Parametrix estimates CrowdStrike insured losses at between $540m and $1.08bn

Parametrix, a specialist in parametric cloud downtime cyber insurance and reinsurance protection, has issued an estimate for the insurance industry loss caused by the CrowdStrike linked global IT outage, saying it anticipates insured losses falling in a range of $540 million to $1.08 billion.

Parametrix estimates that the total direct financial loss facing US Fortune 500 companies (excluding Microsoft) from the CrowdStrike outage on July 19th is $5.4 billion.

Given the portion of that loss covered under cyber insurance policies is only expected to be in the range of 10% to 20%, Parametrix said that the weighted average loss is $44 million per Fortune 500 company, but ranges from $6 million (manufacturing companies) to $143 million (airlines).

Large risk retentions and low policy limits mean only a small portion of the financial impacts of CrowdStrike event will be covered by insurance.

At an industry loss below $1.08 billion, this would not be expected to trouble any of the cyber catastrophe bonds currently in the market.

But it is likely to trigger some cyber reinsurance capacity, which may serve to harden that market a little further, while also increasing demand for coverage as well.

The low level of financial losses that are expected to be covered demonstrates the need for continued growth of cyber insurance and reinsurance capital, to support narrowing of this protection gap.

It is worth noting that Parametrix’s estimate appears based on insurance losses under cyber policies, when the CrowdStrike event also has the potential to have insurance market ramifications under other sources of business interruption and contingent business interruption coverage, as well as potentially some operational risk, liability and even E&O covers as well.

It’s also only looking at the Fortune 500 and in this case the ramifications for small to medium sized businesses is as significant and claims will flow to insurers from smaller enterprises as well.

So, the ultimate cost to the insurance and reinsurance industry may be higher.

Parametrix expects that the largest direct financial loss will be suffered by Fortune 500 companies in the healthcare sector ($1.938 billion), followed by banking ($1.149 billion) while the six Fortune 500 airlines are expected to face approximately $860 million in losses.

“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries,” explained Jonathan Hatzor, co-founder and CEO of Parametrix. “It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimize the potential impacts of systemic cyber risk. However, our analysis does not show the whole diversification picture. A cyber insurer focused on very large companies will certainly suffer a much greater CrowdStrike loss relative to premium than one with a large SME book.

“Prevention is important, but risk carriers have limited control over event occurrences and service-provider practices. The industry should focus on controllable areas, like mapping and managing aggregation risk. By understanding these points, we can evaluate key exposures, and mitigate both malicious and non-malicious threats. This proactive approach enables better underwriting decisions, and effective risk-transfer solutions to manage systemic risk.”

Also read:

– Beazley CrowdStrike losses expected well-below cat bond attachment: Berenberg.

– Beazley says no change to combined ratio guidance after CrowdStrike.

– CrowdStrike tests cyber cat bonds & reinsurance, demonstrates importance: Aon’s Egan.

– CrowdStrike outage: Cyber cat bond prices stable, uncertainty palpable.