident and SLO records and compute two percentages: pages that fired with no user impact (positive basis risk), and SLO breaches that fired no page (negative basis risk). Put both numbers on a wall. You can’t argue down a premium you refuse to read.
Re-label every alert as reflex or decision. A reflex alert is allowed to be a fast, noisy proxy — but it must act, automatically, and it is never, ever allowed to wake a human. A decision alert is allowed to wake a human — but it must fire on an indemnity signal, on actual burn against your user-facing promise. Anything currently paging a person on a raw threshold is miscategorized. Fix it.
Stop optimizing the trigger; start layering the response. The next time someone pitches a heroic quarter to build the perfect SLI, remember that an industry with sixty-one billion dollars riding on the question tried that for fifteen years and gave up. Build two honest layers instead of one impossible one.
The catastrophe-bond market gave this tradeoff a vocabulary, a price, and — in 2025 — a three-quarters-majority verdict: when the loss is real, measure the loss, not the proxy. You’ve been paying the basis-risk premium on your alerting for years; the invoice just never arrived, because nobody itemized it. Now you can. And the next time your phone screams at 3:14 a.m. over a CPU number that hurt no one, you’ll know exactly which line item that is — and exactly what the actuaries would charge you for it.
Stop trusting the proxy. Settle decisions on a signal you can verify.
This essay’s whole argument is that the expensive decisions should fire on the real thing, not a stand-in for it. The same logic applies the moment an AI agent claims it did something: don’t page a human (or a customer) on the agent’s own self-report — that’s a proxy. Chain of Consciousness gives every agent action an indemnity signal: each step anchored to a verifiable external record, so you settle on what the agent can prove it did, not on what it says. An audit trail that doesn’t share the failure modes of the thing it’s measuring.
See a verified provenance chain · Hosted Chain of Consciousness
pip install chain-of-consciousness · npm install chain-of-consciousness