CrowdStrike and the insurance implications
The global cybersecurity firm CrowdStrike released a sensor configuration update for Falcon, its flagship endpoint detection and response (EDR) product, on Friday 19 July 2024 to all customers running it on Microsoft Windows. Falcon runs as a kernel-level sensor that detects malware and suspicious activity on the host and reports it to a central platform. The automatic update triggered a logic error in the sensor's handling of the new content; because the sensor runs inside the Windows kernel, the fault crashed the operating system itself, producing a Blue Screen of Death (BSOD) and a major IT outage. Companies globally, across a variety of industries and sectors, were unable to access key systems, and real-time monitoring and threat detection on the affected hosts stopped for as long as they were down.
The faulty update was reverted just over an hour after release, but any Windows host running Falcon that was online and received it during that window was susceptible to the crash. Around five hours later, CrowdStrike issued corrective guidance allowing normal operations to resume. A fix pushed over the network cannot reach a host that can no longer boot, however: many affected machines entered a boot loop and had to be recovered by booting into Safe Mode or the Windows Recovery Environment and removing the bad file by hand, which for many fleets meant physical or console access to each machine.
Direct Impacts: According to Microsoft, around 8.5 million Windows devices were affected, most of them belonging to enterprises that rely on CrowdStrike for their cybersecurity cover, including healthcare providers, the air travel industry, government agencies and financial organisations. CrowdStrike is the market leader, with around 24% of the endpoint security market. The event is expected to affect mostly larger clients, which have a more substantial investment in cybersecurity tooling than smaller companies. The downtime left companies that rely on CrowdStrike more exposed to potential threats and attacks while their endpoint protection was offline; however, no attacks exploiting the outage window have been confirmed.
Insurance Implications: The event is reported as being “non-malicious”, meaning that systems failure coverage, where insured, within cyber (re)insurance policies is the loss trigger rather than the cyber-attack or security-breach insuring clauses. At this early stage there is uncertainty surrounding the overall loss; however, the event is expected to be manageable for the cyber market.
Sectors such as healthcare and aviation were hit harder because they require 24/7 availability, and the impact was greater in the APAC (Asia Pacific) and EMEA (Europe, Middle East and Africa) regions, where the update arrived during or at the start of the business day. Around 3,000 flights were cancelled and 23,900 delayed. The biggest impact on insurers will arise from business interruption losses, including loss of income and extra expenses incurred; these are subject to the applicable waiting periods, which vary per policy.
Fitch Ratings comments that several mechanisms will limit insured losses: lack of insurance coverage, high deductibles, sub-limits, and the time-element waiting periods for business interruption claims, which typically range from eight to 12 hours.
Catastrophe modeller CyberCube's preliminary insured loss estimate is between $400m and $1.5bn, representing a roughly 3% to 10% loss ratio impact on global cyber premiums of $15bn today. Beazley uses CyberCube's Portfolio Manager cyber analytics tool. Cyber insurer Coalition, however, estimates insured losses in a range of $270m to $960m, with the potential to land at the lower end.
The economic impact of the CrowdStrike outage is estimated by service provider Parametrix at $5.4bn, a figure covering Fortune 500 companies other than Microsoft. Prior to CrowdStrike, the largest loss event for the cyber market was NotPetya in 2017, with estimated insured losses above $3bn and economic losses of $10bn, according to PCS. Most impacted companies are insured for amounts far lower than their actual financial losses. The largest economic losses from cyber events, most of which are uninsured, are shown below. To date, even cyber economic losses have been lower than insured losses from natural catastrophes such as Hurricane Ian, whose insured losses exceeded $60bn according to Swiss Re Sigma.
Beazley, the leading Lloyd’s cyber insurer via three Lloyd’s syndicates 623/2623, 5623 and 6107, released a statement after the event indicating a limited impact and commenting that “based on what is known at this point, the event will not change the current undiscounted combined ratio guidance of low 80s for the full year”. They will provide further detail on the event in their 2024 H1 report in August.
Cyber Market Implications: The event will force cyber insurers to re-evaluate their portfolios and cyber underwriting processes. Coalition highlights that technological diversification across organisations limits the potential for systemic loss, and expects the cyber market to address concern about large systemic losses by changing and, in some cases, restricting or excluding coverage.
Cyber insurers are expected to review aggregation risk arising from supply chain dependencies on cybersecurity vendors such as CrowdStrike. Some insurers already include loss sub-limits for catastrophic or widespread events, in addition to exclusions for specific large-scale cyber losses.
From a cyber reinsurance perspective more time is needed for a full assessment of how cyber reinsurance treaties will react, though we understand many newer excess of loss protections exclude non-malicious acts leaving insured losses retained by insurers.
Global cyber rates have been softening since Quarter 3 2023, with Marsh reporting 6% rate reductions in Quarter 2 2024. We expect a heightened focus on policy wordings but, as this is a manageable loss event, only a slowdown in rate softening rather than a shift to rate increases.
By Jordana Teeboon, Research Analyst, and John Francis, Head of Research