Insured losses from the CrowdStrike incident could exceed $1 bn in the cyber insurance market, though the total may be reduced to half since it wasn’t a cyberattack, according to a Guy Carpenter report.
Guy Carpenter estimated that the July 19 event, triggered by a security software update, could result in insured losses ranging from $300 mn to $1 bn.
The total losses will be lower due to the accidental nature of the global outages. System failures lack many of the costs associated with malicious attacks, such as forensic experts, breach counsel, data restoration, and extortion expenses.
CyberCube estimated that insured losses from the CrowdStrike event could reach $1.5 bn. CyberCube projected a lower-end loss of $400 mn, noting that this could be the largest single insured loss event in the history of the affirmative cyber insurance industry over the past two decades.
Cyber insurers are evaluating the event’s implications but continue to offer clients consistent coverage.
Guy Carpenter’s report suggests that this event won’t lead to significant losses for most insurers, although this could change based on policy language, the concentration of underwriting in affected industries, and the adoption of System Failure coverage.
Insurers are preparing for a surge in claims notifications from clients affected by the technology outages. These notifications will likely focus on business interruption and dependent business interruption claims, according to Acrisure.
The global issue, originating from a cybersecurity update by CrowdStrike, caused computers to crash on July 19, with widespread economic consequences. Aon estimated that 8.5 million Windows devices were impacted.
The air travel sector alone saw over 3,000 flight cancellations and 23,900 delays due to disruptions in ticketing, operations, and other airport services.
Had the event been deemed malicious, losses could have reached $600 mn to $2 bn, according to Guy Carpenter.
This event highlights the risks of digital supply chain interconnectivity. The disruptions spread beyond CrowdStrike’s direct customers, affecting third-party networks and unrelated industries, according to Guy Carpenter.
Less than 1% of companies globally with cyber insurance were affected. A fix was implemented before the waiting period for business interruption coverage, which typically ranges from four to 12 hours in cyber insurance, expired.
Critical for evaluating network interruption claims will be the policy waiting period, the length of time the network must be impaired before the policy responds. Typical cyber waiting periods vary depending on industry class and organizational size, with 4–12 hours being most common.
An earlier estimate suggested the widespread CrowdStrike outages could cost Fortune 500 companies $5.4 bn, with 10-20% covered by cyber insurance policies, according to Parametrix. The insured loss could range from $540 mn to $1.1 bn.
Parametrix excluded Microsoft from its estimate of total damages. The outages started with a flawed update to CrowdStrike’s cybersecurity software, creating a logic problem that crashed computers globally.
A global software issue contained in an update released by cybersecurity company CrowdStrike caused computers to crash in the early hours of July 19, with a cascading impact that was felt throughout the global economy.
An estimated 8.5 mn Windows devices have been affected, broker Aon said in its own analysis of the situation.