CrowdStrike throws cyber market softening into doubt
Terms and conditions most likely to be impacted
Experts are divided over whether losses from the CrowdStrike outage will have a real impact on cyber insurance pricing and potentially reverse the recent softening, but there is more consensus that the event will impact terms and conditions.
The incident is likely to have the biggest impact, both in terms of higher premium and tighter wordings, on cyber policies that cover business interruption and third-party liabilities, the experts told Commercial Risk Europe.
Firms that rely heavily on third-party cybersecurity providers are most likely to feel the pinch. And many we spoke to stress that if current loss estimates from CrowdStrike rise, which doesn’t seem out of the question, the outage could have a bigger impact on the cyber market than some currently predict.
The systems failure at cybersecurity firm CrowdStrike is thought to be the largest IT outage ever. Problems began late on 18 July (19 July UTC) when a faulty update to the vendor's Falcon sensor software crashed millions of computers, platforms and networks running Windows. According to Erica Davis, global co-head of cyber at Guy Carpenter, the incident had the “potential to be a catastrophe”.
However, its impact on businesses and insurers was held in check by the quick fix for the bug, which gave many organisations the opportunity to restore systems before the waiting period for cyber business interruption claims, typically four to 12 hours, had elapsed.
It seems that less than 1% of global companies with cyber cover were affected, according to Guy Carpenter. The reinsurance broker estimates that the CrowdStrike outage will cost insurers between $300m and $1bn, making it a “sizeable but manageable” loss for most carriers.
“Guy Carpenter’s findings align with the conclusion that this event would not result in a material loss for most insurers, although this could change based on the wordings adopted by carriers, concentration of underwriting within affected industry sectors, and uptake of system failure coverage,” it said.
The loss estimate equates to somewhere between 2% and 6% of Guy Carpenter’s estimated $15.8bn of annual gross cyber premium. Its figures for CrowdStrike compare with an estimate of between $400m and $1.5bn from CyberCube.
So with big, but not catastrophic, cyber losses on the cards, one key question is whether the event will have any impact on a cyber insurance market that has only just moved in buyers’ favour after a prolonged period of severe hardening. Opinion is divided.
London market and global broker Miller told Commercial Risk that although the cyber market has been experiencing a softening trend with increased capacity and competition, this incident “may temporarily reverse that direction”.
“In our view, the CrowdStrike outage is likely to lead to both an increase in cyber insurance premiums and more stringent terms and conditions, as insurers adjust to the increased perception of risk in the wake of this significant event,” said Debbie Hobbs, head of cyber, tech and media at the broker.
“The widespread disruption caused by the outage has highlighted the potential for large-scale systemic risks, prompting insurers to reassess their exposures. This reassessment could lead to an increase in premiums, particularly for policies that cover business interruption and third-party liabilities,” she added.
Hobbs said this view is supported by a “spike” in requests for long-term agreements – which lock in coverage terms, conditions, and rates for an extended period – from cyber insurance buyers since the incident.
Miller also believes that the financial losses and perceived threat associated with the CrowdStrike outage could affect reinsurance negotiations, leading to higher reinsurance rates or more restrictive terms. All of this would impact the way the primary market thinks about writing cyber, noted Hobbs.
And she feels the impact will also be felt through more restricted cyber coverage. “The incident has exposed critical vulnerabilities in even the most reputable cybersecurity firms, which may lead to more stringent policy terms and conditions in the future. This could include more rigorous requirements for policyholders to demonstrate their cybersecurity measures, as well as the introduction of new exclusions or limitations in coverage. For example, insurers might introduce exclusions related to third-party service failures or reduce the scope of coverage for systemic events,” she said.
From the insurer’s side, Zurich expects the incident to have a “stabilising effect” on pricing in the cyber insurance market and stressed that its full impact remains “uncertain”.
“Furthermore, the event has highlighted the need for insurers to better understand and expand their assessment of possible single points of failure, which may influence policy terms and conditions going forward,” said Sierra Signorelli, CEO of commercial insurance at the carrier.
Signorelli added that the CrowdStrike incident serves as a wake-up call for both cyber insurers and their customers, and stressed that the consequences would have been far more severe if it had been a malicious attack that wasn’t as easy to fix.
Rating agencies are less sure whether the CrowdStrike event will have much impact on cyber insurance pricing. But again there is more agreement when it comes to terms and conditions.
“Overall, this will have minimal impact on pricing because losses failed to materialise to a level beyond what pricing had anticipated,” Gerald Glombicki, who is a senior director in the insurance team at Fitch Ratings, told Commercial Risk.
