PCS designates CrowdStrike as a cyber catastrophe loss event
Property Claim Services (PCS), the unit of Verisk that is a provider of industry loss estimates and loss data globally, has designated the recent CrowdStrike linked global IT outage as a PCS Cyber Catastrophe Loss Event, meaning industry insured losses are expected to reach above US $250 million, Artemis has learned.
Through the PCS Global Cyber product, the company monitors global cyber attacks and potential cyber insurance market loss events.
It provides reporting on event losses when they surpass $25 million, but then designates them as cyber catastrophes when their insurance industry losses are understood as going to surpass $250 million.
As a result, given the threshold of $250 million, it’s no surprise CrowdStrike is expected to drive more in insurance market losses and so deserves reporting as a cyber cat event.
The PCS Global Cyber service provides industry loss estimates for risk losses caused by cyber, through affirmative cover in a standalone cyber program or as part of a blended program that explicitly includes cyber, as well as for non-affirmative or so-called silent cyber losses, such as to property lines or D&O.
For an event to be classed as a cyber catastrophe, it must also affect multiple insureds and multiple insurers, and PCS will report both the affirmative and non-affirmative loss totals individually, alongside an insurance market-wide loss figure.
Now, the CrowdStrike event has been designated as a cyber catastrophe loss event by PCS, so is set for this enhanced reporting.
It is expected to drive both affirmative and non-affirmative cyber claims, across a range of perils including: IT related configuration or implementation errors; IT processing errors; network or website disruption; and system or network security violation or disruption.
It’s early at this stage for any kind of industry loss estimate to be reported under the PCS methodology, as it will now collect data from insurers to derive an industry total.
This is now the third cyber catastrophe event to be designated by PCS since the 144A catastrophe bond market opened up to its first cyber catastrophe bond issuances.
Previously, PCS designated both the MOVEit cyber attack and the Change Healthcare cyber attack as PCS Cyber Catastrophe Loss Events, so activating its loss aggregation and estimation procedures for a cyber cat insurance market loss.
Now, the same process is activated for the CrowdStrike event, which has the potential to be the largest cyber insurance loss of the three, we believe.
However, it remains the case at this time that, we do not expect any of these cyber catastrophe events will aggregate to the level of losses that might be required to trigger a cyber cat bond, given these first cyber ILS deals tend to cover relatively high layers of reinsurance and retrocession.
For CrowdStrike, recall that, Parametrix, a specialist in parametric cloud downtime cyber insurance and reinsurance protection, released an insurance industry loss range of $540 million to $1.08 billion for the event.
Then CyberCube, a specialist modelling firm for cyber risks and exposures, estimated that insurance industry losses from the CrowdStrike linked global IT outage for the standalone cyber insurance market would be between $400 million and $1.5 billion.
Lastly, specialist insurer Coalition said its modelling suggests a lower bound of $270 million or even lower, while the upper-bound is $960 million, for US cyber insurance losses from the CrowdStrike event.
An industry loss of below $1.08 billion would not be anticipated to impact any of the cyber catastrophe bonds currently in-force, and we expect that to also be the case for an industry insured loss of below $1.5 billion.
