Moody’s: Insurance losses from CrowdStrike outage will be driven by business interruption

CrowdStrike outage expected to spur demand for cyber insurance and drive further focus on systems failures.

The global IT outage stemming from a faulty CrowdStrike software update on July 19 will lead to cyber insurance losses primarily driven by business interruption claims, Moody’s Ratings said in a report released on Monday. A figure of $1.5 billion for insured losses has been floated.

Moody’s warned that determining final losses for the industry will be a lengthy process due to cyber insurance policy language not being standardized.

The US and European insurance markets will be most affected. At the moment CrowdStrike deployed its disastrous update, “more Asia-Pacific systems were online than European and US systems, but Europe and the US have a greater share of cyber insurance coverage than does the Asia-Pacific region,” Moody’s Reports said.

Estimating losses

Businesses are expected to make claims under “systems failure” provisions, coverage that is becoming standard for cyber insurance policies, because the incident was not considered a malicious attack. Moody’s said insured organizations will link claims to direct business losses as well as contingent losses of third-party vendors. The outage is also likely to spur larger reviews of underwriting, with a focus on systems failure, according to Moody’s.

Insured losses from the outage will likely total $540m to $1.08 billion for Fortune 500 companies (excluding Microsoft), Parametrix said in a statement. The outage was likely to be “the biggest accumulation event we ever saw in cyber insurance,” Parametrix CEO Jonathan Hatzor told Reuters.

CyberCube has released a range of $400m to $1.5 billion for just the standalone cyber insurance market, which represents 3% to 10% of the $15 billion in global cyber premiums held today.

The healthcare and banking sectors are set to record the largest direct losses in the US as a result of the global disruptions caused by a faulty CrowdStrike software update crashing Windows systems.

“Claims from the outage will be made for direct losses to the insured because of their own system failure as well as contingent business interruption caused by an insured’s vendor being affected by the outage. A smaller number of claims may emerge from technology errors and omissions policies,” Moody’s said.

Cyber insurance policies will likely cover no more than a sliver of the losses – perhaps 10% or 20%, if anything – “due to many companies’ large risk retentions, and to low policy limits relative to the potential outage loss,” Parametrix said. Losses nonetheless will add up to a “big loss” for cyber insurers, Hatzor told S&P Global.

Fitch Ratings said several factors will limit the number and size of claims, such as waiting periods in some cyber insurance policies, self-insured retentions or the timing of the outage.

“Preliminary market estimates of global insured losses that range in the mid- to high single digit billion USD would not translate into a material impact for (re)insurers, but they are subject to ongoing claims and litigation. The insurance lines most affected will be business interruption, contingent business interruption and cyber. Several smaller lines such as travel insurance, event cancellation, and technology errors and omissions will also be affected,” Fitch said.

Systems failure coverage

Moody’s said it expects underwriters to evaluate the scope and nature of the event and adjust their underwriting, focusing on systems failure coverage. But not all systems-failure coverage will apply to this incident, it said, since some policies exclude nonmalicious events or require losses to reach a certain threshold before being triggered.

“Although insurers have improved their ability to analyze potential insured losses related to individual data breaches, ransomware losses, and business interruption, it remains challenging to analyze widespread outages. Cyber modelling has advanced, but the risks are constantly evolving, which creates uncertainty around return periods and the likelihood of an event.”

The CrowdStrike outage will prompt further scrutiny of risk aggregations and modelling practices and spur demand for cyber insurance, Moody’s predicted.

Legal experts have noted that lawsuits tied to disputes over insurance compensation for the outages could take years to work through the courts.

SPoFs

The global outage revealed the broad risks posed by a single point of failure (SPoF) and the degree to which many segments of the economy are interconnected and interdependent; Moody’s compared it to a supply-chain cyber attack. SPoFs are critical bottlenecks in the delivery of systems that, if affected, will have an outsized effect on the system.

SPoF risk has been modeled for cloud outages and popular software such as operating systems; however, it has not been well modeled or understood for industry-specific software such as CrowdStrike or – more recently – ChangeHealth, Fitch points out.

“SPoFs are likely to increase as companies seek consolidation to take advantage of scale and expertise, resulting in fewer vendors with higher market shares. Utilizing multiple, redundant vendors can help offset SPoF risks, but can also add increased complexity and costs that often are not feasible,” Fitch said.

Future Considerations

In a blog post, Damini Mago, Assistant Director for Product Management at Moody’s, offers a helpful list of future considerations and key lessons for enterprises, cybersecurity teams, and the cyber insurance industry at large. Those include:

  • Testing and Validation: Even trusted vendors need to undertake rigorous testing and validation processes before deploying updates. This can mitigate the risk of widespread disruptions.
  • Rollback Mechanisms: Enterprises should have robust rollback mechanisms in place to quickly revert to previous states in case of problematic updates.
  • Communication and Support: Effective communication channels and support mechanisms are crucial for guiding users through troubleshooting processes, especially during widespread incidents.
  • Balancing Risk: Organizations must balance the need for automatic updates to protect against malicious threats with the potential risks of such updates causing disruptions.
  • Insurance Clarity: Clear understanding and documentation of cyber insurance policies are essential to determine coverage in connection with such incidents.