Why CrowdStrike insured losses weren’t as big as expected


Global insured losses for the CrowdStrike software update error could be in the range of US$300 million to US$1 billion, global brokerage Guy Carpenter estimates.

But many factors limited the scope of the damage, industry sources say.

CrowdStrike released a software update early in the morning on July 19 to its endpoint detection and response (EDR) tool, dubbed “Falcon,” which sits on Microsoft Windows devices. “Unfortunately, this update contained a software coding flaw that caused Microsoft devices to crash, leading to the infamous ‘blue screen of death,’” as the Guy Carpenter report describes the incident. “CrowdStrike promptly reverted the update and introduced a fix, but the impact was significant.”

CrowdStrike has nearly 24,000 customer organizations worldwide, including nearly 60% of the Fortune 500 companies.

Globally, the Microsoft crashes caused 7,000 flight cancellations or delays over several days. In Canada, airports and airlines reported disruptions, and the effects were felt in the banking and health care industries as well.

Since the source of the coding error was not malicious, the impact of the loss on insurers’ bottom lines is expected to be limited, Guy Carpenter says.

“Had the event been malicious, the impact would be far greater,” says the Guy Carpenter report, A Closer Look: Unveiling the Global Impact of CrowdStrike Event. “Guy Carpenter estimates that a ransomware attack that directly impacts a widely used operating system could have a total impact between $600 million and $2 billion in insurable loss.”

Guy Carpenter listed two factors reducing the scope of the CrowdStrike damage.

First, “in this instance, the vendor had high-level privileges to communicate directly with sensors linked to the operating system software,” the report notes. “Importantly, most vendors do not have this level of access and, therefore, cannot directly impact the operating environment.”


Second, the risk of vendor-initiated system failures is offset by the value the updates provide for end-to-end data encryption security. Essentially, in the software-update-error scenario, a quickly fixed flaw causes limited damage compared with a malware attack designed to defeat security.

Also, terms and conditions in cyber policies limit insurers’ exposure to these kinds of incidents.

In Canada, investment analysts asked Intact Financial Corporation (IFC) executives about CrowdStrike during a 2024 Q2 earnings call Wednesday.

IFC executive vice president and chief operating officer Patrick Barbeau confirmed the company has received “a few claims” related to the event, but the losses are not anticipated to be “significant.”

“First of all, on the commercial base product, business interruption, this kind of system outage is not covered,” Barbeau replied. “It’s similar to the COVID business interruption: It requires physical damage to trigger business interruptions. During this [outage], it is not the case.

“There is some coverage on some of our cyber insurance policy for this. But for a large majority of these products, there is a waiting time period, financial deductibles, and then for excess policies fairly high attachment point. So we don’t expect any significant costs from this event.”

A restoration period, or “waiting period,” describes a timeframe beginning when the loss occurs and ending when normal business operations are restored. In business interruption policies, lost income and operating expenses incurred during this period, as defined in the policy, qualify for insurance reimbursement.

Typically, BI or cyber policies cover losses occurring within a 24-hour to 72-hour waiting period. Some policies may even cover from eight hours to 72 hours.


In an interview with Zywave’s Front Page News, David Anderson, vice president of Woodruff Sawyer’s cyber practice, says waiting periods will likely limit the scope of the loss in the CrowdStrike event. He noted CrowdStrike issued a solution quickly, meaning many businesses would have been back online before any policy waiting periods were triggered.

“I think the universe of loss is smaller than we think,” Anderson told FPN. “The fix was out, and the fix was pretty doable.”
