Why CrowdStrike insured losses weren’t as big as expected

Chp August 2, 2024
Interrupt request level classic blue screen of death error. Error device, software and hardware problem. Vector illustration

Global insured losses for the CrowdStrike software update error could be in the range of US$300 million to US$1 billion, global brokerage Guy Carpenter estimates.

But many factors limited the scope of the damage, industry sources say.

CrowdStrike released a software update early in the morning on July 19 to its endpoint detection and response (EDR) tool, dubbed “Falcon,” which sits on Microsoft Windows devices. “Unfortunately, this update contained a software coding flaw that caused Microsoft devices to crash, leading to the infamous ‘blue screen of death,’” as the Guy Carpenter report describes the incident. “CrowdStrike promptly reverted the update and introduced a fix, but the impact was significant.”

CrowdStrike has a total of nearly 24,000 organization customers worldwide, including nearly 60% of the Fortune 500 companies.

Globally, the Microsoft crashes caused 7,000 flights cancellations or delays over several days. In Canada, airports and airlines reported disruptions, and the effects were felt in the banking and health care industries as well.

Since the source of the coding error was not malicious, the impact of the loss on insurers’ bottom lines is expected to be limited, Guy Carpenter says.

“Had the event been malicious, the impact would be far greater,” says the Guy Carpenter report, A Closer Look: Unveiling the Global Impact of CrowdStrike Event. “Guy Carpenter estimates that a ransomware attack that directly impacts a widely used operating system could have a total impact between $600 million and $2 billion in insurable loss.”

Guy Carpenter listed two factors reducing the scope of the CrowdStrike damage.

First, “in this instance, the vendor had high-level privileges to communicate directly with sensors linked to the operating system software,” the report notes. “Importantly, most vendors do not have this level of access and, therefore, cannot directly impact the operating environment.”

See also  Delayed Insurance Appraisals? Do Insurance Companies Have Good Faith Duties to Make Sure Their Appraisers Do Not Delay Appraisals?

Second, vendor-initiated system failures are offset by the value the updates provide for end-to-end data encryption security. Essentially, in the software update error scenario, the damage caused by a quickly fixed flaw is limited compared to a malware attack designed to defeat security.

Also, terms and conditions in cyber policies limit insurers’ exposure to these kinds of incidents.

In Canada, investment analysts asked Intact Financial Corporation (IFC) executives about CrowdStrike during a 2024 Q2 earnings call Wednesday.

IFC executive vice president and chief operating officer Patrick Barbeau confirmed the company has received “a few claims” related to the event, but the losses are not anticipated to be “significant.”

“First of all, on the commercial base product, business interruption, this kind of system outage is not covered,” Barbeau replied. “It’s similar to the COVID business interruption: It requires physical damage to trigger business interruptions. During this [outage], it is not the case.

“There is some coverage on some of our cyber insurance policy for this. But for a large majority of these products, there is a waiting time period, financial deductibles, and then for excess policies fairly high attachment point. So we don’t expect any significant costs from this event.”

A restoration period, or “waiting period,” describes a timeframe beginning when the loss occurs and ending when normal business operations are restored. In business interruption policies, this period, as defined in the policy, qualifies for insurance reimbursement for lost income and operating expenses.

Typically, BI or cyber policies cover for losses occurring within a 24-hour to 72-hour waiting period. Some policies may even cover from eight hours to 72 hours.

See also  9 thoughts about 2024 BMW i4 eDrive35

In an interview with Zywave’s Front Page News, David Anderson, vice president of Woodruff Sawyer’s cyber practice, says waiting periods will likely limit the scope of the loss in the CrowdStrike event. He noted CrowdStrike issued a solution quickly, meaning many businesses would have been back online before any policy waiting periods were triggered.

“I think the universe of loss is smaller than we think,” Anderson told FPN. “The fix was out, and the fix was pretty doable.”

 

Feature image courtesy of iStock.com/Svitlana Hruts

Related posts:

  1. How Are House Prices Rising?
  2. Haag Canada Announces New National Catastrophe and Appraisal Division
  3. Navigating Compensation in the Era of Transparency
  4. Fiat's New Grande Panda Is So Cute I Wish It Had Cheeks I Could Squeeze

More Stories

Where to Find the Best Car Insurance in Utah

Where to Find the Best Car Insurance in Utah

Chp September 19, 2024
Insurers grapple with AI ethics and regulation

Insurers grapple with AI ethics and regulation

Chp September 19, 2024
Professional liability insurance policy on a table.

Why insurers won their dispute over a $50-million excess policy

Chp September 19, 2024

You may have missed

Bank Sign

On the Hunt for HNW Clients? Look to In-House Investment Banks

Chp September 19, 2024
King Risk Partners boosts East Coast footprint via swoop

King Risk Partners boosts East Coast footprint via swoop

Chp September 19, 2024
E-scooter riders flouting rules, blocking footpaths and causing accidents? We need to use smart solutions (and bust the myths)

E-scooter riders flouting rules, blocking footpaths and causing accidents? We need to use smart solutions (and bust the myths)

Chp September 19, 2024
Brown & Brown names Mike Neal, Mark Abate to retail leadership team

Brown & Brown names Mike Neal, Mark Abate to retail leadership team

Chp September 19, 2024
CAC Specialty appoints Sonny Pittman as EVP of business development

CAC Specialty appoints Sonny Pittman as EVP of business development

Chp September 19, 2024