The CrowdStrike Outage and What it Could Mean for Insurance
Sibylle Fischer September 2, 2024 Digitalisation, Cyber
How will the CrowdStrike outage impact the way we price and underwrite cyber risk?

CrowdStrike’s botched update and subsequent IT outage this July had global repercussions, leaving businesses and investors with many outstanding questions, including around how to effectively price and underwrite cyber risk.

The incident

CrowdStrike is a widely implemented cloud-based threat detection software used by multinational corporations, government agencies and countless other organisations to protect against hackers and cyber attacks.

On July 18, 2024, a botched software update from CrowdStrike rendered thousands of Microsoft Windows machines around the world temporarily useless, as they experienced the “Blue Screen of Death” when attempting to boot up.

The incident led to a global IT outage that halted flights, closed retailers, delayed surgeries and generally caused widespread operational havoc for banks, airlines, rail providers, and many other businesses.

According to Parametrix data, a quarter of the Fortune 500 experienced direct costs. That amounts to some 125 corporations, including 100% of airlines, 75% of the health and banking sector, and 43% of retailers and wholesalers.

Why did it happen?

We now know the CrowdStrike outage was neither a security incident nor a cyber attack, but rather an undetected error in a security software update made to CrowdStrike’s Falcon Sensor product, which resulted in a Windows operating system crash.

As CrowdStrike continues to recover from the incident, it's investigating and providing updates – outlining its remediation efforts and also some planned preventative actions it will take to stop a similar crash from happening in the future.

What comes next?

The CrowdStrike outage has given the world a potent illustration of the fragility of our global technology systems, which we’ve now seen can be devastated by a single piece of flawed software. And though the world is no stranger to technology-driven outages, the scale of the CrowdStrike incident is particularly unsettling. Many of the most impacted sectors are being urged to conduct more thorough risk assessments of their systems, especially any third-party dependencies they may have. Some are also drafting contingency plans to be used in the face of different potential scenarios.

Pricing cyber risk

Though the total impact to insurers is still unfolding, the CrowdStrike outage represents a significant test for cyber insurance underwriters, with losses among U.S. Fortune 500 companies thought to be somewhere in the neighbourhood of $540 million to $1.8 billion.

The incident has also helped renew lingering scepticism around pricing cyber risk. Warren Buffett has weighed in, asserting the potential for huge losses in cybersecurity insurance and urging caution. Others expressed uncertainty around how insurers calculate risk and determine liability and cost for cyber catastrophe events. For example, business interruption insurance may be triggered by certain intentional security incidents or acts, but does it apply to a random system failure like we saw with the CrowdStrike incident?

In a tech-enabled world, where almost every company, large or small, runs at least partially digitally (for example, a bakery using PoS software), all operations are on some level digital operations carrying cyber risk. Which raises the question: can cyber policies actually assume this much risk? At this massive scale, maximum ceilings for payouts (and lots of reinsurance) will be essential. However, when it comes to future catastrophic disruptions, there remains a fair amount of grey area. New types of policies (thinking more along the lines of how insurers cover environmental disasters) may be necessary for global events like the CrowdStrike outage.

Today, the number of cybersecurity policies being written is still relatively small, but many analysts expect that to change, as cyber is currently one of the fastest growing segments in insurance. Consequently, when it comes to mitigating cyber loss, there is likely to be more focus in coming months and years on having the right data and tools to both price cyber risk, and prevent cyber losses, more effectively.
