Global disaster resulted in waves of losses, reinsurance specialists claim.
Two prominent reinsurance brokers provide professional insights into the recent CrowdStrike global IT disruption, which caused widespread breakdowns of Microsoft Windows systems around the world.
CrowdStrike, a cybersecurity company, issued a software upgrade for its Falcon Sensor product on July 18. The Falcon Sensor is meant to identify harmful attacks at the endpoints of computer systems. The upgrade caused PCs all over the world to experience “blue screen of death” (BSOD) issues.
So far, the upgrade has only impacted Microsoft customers; there have been no reports of other operating systems being affected. The system failure triggered by the CrowdStrike update impacted a wide range of industries, including airlines, banks, merchants, hospitality, and others.
Guy Carpenter draws attention to this incident as a lone weak link in an intricate, international IT supply chain. Cyber insurers must to analyse the supply chain dependencies of their policyholders, appraise the possibility of aggregation across widely utilised technologies, and adjust risk tolerances correspondingly.
Traditional proportional and aggregate structures, which address all causes of loss, will apply to system failure losses. Targeted catastrophe coverage, many of which react to precisely defined catastrophic events, have become more popular in recent renewal cycles. The definitions underlying event-based policies are specific to the cedent’s understanding of risk and the manner in which coverage was negotiated.
Recoveries from event-based products will differ based on how each underlying wording differentiates coverage between malicious and non-malicious cyber incidents. As this incident progresses, Guy Carpenter will clarify its impacts on assumptions around tail risk and the overall $15.5 billion global cyber industry moving forward.
Given the magnitude and scope of this outage, consequences may affect product lines beyond cyber risk, most prominently directors and officers (D&O) and property/casualty (P&C).
Historically, securities class actions resulting from technological incidents have performed poorly. Companies involved in or affected by the incident may face additional liability if they struggle to resume operations, perhaps leading to shareholder derivative litigation alleging violation of fiduciary duty by the board.
With the continuous integration of IT and operational technology, insurers must consider the physical consequences of technological failures. The potential risk for P&C coverage depends on how insurers address cyber as a peril and whether the contract includes a “silent cyber” exclusion. Policies that do not address cyber risk may leave them vulnerable to bodily injury or property loss as a result of a cyber-related system failure.
Guy Carpenter stresses the importance of understanding the broader implications of such incidents on the insurance market, underscoring the need for comprehensive risk assessment and strategic planning in light of evolving cyber threats.
Acrisure Re weighs in on CrowdStrike outage
Acrisure Re notes that the extent of the problem has been exacerbated by CrowdStrike’s popularity among large companies globally. With manual reboots likely required for individual endpoints, IT teams could take days to resolve the issue completely.
Cybersecurity professionals have long been concerned about systemic issues and widespread events. While many believed the most likely cause would be malicious incidents, such as the WannaCry and NotPetya attacks in 2017, this event demonstrates that non-malicious incidents can have similarly wide-ranging impacts.
Acrisure Re points out that Australasia may have been the hardest hit location due to the timing of the update release, as many Western hemisphere users of CrowdStrike were not trading during the attempted update.
The extensive use of CrowdStrike by large worldwide corporations emphasises the need of having a diverse set of high-quality cybersecurity vendors to reduce single points of failure.
Insurers are expected to receive a flood of notices in the coming days, with losses most likely covered under business interruption (BI) and dependent business interruption (DBI) provisions. Most cyber policies have triggers for both harmful and non-malicious events, and BI and DBI coverage often includes incidents involving IT providers. Some cyber plans include DBI coverage for non-IT vendors.
Acrisure Re highlights that insurers will have engaged their panel vendors to work with impacted companies to reduce insured downtime and extra expenses. Insurers may also expect bricking losses if the manual reboot required for individual endpoints is not universally successful, or if the resulting downtime incurs larger BI losses than simply replacing a device.
Acrisure Re notes that over 20,000 companies use CrowdStrike Falcon with Microsoft, and many Managed Security Service Providers (MSSPs) license CrowdStrike for their clients, bringing single points of failure and systemic exposures among SMEs into greater focus. The number of companies relying on a business using CrowdStrike Falcon with Microsoft is estimated to be in the millions.
Insurers will need to develop a plan to manage and address these exposures without withdrawing coverage that is crucial to buyers. In the short term, insurers should maintain their stance until the full picture becomes clear, according to Acrisure Re.
