CrowdStrike Event Cyber Losses Could Reach Into Billions

No major financial impact expected for global insurers, reinsurers

July 25, 2024

Insured losses from the CrowdStrike IT outage on July 19 that impacted companies across several key industries could reach into the billions of dollars, but will not likely cause any major financial impact for global insurers and reinsurers, according to estimates.

On July 19, cybersecurity company CrowdStrike released a software update that impacted IT systems globally for computers powered by Microsoft Windows. Microsoft, in a blog post, estimates the CrowdStrike update affected 8.5 million Windows devices, or less than 1% of Microsoft machines. But Microsoft adds, “While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services.” The impact of the outage quickly made headlines, particularly in the airline industry when major flight delays were announced throughout July 19. Delays continued into the following days. Other major industries were impacted as well, including banking, finance, and health care.

Insurer Parametrix said in a statement that U.S. Fortune 500 companies, excluding Microsoft, are expected to see direct financial losses of about $5.4 billion, but the portion covered by cyber insurance policies “is likely to be no more than 10% to 20%, due to many companies’ large risk retentions, and to low policy limits relative to the potential outage loss.” Parametrix adds that the largest direct financial loss will be suffered by Fortune 500 companies in the healthcare sector ($1.9 billion) and banking ($1.1 billion). “Companies in these sectors take 57% of the loss, but account for only 20% of Fortune 500 revenues…,” says Parametrix. The event is expected to cost Fortune 500 airlines approximately $860 million against revenue of about $1.9 billion.

Fitch Ratings, meanwhile, says global insured losses from the incident are expected to range “in the mid to high single digit billion [in U.S. dollars],” which Fitch says is unlikely to have a material impact on global (re)insurer financial results.

CyberCube, a firm that analyzes cyber risks, says its cyber catastrophe model estimates preliminary insured losses from the event for the standalone cyber insurance market at between $400 million and $1.5 billion, which the firm adds is about a 3% to 10% impact on the $15 billion in global cyber premiums. CyberCube states, “This scale of loss could make the [CrowdStrike] event the largest single insured loss event in the history of the affirmative cyber insurance industry over the past 20 years.” But the firm adds that an event of this scale “does not come close to the extreme scenarios currently being modeled by cyber insurers and reinsurers.”

CLM members and fellows weighed in on the implications of the CrowdStrike event for the insurance industry, the main takeaways, and how such events may be handled and prevented in the future.

Main Takeaways 

Edward Donohue, partner, Hinshaw & Culbertson LLP: “The CrowdStrike shutdown was caused by an update intended to enhance Microsoft customer malicious activity sensors. It is relatively unusual for an error like this to remain undetected before it impacts end user machines. A logic error such as this is generally caught sooner and resolved with a simple customer reboot. Here, the error affected individual Windows PCs, causing the so-called ‘Blue Screen of Death.’ That fix is manual and tedious, requiring the entry of a 48-character BitLocker Code.

“A similar large shutdown was caused by a 2010 McAfee virus update. In both instances, the error was blamed on lack of adequate internal quality assurance testing before launching the update.

“However, CrowdStrike’s direct legal liability for the resulting economic loss is far from clear. CrowdStrike’s ‘Terms and Conditions’ (TAC) are robust in limiting its product warranties. ‘Click Wrap’ customer agreement forms such as this are generally upheld by the courts. The TAC disclaims any warranty for failures in its malware search products. The company agrees only to make best efforts to work around errors once detected. Though this TAC may be tested by some customers in court, the better initial strategy is for businesses to review their contingent business interruption insurance. Many contemporary commercial policies cover losses caused by such an incident.”

Jeff Krull, principal, cybersecurity practice leader, Baker Tilly: “Given the interconnectivity of shared services and reliance placed by companies on a small number of global IT suppliers, cyber incidents—whether an intentional attack or an unintentional error such as the CrowdStrike event appears to be—are going to happen. Companies should prepare for various outage scenarios, including the most extreme, where the system no longer exists.”

Bernard Regan, principal, forensic, litigation and valuation services, Baker Tilly: “The CrowdStrike event could be the trigger for cyber insurers to create separate products to segregate incidents arising from systemic or catastrophe events, such as the CrowdStrike occurrence, from the more isolated ransomware and data breach events that the cyber market typically deals with.

“Large volume losses such as the CrowdStrike event will test the capacity of handling claims in the cyber insurance market. Dealing with claim volumes in these magnitudes will be challenging for those relying on traditional means. Affected insurers will likely turn to third-party advisors to employ technology solutions to assist with large volume events such as this going forward. Re-insurers will be looking carefully at their exposure and how to address it for reserving purposes.

