A $0.96 billion industry-wide loss for US cyber insurance policyholders impacted by the CrowdStrike IT outage has been forecast by cyber insurance provider Coalition, a low figure compared with the losses from natural catastrophe events that routinely impact the insurance industry.
The IT outage took place on July 19, caused by a corrupted software update that CrowdStrike sent out to its large customer base.
This led to widespread issues with Microsoft’s Windows, affecting 8.5 million Windows devices, with the healthcare, financial and air travel industries feeling the biggest impact.
The CrowdStrike outage – which has been called “the largest IT outage in human history” – is the third material supply chain outage of 2024, following the outages of Change Healthcare, impacting thousands of hospitals, pharmacies, and medical practitioners, and software vendor CDK, impacting thousands of car dealerships.
Despite the significant impact of these events, Coalition does not “expect any to reach the levels of loss of natural catastrophe events that routinely impact the insurance industry,” Joshua Motta, CEO and Co-founder of Coalition, stated.
He continued: “Our own modelling, leveraging our Active Cyber Risk Model, suggests a $0.96 billion industry-wide loss experienced by US cyber insurance policyholders at the upper bound prior to consideration of coverage limitations.
“Of course, any model of this event will also be highly sensitive to the least credible assumption (most likely, the share of impacted systems), which if reduced, would decrease our estimate to $0.27 billion (or lower).”
According to Motta, this figure is, in a very small part, a result of impacted organisations being insured for amounts far lower than their actual financial losses.
It also reflects the cyber insurance industry's advantage of affirmatively covering cyber perils, including thoughtfully designing coverage to avoid large systemic risk aggregation, the executive highlighted.
He added: “Cyber insurance cynics also routinely (and massively) underestimate the amount of technological diversification across organisations that limit the possibility for systemic loss, as well as the ability of organisations to quickly learn, react, and even cooperate with others to dramatically reduce the severity of losses.
“Attempts to analogize cyber catastrophes with natural catastrophes are profoundly misguided as a result. Case in point: the 8.5 million computers impacted in the CrowdStrike outage account for less than 1% of computers running Windows, according to Microsoft, and represent an even smaller fraction of the estimated 10 billion+ computer systems in operation globally. Many, although not all, organisations were able to recover within hours, if not days.”
By leveraging massive data sets and analytical capabilities, cyber insurers like Coalition are able to accurately model and assess common disaster scenarios. These models are then used to determine how such scenarios can be covered and at what cost.
Because of this, the insurer has been able to predict that events like the CrowdStrike IT outage “are unlikely to reach catastrophic levels,” although the failure of more ubiquitous software products could, according to Motta.
Speaking about the broader cyber insurance marketplace, particularly insurers with lesser capabilities, Motta said that the insurer “expects these concerns will more likely be addressed by changing and, in some cases, restricting or excluding coverage.”
He continued: “Some insurers have already introduced catastrophic or widespread loss sub-limits and exclusions that may limit or exclude coverage for specific cyber losses that impact a large number of organisations.
“Others are adding dependent or contingent business interruption sub-limits, exclusionary language that may apply to organisations that weren’t direct targets (but suffer consequences of a supply chain cyberattack), or removing the coverage altogether, even if only temporarily.”
