The recent CrowdStrike event has underscored the risks associated with digital supply chain interconnectedness. The incident not only affected CrowdStrike's customers but also extended through third-party networks, impacting various unrelated industries.
Despite the disruption, insurers have largely maintained their coverage for clients, reflecting the cyber insurance market's resilience.
In its latest report, Guy Carpenter has provided estimates and insights into the losses from this event, evaluating its implications for underwriting and catastrophe risk management. While the affected devices represent only a small fraction of Microsoft's total, the update issue caused significant global operational disruptions.
These disruptions included the cancellation or delay of over 7,000 flights and impacts on critical infrastructure sectors like healthcare, retail, financial services, and hospitality. Many insured parties have filed notices of circumstances, and the claims process is still in its early stages.
The event has prompted cyber catastrophe model vendors to consider accidental event scenarios alongside malicious ones. The CrowdStrike outage, while non-malicious, highlighted the difference in response and cost between accidental and malicious incidents: accidental incidents, such as those involving system failure, lack costs like forensic expenses and data restoration that are common in malicious cases.
Guy Carpenter estimates that the non-malicious nature of the outage limited its overall impact. Less than 1% of companies with cyber insurance globally were affected. The rapid deployment of a fix allowed many organizations to address the outage before the typical four- to 12-hour waiting period for business interruption claims expired.
As a result, the estimated insured loss ranges between $300 million and $1 billion. Guy Carpenter's findings suggest that most insurers will not experience material losses from this event, although variations in policy wordings, industry sector concentration, and system failure coverage uptake could influence outcomes.
In a scenario where the event had been malicious, Guy Carpenter estimates that losses could have reached between $600 million and $2 billion. This potential severity highlights the increased risk for organizations dependent on widely used software and operating systems.
The incident also provided a learning opportunity for both technology providers and their clients. CrowdStrike's quick response and transparency helped mitigate the disruption, and the company has announced measures to reduce the risk of similar events in the future.
This event serves as a reminder of the need for robust risk management practices in the face of technology-dependent operations.