Cybersecurity insurance

CrowdStrike Insured Losses May Top $1.5B and MSP Insurance Expert Advises “Read the Fine Print” on Your Policy

The CrowdStrike outage will be extraordinarily costly to the cyber insurance market. In fact, CyberCube, a company specializing in quantifying cyber risk, estimates insured losses from the July 19 event at between $400 million and $1.5 billion to the standalone cyber insurance market.

How will the CrowdStrike outage impact the cyber insurance industry? And what of its potential impact on MSSPs?

Dustin Bolander, CEO of Beltex, a cybersecurity insurance policy designed for MSPs, told MSSP Alert that there are going to be a lot of people surprised to find out that they are not covered, as most cyber insurance policies are designed around an attack.

"I do not believe that many on the insurance side considered this type of incident," he said. "I was looking at a policy for a financial services company earlier this week and it specifically excluded software design flaws. My guess is we’re going to see a lot of exclusions for the business interruption coverages this falls under."

Bolander explained that this is really a situation of “read the fine print.” For the ones that do have claims, given how large the impact was, he thinks we will definitely see some increases in premiums. But overall, "I am not seeing a large impact yet, at least in the SMB space where I focus," he said.

And what of the potential impact on MSSPs and MSPs?

"The biggest problem is going to be the MSSP/MSPs who bundle CrowdStrike into their services," Bolander said. "Who is left holding the bag? This is also a bad look for the insurance industry after pushing MSSP services when many are powered by CrowdStrike. I do not mean anything bad against CrowdStrike. This could have happened to a lot of software companies, and it will happen to someone else."

Bolander added that insurance has been wary of MSPs for years, especially around incident response and claims.

"I can’t tell you how many times I’ve heard 'the fox watching the hen house,'" he said. "The last several months they suddenly decided that does not apply to them, and start selling CrowdStrike or another MDR service, now this happens. I think you’re going to see a big backlash to insurance providing the actual security tools going forward."

In a July 25 Coalition blog post, CEO Joshua Motta advised that the CrowdStrike outage will continue to be a topic of great interest for (re)insurers, regulators and the broader cybersecurity community, as 15 companies worldwide account for 62% of the market for cybersecurity products and services. He noted that the incident highlights the ongoing discussion about risk aggregation and how (or whether) the insurance industry can insure widespread events.

"We also expect that impacted companies and their insurers will pursue indemnification from CrowdStrike, whose liability remains to be determined," Coalition co-founder and CEO Joshua Motta wrote.

Data Still Coming In, Losses Being Assessed

The faulty CrowdStrike Falcon Sensor update and subsequent outage, which triggered the Blue Screen of Death, would represent a loss ratio impact of roughly 3-10% on global cyber premiums of $15 billion today, CyberCube reports. It would also be the largest single insured loss event in the history of the cyber insurance industry over the past 20 years.

CyberCube describes the outage as “a major event for the cyber insurance market” but noted that it “does not come close to the destructive potential that leading insurers are holding capital against.”

CyberCube's Cyber Aggregation Event Response Service (CAERS) was activated as a result of the CrowdStrike outage. CAERS provides up-to-date intelligence on major cyber catastrophes worldwide as they unfold to ensure clients have information that is relevant and tailored to the insurance market, according to CyberCube.

CyberCube said its current estimates are provisional and based on the best available information, as the event is still unfolding, with a relatively significant percentage of systems yet to be restored. CyberCube expects cyber insurance carriers to see disproportionate losses in portfolios that have significant large corporate exposures.

“The non-malicious nature of the event also affects the insurance coverage that is triggered in policies,” CyberCube said in a statement. “This means that contingent business interruption from ‘system failure’ will likely be the loss trigger. This coverage may not be offered as standard in many policies and where offered, will often be sub-limited.”

CyberCube noted that each insurance carrier’s claims experience depends on some pivotal criteria relating to the characteristics of its specific portfolio. Those criteria include coverage for non-malicious system failure, contingent business interruption and the makeup of insureds in that portfolio. CyberCube explained that each insurance portfolio will substantively differ in these respects, so it would not be accurate to apply cyber insurance market share allocations to reach an individual carrier’s loss potential.

Parametrix Assesses Potential Losses

Reuters reported that U.S. Fortune 500 companies, excluding Microsoft, whose faulty code caused the outage, will face $5.4 billion in financial losses over the outage, according to Parametrix, a specialist in mapping, assessing and modeling cloud outage risks for the cyber insurance industry. Insured losses from the outage will likely total $540 million to $1.08 billion for the Fortune 500 companies, the insurer said in a statement.

The outage was likely to be "the biggest accumulation event we ever saw in cyber insurance," Parametrix CEO Jonatan Hatzor told Reuters. "This event travelled very fast and was very global."

Hatzor estimated the total global insured losses at between $1.5 billion and $3 billion, and said that financial losses globally from the outage could total around $15 billion, as companies struggle to get their computers back up to speed.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.