Two major reinsurance brokers offer their expert insights on the recent CrowdStrike global IT outage, which resulted in widespread crashes of Microsoft Windows systems worldwide.
On July 18, cybersecurity company CrowdStrike released a software update for its Falcon Sensor product, designed to detect malicious threats at a computer system’s endpoints. The update resulted in computers worldwide experiencing “blue screen of death” (BSOD) errors.
So far, the update has only affected Microsoft users, with no reports of other operating systems being impacted. The system failure caused by the CrowdStrike update affected a broad cross-section of industries, including airlines, banks, retailers, hospitality, and more.
Guy Carpenter highlights this event as a single point of failure in a complex, global IT supply chain. Cyber insurers should evaluate policyholder supply chain dependencies, assess the potential for aggregation across commonly used technologies, and recalibrate risk tolerances accordingly.
System failure losses will fall under traditional proportional and aggregate structures, which respond to all causes of loss. In recent renewal cycles, buying behavior has shifted towards targeted catastrophe covers, many of which respond to specifically defined catastrophic scenarios. Event-based products and the definitions behind them are unique to the cedent’s view of risk and how coverage was negotiated.
Recoveries from event-based products will differ based on how each underlying wording differentiates coverage between malicious and non-malicious cyber incidents. As this incident progresses, Guy Carpenter will clarify its impacts on assumptions around tail risk and the overall $15.5 billion global cyber industry moving forward.
Given the magnitude and scope of this outage, consequences may affect product lines beyond cyber risk, most prominently directors and officers (D&O) and property/casualty (P&C).
The implications for the D&O towers of companies involved in or impacted by the incident may include a potential 10% intraday stock drop for a publicly traded company, which may incentivize class action lawsuits. Subsequent share price movements and any ultimate recovery may also impact the likelihood of litigation.
Historically, securities class actions arising from technology incidents have fared poorly. Companies involved in or impacted by the event may face increased exposure if they struggle to restore operations, potentially facing shareholder derivative suits alleging breach of fiduciary duty by the board.
With the continued integration of IT and operational technology, insurers must also consider the physical consequences that may arise from technology failures. Potential exposure for P&C policies will depend on how insurers address cyber as a peril and whether the policy includes a “silent cyber” exclusion. Policies that remain silent on cyber risk may be exposed to ensuing bodily injury or property damage as a result of cyber-related system failure.
Guy Carpenter stresses the importance of understanding the broader implications of such incidents on the insurance market, underscoring the need for comprehensive risk assessment and strategic planning in light of evolving cyber threats.
Acrisure Re notes that the extent of the problem has been exacerbated by CrowdStrike's popularity among large companies globally. With manual reboots likely required for individual endpoints, IT teams could take days to resolve the issue completely.
Cybersecurity professionals have long been concerned about systemic issues and widespread events. While many believed the most likely cause would be malicious incidents, such as the WannaCry and NotPetya attacks in 2017, this event demonstrates that non-malicious incidents can have similarly wide-ranging impacts.
Acrisure Re points out that Australasia may have been the hardest-hit location due to the timing of the update release, as many Western hemisphere users of CrowdStrike were not trading during the attempted update.
The widespread use of CrowdStrike among large global companies underscores the importance of having a broad panel of high-quality cybersecurity vendors to reduce single points of failure.
Insurers are expected to see a wave of notifications in the coming days, with losses likely under business interruption (BI) and dependent business interruption (DBI) clauses. Most cyber policies include triggers for both malicious and non-malicious events, and BI and DBI coverage typically extends to incidents at IT vendors. Some cyber policies also provide DBI coverage for non-IT vendors.
Acrisure Re highlights that insurers will have engaged their panel vendors to work with impacted companies to reduce insured downtime and extra expenses. Insurers may also expect bricking losses if the manual reboot required for individual endpoints is not universally successful, or if the resulting downtime incurs larger BI losses than simply replacing a device.
Acrisure Re notes that over 20,000 companies use CrowdStrike Falcon with Microsoft, and many Managed Security Service Providers (MSSPs) license CrowdStrike for their clients, bringing single points of failure and systemic exposures among SMEs into greater focus. The number of companies relying on a business using CrowdStrike Falcon with Microsoft is estimated to be in the millions.
Insurers will need to develop a plan to manage and address these exposures without withdrawing coverage that is crucial to buyers. In the short term, insurers should maintain their stance until the full picture becomes clear, according to Acrisure Re.