CrowdStrike incident unlikely to materially impact re/insurers – Fitch Ratings

Global insured losses to range in the mid-to-high single-digit billion USD

By Kenneth Araullo

The recent cybersecurity software incident at CrowdStrike is unlikely to have a material impact on global insurer financial results, according to Fitch Ratings.

Preliminary market estimates of global insured losses range in the mid- to high single-digit billions of dollars. While these figures are subject to ongoing claims and litigation, they are not expected to significantly affect insurers.

According to a report from Fitch, the insurance lines most affected include business interruption, contingent business interruption, and cyber insurance. Smaller lines such as travel insurance, event cancellation, and technology errors and omissions will also be impacted.

Policy terms and conditions vary considerably across regions, sectors, and lines of business. Fitch will update its analysis for the sector and rated insurers as more information emerges.

Several mechanisms will limit insured losses, including lack of insurance coverage, high deductibles, sublimits, and time element periods for business interruption claims. Most business interruption claims from cyber events have time element periods ranging from eight to 12 hours. Claims are expected to be mostly within the retentions of primary insurers.

Industries such as hospitals and airlines will be more affected, as they require 24/7 availability and often lack robust redundancies. The APAC and EMEA regions experienced more disruption during their workday compared to the Americas, where a solution to the outage required physical access to machines and, in some instances, access to a recovery key.

Microsoft estimated that the update affected 8.5 million devices, or less than 1% of all Windows machines. This incident highlights the growing risk of single points of failure (SPoF). SPoFs are critical bottlenecks in system delivery that, if impacted, have an outsized effect on the system.

While SPoF risk has been modeled for cloud outages and popular software, it has not been well understood for industry-specific software like CrowdStrike.

SPoFs are likely to increase as companies seek consolidation to take advantage of scale and expertise, resulting in fewer vendors with higher market shares. Utilizing multiple, redundant vendors can help offset SPoF risks but can also add increased complexity and costs, which are often not feasible.

SPoF risks underscore the challenges in modeling cyber risk, as event frequency is low but potential severity can be significant. This is based on the duration of outages, compounding events, and uncertainty of remediation costs and liability exposure.

The development of the cyber risk transfer market and securitization requires further maturation, including greater standardization of coverage terms and policy language, price discovery, and risk modeling applications.

Cyber risk remains difficult for insurers to assess due to the dynamic root causes of claims. Challenges include a lack of effective, widely accepted modeling tools and a limited data set of historical claims, where past events are not necessarily indicative of future risks.

Early insurance-linked securities deals within the spectrum of cyber-risk transfer will comprise cyber risks that are easier to model and quantify and will be of modest size.
