Guy Carpenter says CrowdStrike is a “Kitty Cat”, industry losses to be sub-$1bn

crowdstrike-cyber-kitty-cat-catastrophe

According to reinsurance broker Guy Carpenter, CrowdStrike is not a particularly significant cyber catastrophe event and only represents a “Kitty Cat”, or mid-sized catastrophe loss, while the broker estimates industry losses will be between $300 million and $1 billion.

The company urges the insurance and reinsurance industry to, “re-evaluate its perspective of risk and consider the impact of frequency losses alongside the market moving systemic risks.

“Rather than bracing for the single super cat, perhaps the market should be more concerned with the growing litter of “Kitty Cats”—mid-size events that meet the criteria for a cat loss, but at a smaller scale.”

There have now been five cyber Kitty Cats, Guy Carpenter notes, the MoveIT, Change Healthcare, CDK Global, CrowdStrike, and Snowflake cyber loss events.

Importantly, Guy Carpenter states, “While these losses have had limited impact individually, when aggregated into a single treaty period, they could generate a >10% loss ratio impact to the industry, which is more in line with the expectation for a single super cat.”

The broker further explained, “This aligns with cyber catastrophe modeling and scenario analysis, which have focused on events contributing double-digit impacts to loss ratios. As the industry grows and loss coding and reporting continues to improve, market understanding around individual loss burdens from leading events will provide more insight to help manage portfolio aggregation and cat risk. Using the experience from the property world where large individual cat events have contributed 5%-40% to the annual loss burden, the expectation that the cyber market may have to weather several such events in the course of an underwriting year becomes clear.”

See also  CNA Financial Corporation names next CEO

Guy Carpenter’s cyber team presents its own industry loss estimate for CrowdStrike, saying it believes the impacts will fall within a range of $300 million to $1 billion.

As we previously reported, PCS has designated the recent CrowdStrike linked global IT outage as a PCS Cyber Catastrophe Loss Event, meaning industry insured losses are expected to reach above US $250 million.

Parametrix, a specialist in parametric cloud downtime cyber insurance and reinsurance protection, released an insurance industry loss range of $540 million to $1.08 billion for the event.

Then CyberCube, a specialist modelling firm for cyber risks and exposures, estimated that insurance industry losses from the CrowdStrike linked global IT outage for the standalone cyber insurance market would be between $400 million and $1.5 billion.

Lastly, specialist insurer Coalition said its modelling suggests a lower bound of $270 million or even lower, while the upper-bound is $960 million, for US cyber insurance losses from the CrowdStrike event.

Now, we have Guy Carpenter’s loss estimate which also falls into a similar range.

However, Guy Carpenter also revealed an economic loss estimate from GuideWire Cyence, of between $1 billion and $3 billion, which is also aligned.

As we’ve been reporting, an industry loss lower than $1 billion would not be a threat to any of the cyber catastrophe bonds currently in-force, and we expect that to also be the case for an industry insured loss of below $1.5 billion.

We expect the industry loss will be well into the range offered by Guy Carpenter, although unlikely to reach the top.

See also  "The advisers now are in a really good space"

Artemis has learned that CrowdStrike has around $100 million of cyber insurance protection, but given litigation is likely against it, the firm is rumoured by sources to have anywhere from $200 million to $300 million of technology and liability errors and omissions coverage, all of which may be considered on-risk at this time.

With CrowdStrike, it may be interesting to note, that a good deal of the overall industry loss may come from outside of the cyber insurance space, thanks to any E&O claims against CrowdStrike itself.

Guy Carpenter also noted that with less that 1% of companies with cyber insurance around the globe said to be impacted by CrowdStrike and the outage it caused being a relatively quick fix, so reducing business interruption claims by allowing it to be remediated against before waiting periods expired for many, the broker says its findings align with a conclusion that”this event would not result in a material loss for most insurers.”

But also provides a cautionary note by saying that, “although this could change based on the wordings adopted by carriers, concentration of underwriting within affected industry sectors, and uptake of System Failure coverage.”

Also read:

– CrowdStrike event can build more confidence in cyber cat bonds: Hatzor, Parametrix.

– Beazley CrowdStrike losses expected well-below cat bond attachment: Berenberg.

– CrowdStrike tests cyber cat bonds & reinsurance, demonstrates importance: Aon’s Egan.

– CrowdStrike outage: Cyber cat bond prices stable, uncertainty palpable.

Print Friendly, PDF & Email