“But terms and conditions will likely be more impacted, specifically people will look at the ‘hours clause’. This is how quickly business interruption kicks in as a benefit. The industry standard is eight to 12 hours but this varies significantly across competitors. There is still significant variability in terms and conditions in the cyber market and this event will not move the industry to standardisation,” he added.
Manuel Adam, insurance analyst for S&P Global Ratings, said the direct financial impact of the CrowdStrike outage is manageable for the insurance industry, with losses primarily driven by business interruption claims. He too noted that things would likely have been “far worse” if the incident had been malicious.
But given current loss estimates, Adam believes that the CrowdStrike outage in isolation is unlikely to have a “material impact on current pricing in the cyber insurance market”.
“However, if additional security breaches or data losses affecting policyholders are discovered, there could be a larger-than-anticipated spike in claims. This might prompt insurers to reconsider coverage limits or exclusions related to outages of critical cybersecurity services,” he said.
And Adam said he feels that even with current loss estimates, insurers are more likely to re-evaluate the risks for companies that rely most heavily on third-party cybersecurity providers such as CrowdStrike.
“If an outage is perceived as a vulnerability, insurers could adjust premiums or policy terms for businesses dependent on these services,” said Adam. “They may also examine the resilience and contingency plans of these providers more thoroughly, which could lead to stricter policy requirements.”
Adam also predicts that the incident may well encourage businesses to diversify their cybersecurity strategies by relying on multiple providers instead of just one. This diversification could affect how insurers evaluate risk and design their policies, he said.
“Additionally, insurers might develop new products specifically designed to cover risks associated with third-party service outages as insurers and enterprises may now have an increased focus on third-party/supply chain risk,” said the ratings analyst.
Michael Lagomarsino, senior director at AM Best, sums up why there are differences of opinion about the likely impact of the outage on the primary cyber market.
“On the one hand, we would expect that the quarter-over-quarter deceleration in [cyber] rate increases observed throughout 2023 and at the start of 2024, and more recently turning modestly negative, would change course following the CrowdStrike outage, particularly given recent large data breaches and the continuation of an increase in the frequency of ransomware attacks,” he said.
“However, initial estimates of insured losses of $500m to $1.5bn from the CrowdStrike outage appear to be manageable for the affirmative cyber writers, and especially as they are coming off strong operating results in recent years. Actions taken around tightening policy language and terms and conditions, as well as an overall improvement in the cybersecurity hygiene of insureds over time, place the industry in a solid position to absorb any negative impacts,” he continued.
“As a result, there may not be a material change in terms and conditions or shift in the competitive environment. Still, it is early days post-outage and we will watch for more information as it becomes available,” he added.
Other experts are urging cyber insurance buyers to review their policies, particularly for business interruption exposures, to ensure they are adequately covered for events such as the recent CrowdStrike outage. They agree that claims are likely to be complicated and the ultimate loss figure far from certain.
Allen Blount, US national cyber practice leader at broker Risk Strategies, told our sister publication Business Insurance that, while cyber policies often contain coverage for non-malicious acts and such coverage is widely available, policyholders should be sure about contract language and limits.
“It is sometimes a coverage that’s overlooked,” Blount said. In addition to ensuring that non-malicious acts are explicitly covered, policyholders should check that their full limit applies because some insurers may sublimit such coverage, he said.
Meredith Schnur, US and Canada cyber practice leader at Marsh, said that because there is such variation among forms in the commercial cyber insurance market, policyholders may be faced with differing accounting methods for losses under business interruption coverage.
“You can pick up five different policies and read the business interruption or contingent business interruption coverage in all of them, and they will all look different,” Schnur said. Policyholders must “understand the extent of that coverage and how it varies”.
Rory Egan, London-based head of cyber analytics for Aon’s reinsurance solutions division, said we are starting to obtain a picture of the event’s footprint but stressed that working out the final “quantum of loss” will take a lot longer.
One factor influencing the size of the total insured loss among companies that bought systems failure coverage is applicable waiting periods. “Can they start counting from the fourth hour of disruption or the 12th hour or the 24th hour? That’s going to be a determinant on where we end up in terms of lost quantum at a market level,” Egan said.
Some policyholders were likely up and running again before they exceeded the time retentions in their policies, said Brian Gillin, managing director for the US East region at Aon.
He added that coverage for non-malicious acts is “generally included” in most larger, more sophisticated commercial cyber insurance programmes but is not universal.
“And as more and more data comes out about how sizable some of the losses were for particular companies, it’s going to cause others to re-evaluate what they are currently buying and potentially buy more,” Gillin predicted.