“Subrogation (recovery action against CrowdStrike) will be an avenue that insurers will likely consider if they end up paying their clients for business expense/extra expense (BI/EE) losses. Even with insurance in place, uninsured losses (retentions, or non-covered expenses) may exist, in which case direct recovery between those affected and CrowdStrike would be the affected business route to financial recovery. Furthermore, CrowdStrike may provide some kind of credit to their subscribers or some other kind of refund, but this would be based on the contract that is in place between them.”

Nick Vaernhoej, assistant vice president – IT chief information security officer, Church Mutual Insurance: “Friday’s CrowdStrike event caused massive worldwide disruptions. While labeled a ‘cyber event,’ it was caused by a routine update to CrowdStrike’s Endpoint Detection and Response (EDR) software. EDR software is a widely used cybersecurity solution that monitors and responds to threats on desktops, servers and mobile devices.

“Automated updates applied to production systems without validation caused this event to be so disruptive. Without the validation, all systems that received the update were corrupted. IT organizations frequently leverage automated deployments for the efficiency they provide, and most are successful. However, most internal technology departments deploy updates through a disciplined process known as IT Change Control process. Change Control processes ensure technology changes have been thoroughly tested prior to deployment and appropriate recovery plans are ready in case of a failure. In the realm of cyber defense tools, updates often bypass Change Control and are deployed directly to production systems without extensive scrutiny. This approach, though seemingly haphazard, balances risk and reward with the primary objective of keeping the EDR tool up to date to prevent data breaches.

“Our key takeaway is that IT processes and systems rely heavily on trusted service providers and partners, with the understanding that the service providers are using formalized change control processes before deployment. The CrowdStrike event has demonstrated that the expectation of perfection is unrealistic. Therefore, organizations themselves must ensure they have robust Disaster Recovery (DR) and Business Continuity capabilities and plans to recover from this type of event.”

Preparing for Future Events

Krull: “Again, the CrowdStrike event illustrates that given the inter-connectivity of shared services and access to global platforms, there is always a risk of a significant outage incident. No matter the impact to a particular company, an event such as this should make all businesses carefully evaluate their business continuity and recovery plans.

“Companies will prepare for and react differently to system outages depending on the business type and risk tolerance.

“Businesses that can afford some downtime should an outage occur, should have downtime procedures in place and practice them during off-peak times to ensure that they work and that once the company is able to get its systems back online data can be entered/restored.

“Companies whose business models have a very low tolerance for interruptions need to invest in redundancies that will enable them to avoid business interruption and achieve a rapid, full-scale recovery. This can be costly but is often an effective way to protect against a system outage. Redundancy efforts could include multiple cloud providers and local data centers that provide ‘hot sites’ that are ready to go in the event of a system outage or failure. These types of organizations should also test how rapidly they can recover the entirety of their systems from offline immutable backups regularly.”

Regan: “With the type of events occurring, it is not the usual ransomware events that the cyber market, or the corporate are experienced with. These types of ‘out of the blue’ incidents really do have a different response plan than the regular cyber incident responses. With events such as these, the cyber policy language will be tested, and the definitions within the policy will be scrutinized to help understand where the cover lays. One comment we would make is that the cyber policy is often looked at from a ransomware event and not always from a system outage perspective.”

Vaernhoej: “Prevention comes with a risk-reward relationship. From a cybersecurity perspective, the risk for a cyberattack is likely higher and it’s advised organizations enable the automated updates to cybersecurity systems, which include vulnerability updates. This decision should be evaluated along with the business impact analysis (determining the criticality of the system and its function). If the system is highly critical for life/safety, the decision may be to delay the updates and further limit access to those devices on the network. These decisions should be part of an organization’s risk evaluations and plans with mitigation strategies. Preventing failures completely is unrealistic. No system or organization can be perfect. The focus should be on planning and preparing for recovery from an unexpected and unpredictable event. Here are some possible solutions:

  • Enhance Disaster Recovery Planning: Ensure your organization has comprehensive and well-tested DR plans in place. Regularly update these plans to adapt to new threats and vulnerabilities. This includes performing system backups, ensuring system recovery keys are archived and available in other formats in the event the backup systems are impacted. Depending on the criticality of the systems, organizations may also consider contracting for incident response services.
  • Continuous Testing: Conduct regular testing of your recovery capabilities. At Church Mutual Insurance Company, we test our capabilities quarterly and continuously address areas of improvement.
  • Prioritize Business Continuity: Embed Business Continuity and Disaster Recovery into your enterprise risk management processes. This approach ensures recovery is a persistent consideration and not a one-time exercise.
  • Support and Training: Provide ongoing support and training for your IT team to handle unexpected events effectively. Encourage a culture of continuous learning and improvement.”
About The Authors
Angela Sabarese, Associate Editor of CLM. angela.sabarese@theclm.org
