CrowdStrike update triggers complicated “insurance catastrophe”

A software update from cybersecurity firm CrowdStrike caused a global tech outage on 19 July 2024, disrupting a vast array of industries, including finance, healthcare, and travel.

The security update affected 8.5 million Windows devices, according to Microsoft. The update, intended to protect systems from cyber threats, instead resulted in the infamous “blue screen of death” and caused the devices to be non-functional. An update has since been administered to solve the issue, CrowdStrike said.

Well-known cybersecurity researcher Troy Hunt took to X, formerly known as Twitter, to say, “I don’t think it’s too early to call it: this will be the largest IT outage in history.”

According to Cirium, a global aviation analytics firm, at least 5,000 flights were cancelled on Friday worldwide. In comparison, 2,000 flights were cancelled on Thursday before the software issues.

Claims notifications are expected to centre around business interruption (BI), cyber, travel, and supply chain disruptions. However, there is potential for exposure in other lines of business, including directors and officers (D&O). “Silent risks” could also see an accumulation of losses in other property and casualty lines.

Nir Perry, CEO at cyber insurer CyberWrite, labelled the event an “insurance catastrophe” and said economic losses could reach “tens of billions of dollars.”

The insurance industry reacted quickly to the situation, with carriers and brokers, including Beazley, Coalition, Marsh, Howden and Guy Carpenter, publishing explainers, support documents, and key contact details on their respective websites.

It will take time before economic or insurance losses can be calculated more accurately, but early estimates will likely start to trickle through in the coming days to help guide cedents on potential exposures.

“While modelling scenarios do not account specifically for widespread outages due to software updates, there are sufficient analogous scenarios for estimating losses from the event, including business interruption and extra expense,” said Guy Carpenter in a note about the incident.

“While actual losses will vary from modelled instances based on the specific circumstances, such scenarios can establish a directional foothold for cedents to address systemic exposures,” the global reinsurance broker added.

Complex claims

Claims are likely to be numerous, complex and multi-faceted. Ryan Griffin, a Partner focused on cyber at insurance broker McGill and Partners, said insurers are bracing for “hundreds, if not thousands” of claims notifications.

“This mass outage will certainly be felt by the Cyber insurance market,” said Luke Foord-Kelcey, Global Head of Cyber at Howden Re. “However, the full extent of the impact will only become clear over the coming days as we are able to take stock of how rapidly the fixes have been able to be implemented and whether the resulting business interruptions have exceeded the policy waiting periods – and if so, by how much.”

There will be many businesses, particularly in the small to medium enterprise segment, that do not have insurance coverage for any losses they experienced.

While the incident may increase awareness about the importance of coverage for similar events, experts said that even those with policies may not be covered.

Marcos Alvarez, Head of Insurance at DBRS Morningstar, noted that typical business interruption (BI) policies would not cover losses from the outage, adding many cyber insurance policies exclude non-malicious events.

Perry from Cyberwrite adds, “Some cyber insurance policies exclude non-malicious events, and there are waiting periods and deductibles that businesses will have to consider before making a claim with their insurance carriers.”

Responding to claims will take time and involve multiple layers of complexity due to the number of claims, the technical and interconnected nature of the event, and discussions over terms and conditions, which could create heightened tensions between parties.

While claims are likely to be centred around BI, cyber, travel, and supply chain-related lines of business, (re)insurers may find exposure in other business lines as well.

Silent risks

The event could result in legal claims for CrowdStrike and Microsoft, say industry observers.

“Airlines (and other industries) might have rights under their contracts that allow them financial or other remuneration,” said Sam Levine, Senior Vice President – Professional and Cyber Solutions at specialty insurance broker CAC.

In its note, Guy Carpenter also underlined the potential implications for D&O insurance.

“We may see implications on the D&O towers for companies both involved in or impacted by today’s incident. In general, a 10% intraday stock drop for a publicly traded company may incentivise the plaintiffs’ bar to file a class action lawsuit.”

Guy Carpenter also warned that, given the ongoing integration of information technology and operational technology, insurers will need to account for the physical outcomes that may result from technology failures across their broader portfolio.

“Potential exposure for P&C policies will depend on how insurers address cyber as a peril and whether the policy includes a “silent cyber” exclusion,” Guy Carp said.

“Policies remaining silent on cyber risk may be exposed to ensuing bodily injury or property damage as a result of cyber-related system failure,” the global reinsurance broker added.

Systemic risks

The outage also highlights the interconnected and systemic risks associated with commonly used technologies.

“As the (re)insurance industry continues to assess the full implications and root causes of this mass IT outage, the incident reveals far-reaching dependencies inherent in global digital infrastructure,” said Harriet Gruen, Head of Cyber Threat Intelligence at Howden Re.

“This incident underscores the evolving nature of cyber and IT risks and the need for continued investment in developing more sophisticated exposure management tools and techniques,” she adds.

Ciaran Martin, the former Chief Executive of Britain’s National Cyber Security Center and a Professor at the Blavatnik School of Government at Oxford University, echoed the sentiment, commenting, “This is a very, very uncomfortable illustration of the fragility of the world’s core internet infrastructure.”

In April, Munich Re published its 2024 Cyber Risk and Insurance Survey, warning of catastrophic systemic events like cyber war or outages of critical digital infrastructure and calling for public-private partnerships as a precautionary measure of last resort.

“Such scenarios pose a threat to macroeconomic stability, which is why societies need the involvement of governments to manage these potentially catastrophic cyber risks,” said the report.

The CrowdStrike incident itself is likely to be manageable. However, it underlines the connected, digital nature of the world, where a single security update—ironically intended to protect society from bad actors—instead brought global industries and businesses to their knees, albeit only for several hours for the most part.

One positive outcome of the software failure is that it is likely to help raise awareness of the protection gap that exists for businesses.

Earlier this month, Howden had cut its global cyber forecast from US$50bn in gross written premiums by 2030 to ‘close’ to US$40bn due to slowing growth in the US market. A QBE survey published early this year showed that cyber awareness and protection was growing in Hong Kong but declining in Singapore.

The incident is likely to spark awareness and purchasing appetite for cyber cover, particularly in the underserved SME segment, which could test Howden’s outlook and reverse the declining trends in Singapore.

As the full extent of the CloudStrike incident becomes clear, insurers and reinsurers will need to evaluate policyholder supply chain dependencies, assess potential aggregation across commonly used technologies, and recalibrate risk tolerances accordingly.

Once the short to medium term pain dissipates, the event could provide a shot in the arm for insurers in Asia Pacific and globally, invigorating growth for cyber-related premiums and increasing appetite for innovative products such as parametric solutions (see story below).