Will CrowdStrike event trigger a cyber hard market?

July’s CrowdStrike flawed software update that affected an estimated 8.5 million Windows devices shouldn’t trigger the next cyber hard market or lead to significant rate increases, a cybersecurity expert said during a recent webinar.

“I don’t think this one’s going to accelerate a hard market,” said James Burns, head of cyber strategy at CFC. “It might dampen some of the rate softening that we’ve seen, but I don’t think it’s had enough of an impact to take us back the other way when it comes to rate.”

Burns made his comments during a CFC webinar last month titled Cyber expert panel: Anatomy of a global IT outage. He was referencing the incident on July 19 in which endpoint security company CrowdStrike released an update to its Falcon sensor. That update caused a critical error for any organization that had the Falcon sensor installed within a Windows machine, resulting in the infamous ‘blue screen of death.’

Reinsurance brokerage Guy Carpenter originally estimated global insured losses for the CrowdStrike event could be in the range of US$300 million to US$1 billion.

But several factors limited the scope of the damage, Guy Carpenter said, including that the event was not malicious and that terms and conditions in cyber policies limit insurers’ exposure to these kinds of incidents.

During CFC’s webinar, Burns pointed to other factors that further mitigated the event. One was that the affected product was predominantly used by large corporate customers, rather than small- and medium-sized enterprises. Secondly, the outage was triggered during the day in Australia, which mitigated the impacts on European and U.S. businesses.

‘Clear route to recovery’

“Most cyber insurance policies are sold in the U.S. and by the time that their day had started, there was a clear route to recovery…,” Burns said. “And I think this minimized the operational disruption for a lot of policyholders.

“They’re actually back up and running relatively quickly.”

And given a lot of large companies chose to buy polices with large deductibles, “many don’t seem to think that they’ll need to actually file a claim or have a loss…So from an insurance perspective, the impact hasn’t, so far I don’t think, been big enough to harden the market.”

What the CrowdStrike incident did do, Burns said, is serve as a wake-up call for how the market deals with systemic risks — essentially exposure to a single event that triggers a large number of claims and a big accumulated financial loss.

Currently, cyber insurers use a range of exclusions to try and manage systemic risks, ranging from exclusions in policies for war, cyber war, critical infrastructure failure or even mass vulnerability exploitation. But what if the market gets hit by a scenario that current exclusions don’t address, such as a major catastrophic event that isn’t an act of war or critical infrastructure failure?

“Well, that’s actually just happened because the CrowdStrike outage wouldn’t have fallen into any of those buckets,” Burns said. “What if we had that scenario times one thousand? [It would be] very, very, very unlikely, but it’d be imprudent of us not to be thinking along those lines as an industry…

“The obvious question is – is there the potential, however remote, for a massive [systemic] event to occur which could wipe out insurer balance sheets?”

Feature image: A technician works on an information display near United Airlines gates at Chicago O’Hare International Airport in Chicago, Friday, July 19, 2024, after a faulty CrowdStrike update caused a major internet outage for computers running Microsoft Windows. (AP Photo/Carolyn Kaster)