Feature

CrowdStrike outage a chance for cyber insurance sector to ‘show its worth’

The global IT failure was the result of a hamfisted software update which shows that cyber risk is more than just ‘a guy in a hoodie’, says Emergence CEO Troy Filipcevic.

July’s CrowdStrike outage grounded planes, froze payment systems, and – temporarily – halted cancer treatment. Even cyber risk specialists were not immune to the impact of the now infamous ‘blue screen of death’ which flashed up on the world’s computer screens.

“One of our guys in New Zealand was out for dinner with his wife, and couldn’t pay for his meal because the restaurant’s systems were down,” says Troy Filipcevic, CEO of Emergence, an Australian managing general agent (MGA) that specialises in cyber.

Luckily for the Emergence employee, nearby ATMs were not affected by CrowdStrike’s hamfisted update to its Falcon cybersecurity program, which had disabled Windows operating systems globally, and he was able to settle his bill.

Filipcevic says the implications of the CrowdStrike failure will be felt for the longer term by the cyber insurance industry, not least because of the current lack of clarity over the size of claims. Industry estimates of the global loss have varied from US$1bn up to US$3bn, but the CEO says it’s too early to tell what the final bill will look like.

“Initial estimates of CrowdStrike losses are just thumb in the air, quick and dirty calculations, and the full impact won’t play out in the next week or two – instead it will be well into 2025 before the full cost becomes clear”, he says. 

Lucking out 

So far Emergence has received loss notifications from large corporate clients but none from SMEs and Filipcevic says this is part of a broader pattern of big firms being hit hardest by CrowdStrike – ironically because the cyber security services on offer by the Texas-headquartered tech firm are too expensive for smaller businesses. 

CrowdStrike charges for its software based on what is known in the cyber security industry as ‘endpoints’. Each endpoint is a final interface of a network, such as a laptop, desktop, mobile phone, tablet, server, or even a virtual environment.

“If you start to multiply these endpoints for corporates the number is huge, and firms are paying 50 to 100 bucks per endpoint. The outage hit corporates but not – generally – SMEs because smaller firms can’t afford to implement CrowdStrike’s solutions,” he says.

“SMEs are kind of priced out of the market in this instance so all those cafes and businesses in SME land avoided problems basically down to luck, and instead the impact has been on major corporates like banks – firms in that big end of town,” Filipcevic adds.  

Luck played a role not only in keeping SMEs safe from the impact of CrowdStrike. Filipcevic says that for Australian firms timing was also on their side. The software update was released on Friday 19 July at 04:09 UTC (AKA Greenwich Mean Time), just as the Antipodean working week was drawing to a close.

That Friday feeling

Had the tech glitch happened on a different day Filipcevic says the impact on businesses in Australia – and the level of insured losses – could have been much larger.

“It would have been a different scenario if it had happened on a Monday morning, or in the middle of the week. The fact it was late on Friday meant the impact on Australian businesses was lessened. In other parts of the globe where it was Friday morning, or for firms with seven-day-week operations, then obviously there was an impact over the weekend.

“From an Australian loss of revenue perspective, the timing of the incident limited potential insured losses,” he says.

Future outages could come at any time, and Filipcevic says that CrowdStrike’s error has focused businesses’ attention not just on cyber risk itself but also on the fact that IT systems are vulnerable to a greater range of threats than simply bad actors.

Australia has been hit by a number of high-profile attacks in recent years. The DP World attack in November crippled activity at a port operator which handles 40% of the country’s shipping, and earlier in 2024 eScripts provider Medisecure demonstrated its systems didn’t live up to the company’s name when over 12 million patient records were lifted by hackers.

These incidents raised the profile of cyber risk in Australia, and Filipcevic says the subsequent CrowdStrike incident made businesses aware of the number of ways IT systems can be compromised in addition to malicious actions. 

“CrowdStrike raises the profile of cyber risk in general. It also sheds a different light on cyber insurance. This was essentially a software upgrade that went wrong, and impacted hundreds of businesses. They weren’t hacked. They didn’t suffer a cyber event. And they didn’t have a data breach. 

“It was a provider that impacted their IT infrastructure and brought it down. This wasn’t a guy in a hoodie after a ransom. It’s ironic that one of the global leading antivirus software providers brought down a ton of computers,” Filipcevic says.

Crisis management

Crisis and opportunity are closely linked, and the CEO says that the recent glitch gives the cyber insurance sector a chance to talk to firms about issues such as contingent business interruption, which he estimates is offered by at least half of the market.

Munich Re recently said that it expected losses from CrowdStrike to prompt a ‘recalibration’ of cyber insurance pricing upwards following two years of price declines. 

“I wouldn’t be surprised, depending on the size of the actual losses, if companies go back to recalibrating their pricing and maybe adding a little bit more rate, if their portfolio was affected,” Miguel Canals, Senior Vice President, Cyber Treaty Underwriter for Munich Re, told a recent industry conference in Hong Kong. 

Filipcevic takes a different view. He says that at a global level the industry holds enough premiums to deal with claims without needing to raise prices.

“There’s enough money in the premium pool at a global level, that this shouldn’t have a significant impact on the levels of cover provided, or result in insurers leaving the market and premiums increasing. This is a time for the cyber insurance market to step up and show its worth.”