Last week, Tokio Marine HCC, the international insurance group, released its annual Top 10 Cyber Incidents report for 2024. One of the largest disruptions in IT history - the CrowdStrike outage - came in at number one.
This infamous event, six months ago, blindsided many insurance industry stakeholders and caused estimated financial losses of US$5.4 billion. Insurers got off lightly: the relatively rapid recovery meant many business interruption (BI) policies failed to trigger.
Looking back, Anish Sinha sees the CrowdStrike incident as a wake-up call for insurers and the business world at large.
“The CrowdStrike outage finally put cybersecurity insurance in the firm view of every CEO and business owner in this country,” said Sydney-based Sinha, COO of upcover.
The insurtech firm he co-founded blends insurance distribution with insurance broking. His CEO, Skye Theodorou, is a qualified broker.
“That a black swan event like this [CrowdStrike incident] could happen and bring all business activity to a standstill was made visibly clear,” he said.
Sinha said our hyper-connected world means SMEs can be among the most vulnerable to interruptions from these types of events.
“Unfortunately, not even insurers are well-positioned to predict the severity of such events when they happen and guard against their fallout,” he said.
However, the COO said this event was a good thing for the industry because it raised cyber awareness.
“On a surface level it's bizarre that we would consider this to be a positive,” he said. “But the risk of a massive event like this happening has always been front of mind for those offering coverage in this category of insurance.”
Sinha said the lack of precedents for cyber or IT events like this makes risk modelling and pricing extremely difficult for an insurer.
“Insurers should also aim to increase coverage penetration among small business owners rather than passing on the steep price increases to their existing policyholders,” he said.
He suggested the broad impact of the CrowdStrike outage could be prompting more businesses to consider taking out cyber insurance.
Increasing cyber insurance penetration among SMEs continues to be a major broker challenge. According to CFC Underwriting, a specialist cyber insurer, only about 10% of SMEs in Australia buy this coverage.
One major impediment for small businesses can be the high cost. However, the result of not having cyber insurance can be more costly.
During a December webinar for Aussie brokers, Philippa Davis, CFC’s international cyber team leader, said 60% of SMEs without a cyber policy shut down their business within six months of suffering an incident.
“There are so many people that have no idea that everything they’ve built over the last 25 years could go in one cyber incident,” he said.
The Tokio Marine report said that the CrowdStrike event demonstrated that the “highly concentrated” market of cloud service providers is now a systemic risk for businesses. According to the report, together, Amazon and Microsoft have more than 60% of cloud market share.
“Cloud providers host not only individual companies but also the platforms and software ecosystems that support global supply chains,” said the report. “A failure or breach in a leading cloud provider can disrupt thousands of dependent services simultaneously.”
The report’s authors recommended several strategies to mitigate the risks of using cloud providers:
Where a firm’s data and systems use multiple cloud providers.
It shifts some computer operations “closer to end users to distribute dependency.”
Where cloud providers are required to “maintain high resilience and transparency standards.”
However, the authors said mitigating cloud risks does introduce challenges for a business. Those include an increase in the cost and complexity of managing IT and cyber systems.
The report suggested that the CrowdStrike incident has contributed to firms considering on-premise data centres “in certain scenarios”. These facilities, the authors said, can reduce risk by minimising exposure to “third-party failures” and also simplify compliance requirements.