Insured losses from CrowdStrike outages in the standalone cyber insurance market may reach $1.5 bn, according to CyberCube.
CyberCube estimated insured losses could be as low as $400 mn. The July 19 outages might be the largest insured loss event in the affirmative cyber insurance industry over the past 20 years.
The issue started with a faulty CrowdStrike Falcon Sensor update, causing widespread outages.
The $400 mn to $1.5 bn loss range would impact global cyber premiums of $15 bn by about 3-10%.
The event corresponds to a 1-in-2-year to 1-in-6-year industry loss return period, based on CyberCube’s catastrophe model and industry exposure database. The model shows potential scenarios with loss ratios up to 234% in extreme cases and 1-in-200-year return periods.
CyberCube’s estimates are provisional and based on the best available information. The event is still unfolding, and many systems are yet to be restored.
Each insurer’s claims depend on specific portfolio characteristics, including coverage for non-malicious system failure, contingent business interruption, and the makeup of insureds.
The U.S. cyber insurance market growth slowed in 2023, with direct premiums written growing just 0.1% amid a pricing drop-off. Larger, sophisticated insureds have seen higher penetration, while smaller businesses represent the best growth opportunities.
The CrowdOut event is significant for the cyber insurance market but doesn’t match the destructive potential that carriers are prepared for.
CyberCube activated its Cyber Aggregation Event Response Service due to the outages. CAERS provides up-to-date intelligence on major cyber catastrophes to ensure relevant information for the insurance market.
This is well within the capabilities of the insurance markets. Some parts may take longer to settle due to the nature of claims and legal systems
Brittany Baker, VP of solution consulting at CyberCube
According to Guy Carpenter, cyber insurers for broad coverage of business interruption resulting from network outage. The trigger for this coverage includes System Failure resulting from non-malicious acts, including human error.
Cyber coverage extends to Contingent Business Interruption (CBI) caused by an outage of a vendor on which an insured relies to operate its network.
Critical for evaluating network interruption claims will be the policy waiting period for which the network must be impaired before the policy responds. Typical cyber waiting periods vary depending on industry class and organizational size with 4–12 hours being most common.
An earlier estimate suggested the widespread CrowdStrike outages could cost Fortune 500 companies $5.4 bn, with 10-20% covered by cyber insurance policies, according to Parametrix. The insured loss could range from $540 mn to $1.1 bn.
Parametrix excluded Microsoft from its estimate of total damages. The outages started with a flawed update to CrowdStrike’s cybersecurity software, creating a logic problem that crashed computers globally.
Global software issue contained in an update released by cybersecurity company CrowdStrike caused computers to crash in the early hours of July 19, with a cascading impact that was felt throughout the global economy.
An estimated 8.5 mn Windows devices have been affected, broker Aon said in its own analysis of the situation.