In July 2024, cybersecurity firm CrowdStrike released a software update for its Falcon Sensor product, which is designed to detect malicious threats at computer system endpoints. The update caused widespread crashes in computers running Microsoft Windows.
US companies suffer $5.4 bn cyber loss from CrowdStrike outage.
Only users of Microsoft Windows experienced this issue, with no reports of other operating systems being affected. The system failure impacted various industries, including airlines, banks, retailers, and hospitality.
This event highlights a single point of failure in the global IT supply chain. Cyber insurers should assess policyholder supply chain dependencies, potential aggregation risks across common technologies, and adjust risk tolerances accordingly.
Cyber insurance policies cover only 10% to 20% of these losses. The average loss per Fortune 500 company is $44 mn, ranging from $6 mn (manufacturing) to $143 mn (airlines).
According to Guy Carpenter, cyber insurance provides for broad coverage of business interruption resulting from network outage. The trigger for this coverage includes System Failure resulting from non-malicious acts, including human error.
Cyber coverage extends to Contingent Business Interruption (CBI) caused by an outage of a vendor on which an insured relies to operate its network.
Critical for evaluating network interruption claims will be the policy waiting period for which the network must be impaired before the policy responds. Typical cyber waiting periods vary depending on industry class and organizational size with 4–12 hours being most common.
Contingent business interruption losses arising from a widely deployed technology present reinsurers with an acute risk for unexpected aggregation. Technologies with large market shares create potential single points of failure that can lead to systemic events yielding claims from a large number of insureds.
System failure losses will now be included in traditional proportional and aggregate structures, covering all loss causes.
Recently, buying behavior has shifted toward targeted catastrophe covers, focusing on specific catastrophic scenarios. Event-based products and their definitions are tailored to each cedent’s risk perspective and negotiated coverage.
Recoveries from these products will vary based on the distinction between malicious and non-malicious cyber incidents in the policy wording.
As the incident unfolds, Guy Carpenter will clarify its impacts on tail risk assumptions and the overall $15.5 bn global cyber industry moving forward.
Given the magnitude and scope of this outage, we may see consequences that affect product lines beyond cyber risk, most prominently directors & officers (D&O) and property/casualty (P&C).
- D&O. We may see implications on the D&O towers for companies both involved in or impacted by today’s incident. In general, a 10% intraday stock drop for a publicly traded company may incentivize the plaintiffs’ bar to file a class action lawsuit. Subsequent share price moves and any ultimate recovery may also impact the likelihood of litigation. Historically, securities class actions arising from technology incidents have fared poorly.
- P&C. With the continued integration of information technology and operational technology, insurers must also consider the physical consequences that may arise from technology failures. Potential exposure for P&C policies will depend on how insurers address cyber as a peril and whether the policy includes a “silent cyber” exclusion.
Policies remaining silent on cyber risk may be exposed to ensuing bodily injury or property damage as a result of cyber-related system failure.
The CrowdStrike outage in July 2024 caused one of the largest information technology disruptions in history. A flawed software update from CrowdStrike led to crashes of approximately 8.5 mn computers running Microsoft Windows.
This incident affected industries and government operations worldwide, with economic losses estimated in the billions of dollars.