Guy Carpenter says CrowdStrike is a “Kitty Cat”, industry losses to be sub-$1bn

According to reinsurance broker Guy Carpenter, CrowdStrike is not a particularly significant cyber catastrophe event and only represents a “Kitty Cat”, or mid-sized catastrophe loss, while the broker estimates industry losses will be between $300 million and $1 billion.

The company urges the insurance and reinsurance industry to, “re-evaluate its perspective of risk and consider the impact of frequency losses alongside the market moving systemic risks.

“Rather than bracing for the single super cat, perhaps the market should be more concerned with the growing litter of “Kitty Cats”—mid-size events that meet the criteria for a cat loss, but at a smaller scale.”

There have now been five cyber Kitty Cats, Guy Carpenter notes, the MoveIT, Change Healthcare, CDK Global, CrowdStrike, and Snowflake cyber loss events.

Importantly, Guy Carpenter states, “While these losses have had limited impact individually, when aggregated into a single treaty period, they could generate a >10% loss ratio impact to the industry, which is more in line with the expectation for a single super cat.”

The broker further explained, “This aligns with cyber catastrophe modeling and scenario analysis, which have focused on events contributing double-digit impacts to loss ratios. As the industry grows and loss coding and reporting continues to improve, market understanding around individual loss burdens from leading events will provide more insight to help manage portfolio aggregation and cat risk. Using the experience from the property world where large individual cat events have contributed 5%-40% to the annual loss burden, the expectation that the cyber market may have to weather several such events in the course of an underwriting year becomes clear.”

Guy Carpenter’s cyber team presents its own industry loss estimate for CrowdStrike, saying it believes the impacts will fall within a range of $300 million to $1 billion.

As we previously reported, PCS has designated the recent CrowdStrike linked global IT outage as a PCS Cyber Catastrophe Loss Event, meaning industry insured losses are expected to reach above US $250 million.

Parametrix, a specialist in parametric cloud downtime cyber insurance and reinsurance protection, released an insurance industry loss range of $540 million to $1.08 billion for the event.

Then CyberCube, a specialist modelling firm for cyber risks and exposures, estimated that insurance industry losses from the CrowdStrike linked global IT outage for the standalone cyber insurance market would be between $400 million and $1.5 billion.

Lastly, specialist insurer Coalition said its modelling suggests a lower bound of $270 million or even lower, while the upper-bound is $960 million, for US cyber insurance losses from the CrowdStrike event.

Now, we have Guy Carpenter’s loss estimate which also falls into a similar range.

However, Guy Carpenter also revealed an economic loss estimate from GuideWire Cyence, of between $1 billion and $3 billion, which is also aligned.

As we’ve been reporting, an industry loss lower than $1 billion would not be a threat to any of the cyber catastrophe bonds currently in-force, and we expect that to also be the case for an industry insured loss of below $1.5 billion.

We expect the industry loss will be well into the range offered by Guy Carpenter, although unlikely to reach the top.