Parametrix estimates the direct financial loss for US Fortune 500 companies (excluding Microsoft) from the CrowdStrike outage at $5.4 bn.
Fortune 500 healthcare companies face the largest loss at $1.938 bn, followed by banking at $1.149 bn. The six Fortune 500 airlines may see approximately $860 mn in losses.
Cyber insurance policies cover only 10% to 20% of these losses. The average loss per Fortune 500 company is $44 mn, ranging from $6 mn (manufacturing) to $143 mn (airlines).
Parametrix estimates the insured loss from the CrowdStrike outage to be between $540 mn and $1.1 bn.
This outage affected 8.5 mn Windows devices due to a corrupted software update from CrowdStrike.
Jonathan Hatzor, co-founder and CEO of Parametrix, notes that the analysis highlights the extent and boundaries of a systemic cyber loss event. It shows how insurers and global reinsurers can diversify their cyber risk portfolios to minimize systemic risk impacts.
“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries,” said Jonathan Hatzor, co-founder and CEO of Parametrix.
The analysis indicates that cyber insurers focusing on large companies will face greater losses compared to those with a large SME book.
While prevention is crucial, risk carriers have limited control over event occurrences and service-provider practices. The industry should focus on controllable areas like mapping and managing aggregation risk.
Understanding these points helps evaluate key exposures and mitigate threats, enabling better underwriting decisions and effective risk-transfer solutions to manage systemic risk, says Jonathan Hatzor.
CrowdStrike’s impact on global (re)insurer financial results
The recent cybersecurity software incident at CrowdStrike is unlikely to have a material impact on global (re)insurer financial results, according to Fitch Ratings.
Preliminary market estimates put global insured losses in the mid- to high single-digit billions of dollars, a level that will not significantly impact insurers. However, ongoing claims and litigation could change this.
The most affected insurance lines include business interruption, contingent business interruption, and cyber. Smaller lines such as travel insurance, event cancellation, and technology errors and omissions will also be impacted. Policy terms and conditions vary widely across regions, sectors, and business lines. We will update our analysis as more information becomes available.
Several mechanisms will limit insured losses, including lack of coverage, high deductibles, sublimits, and time element periods for business interruption claims. Most business interruption claims from cyber events have time element periods of eight to 12 hours. Claims will mostly fall within primary insurers’ retentions.
Industries like hospitals and airlines, which require 24/7 availability, will be more affected due to their lack of robust redundancies.
APAC and EMEA regions experienced more disruption during their workday compared to the Americas, which had a solution involving physical access to machines and, in some cases, a recovery key.
Microsoft estimated that the update affected 8.5 mn devices, less than 1% of all Windows machines. However, this incident highlights the growing risk of single points of failure (SPoF).
SPoFs are critical bottlenecks in a system that, if impacted, significantly affect the whole system. SPoF risk has been modeled for cloud outages and popular software like operating systems. However, it has not been well modeled for industry-specific software such as CrowdStrike or ChangeHealth.
SPoF risks are likely to increase as companies consolidate to leverage scale and expertise, resulting in fewer vendors with higher market shares.
Using multiple, redundant vendors can mitigate SPoF risks, but it adds complexity and cost and is often not feasible.
SPoF risks underscore the challenges in modeling cyber risk. The frequency of events is low, but their potential severity can be significant based on outage duration, compounding events, and uncertain remediation costs and liability exposure.
Developing the cyber risk transfer market and securitization requires product maturation, including standardized coverage terms, policy language, price discovery, and risk modeling.
Cyber risk remains difficult for insurers to assess because the root causes of claims keep changing. Challenges include a lack of effective modeling tools and limited historical claim data, where past events do not necessarily indicate future risks. Early insurance-linked securities (ILS) deals within cyber-risk transfer will involve easier-to-model, modest-sized cyber risks.
About CrowdStrike outage
The CrowdStrike outage in July 2024 caused one of the largest information technology disruptions in history. A flawed software update from CrowdStrike led to crashes of approximately 8.5 mn computers running Microsoft Windows.
This incident affected industries and government operations worldwide, with economic losses estimated in the billions of dollars.
The technical cause was an update to a configuration file that triggered a logic error, resulting in system crashes and preventing proper rebooting.
The issue was not a cyberattack but rather a software update problem that led to widespread global impact, grounding flights, disrupting banking and healthcare services, and causing interruptions in emergency services.
CrowdStrike outage key points
- Extent of Impact: The outage led to substantial financial losses for US Fortune 500 companies, estimated at $5.4 bn.
- Insurance Coverage: Cyber insurance policies covered only 10% to 20% of the losses. The weighted average loss per affected Fortune 500 company was $44 mn.
- Insured Loss Estimates: The insured loss from this outage ranged between $540 mn and $1.1 bn.
- Systemic Risk: The outage highlighted the potential for systemic cyber loss events, showing the widespread and severe impact such incidents can have. It also emphasized the need for insurers and reinsurers to diversify their cyber risk portfolios to mitigate the effects of such systemic risks.
CrowdStrike CEO George Kurtz publicly apologized for the incident, acknowledging the significant disruptions it caused.
Although the update was fixed, many affected systems required manual intervention to resolve the issue, complicating the recovery process for organizations.