CrowdStrike outage to drive cyber insurance adoption – Moody’s

Outage also highlights standardisation issues

Business interruption (BI) rather than property damage will be the main driver of cyber insurance claims resulting from the recent CrowdStrike outage, according to Moody’s Ratings.

And while the outage will ultimately drive adoption of cyber insurance, it has also highlighted the difficulty in assessing total losses from such incidents as well as the various factors that will limit the size and number of claims.

A report from the ratings agency into the downstream impact from the systems failure that disrupted thousands of companies, public services and government agencies, concluded that business interruption (BI) rather than property damage will be the main driver of cyber insurance claims.

However, the lack of standardisation in the wording of cyber insurance policies means that it will take time to determine which customers have suffered losses and whether those losses were covered.

Early estimates of the losses vary. Insurance services firm Parametrix forecast $5.4bn in economic losses from the event, with insured losses likely to be no more than 10%-20% of economic losses ($540 million to $1.08 billion).

Meanwhile cyber insurer CyberCube estimated insured losses would be between $400m and $1.5bn for the standalone cyber insurance market.

In addition to a lack of standardised wording, many cyber insurance policies have a minimum waiting time before a BI claim can be triggered. This is generally between 8 and 12 hours but can vary between policies.

The timing of the outage will also be a factor. The botched update that caused the outage was pushed to computers approximately between 4.00 and 5.30 UTC, so it affected systems in Asia Pacific more than those in the EU and the US.

However, the adoption of cyber insurance is stronger in those markets less affected. According to Moody’s report, the botched update that triggered the outage was pushed to computers on 19 July at 04:09 UTC and only affected computers that were online between then and 05:27 UTC, about 80 minutes later.

As a result, systems in Asia-Pacific were most affected, compared to the EU and North America. At that time, more Asia-Pacific systems were online than European and US systems, but Europe and the US have a greater share of cyber insurance coverage than does the Asia-Pacific region.

Cyber policies also come with self-insured retentions that require a breach to reach a certain level before a claim can be filed. And the fact that the outage was caused by a system failure rather than a malicious act may also affect claims.

“We expect underwriters will evaluate the scope and nature of the event and adjust their underwriting, focusing on systems failure coverage,” stated the report.

“Although insurers have improved their ability to analyse potential insured losses related to individual data breaches, ransomware losses, and business interruption, it remains challenging to analyse widespread outages.

“Cyber modelling has advanced, but the risks are constantly evolving, which creates uncertainty around return periods and the likelihood of an event,” continued the report. “The CrowdStrike outage will prompt further scrutiny of risk aggregations and modelling practices and spur demand for cyber insurance.”
