The CrowdStrike outage: Assessing the fallout for the insurance market?

On 19 July, IT systems across the world were impacted by the CrowdStrike outage following the release of what should have been a routine sensor configuration update to its cloud-based cyber security platform known as Falcon. The update triggered a logic error, which disabled thousands of IT systems globally.

Whilst the fallout from the outage is still being assessed, some experts are already citing it as the largest IT outage in history. According to CyberCube, the outage could cost the standalone cyber market up to USD 1.5 billion.

Whilst these figures may seem quite stark, the impact could have been a lot worse for the insurance industry.

Impact of silent cyber changes

In July 2019, Lloyd’s issued Market Bulletin Y5258, which mandated that policies must address ‘silent cyber’ exposure (i.e., cyber-related exposures covered under traditional policies where the cyber exposure had not been specifically addressed in the policy wording). Lloyd’s was concerned that a large number of existing wordings, many of which were based on policies drafted before the increased widespread use of computer technologies, included exposure to cyber events that was unintended, unexpected and not financially modelled. The bulletin was not limited to malicious cyber events, with it specifically referring to non-malicious acts such as accidental acts and omissions (this would include the CrowdStrike outage).

Following the release of Y5258, many insurers – including those not directly subject to the market bulletin – tightened the cover given by non-cyber policies, either to restrict the extent to which cyber losses were covered, or to exclude such losses entirely.

Whilst it is too early to draw any firm conclusions as to the impact of the changes brought about by silent cyber strategies, it is highly likely that the general tightening-up of policy wordings to exclude unintended cyber exposures will have had a significant impact on reducing the overall loss suffered by the market.

Cyber insurance take-up

The CrowdStrike outage also shines a light on the take-up of cyber insurance (or not, as the case may be).

Although the overall cost to business of the incident has not yet been ascertained, various estimates place the loss at over USD 5 billion in revenues for Fortune 500 businesses alone, with overall losses globally significantly exceeding that number. Those figures do not take into account lost productivity or reputational damage. The disparity between the overall losses likely to be suffered by businesses and the loss likely to be suffered by the insurance market perhaps shows that businesses have not full exploited the opportunity to transfer the risk of cyber losses to the insurance market. Clearly many businesses will either have not taken up cyber cover, or do not have sufficient cover. Time will tell whether the CrowdStrike incident acts as a catalyst for more businesses to explore the option of taking out cyber cover.

A risk and an opportunity

Insurers will now be looking at this incident very carefully. On the one hand, it highlights the need for businesses to better engage with cyber insurance as an opportunity to protect the risk posed to their balance sheet by a major incident.

On the other hand, the outage serves as a stark reminder to cyber insurers (if one were ever needed!) of the potentially catastrophic impact of a single failure in global cyber infrastructure. It is also worth noting that this is not the first significant supply chain outage this year, with previous outages being suffered by Change Healthcare and CDK. Insurers will no doubt be mindful of the systemic exposures presented by such incidents, and will want to very carefully review their coverages and their underwriting criteria.