Risk managers have much to learn from CrowdStrike outage
Marsh says there are plenty of lessons to be learnt from the systems failure at cybersecurity company CrowdStrike, which is thought to be the largest IT outage ever.
“The biggest lesson is that there is no way to truly prevent tech outages,” said Tom Reagan, global cyber practice leader at the broker. “So how do you live with them, manage them and mitigate them?”
Marsh is one of a number of companies that have used the CrowdStrike incident to warn risk managers of the importance of incident management, risk capital, cybersecurity and other risk practices.
The outage began on 18 July when a software update from the cybersecurity vendor went wrong, affecting millions of computers, platforms and networks running on Windows systems. According to Erica Davis, global co-head of cyber at Guy Carpenter, the incident had the “potential to be the catastrophe that companies had prepared for but not yet experienced”.
However, in reality, less than 1% of global companies were affected and Guy Carpenter expects the insured losses to be in the region of $400m to $1.5bn. The losses look to be “sizeable but manageable”, said Davis.
In the first two to three weeks following the attack, Marsh saw more than 500 clients affected and around 375 claims notifications, said Gill Collins, head of cyber incident management and cyber advisory, Marsh Pacific.
Collins sees three key lessons for risk managers to learn from the whole experience. Firstly, regularly test your cyber response and business interruption plans. Secondly, ensure you have back-up networks if your communications go down. And lastly, third-party supply chain risk is important and must be included in your business interruption plan.
“Companies need to respond better to attacks,” said Collins. “Significant disruption can come from a variety of sources and there is a need for better organisational preparedness.”
She said there was variation in the quality of response among corporates. “Those that did well had a sophistication of thinking and the rigour of testing and implementation of the learnings. Many organisations look at their response plan once a year. They need to do this more regularly, three to four times a year, and using a variety of scenarios,” she said.
The CrowdStrike outage also revealed the interdependencies that so many companies have in their digital infrastructure and raised questions about how this should be addressed. More thought has to go into the management of third-party vendors.
In most instances, third-party vendor risk programmes are run by procurement teams, said Kris Lovejoy, global practice leader, security and resiliency, for US-based IT infrastructure services provider Kyndryl.
What these teams will typically do is rank their third-party vendors in order of importance. “It might be a small organisation but it might be very important in terms of potential disruption to your business,” said Lovejoy.
“The obligations you will put on these companies will be different based on their importance. If it isn’t working, you need a new approach. You can’t treat all partners the same.”
Lovejoy also talked about the need to “rethink how we manage risk for digitally enabled businesses and stop separating organisations based on their job roles”.
One new job role that is becoming more frequent is the chief resilience officer, especially in Europe, where companies face the imminent introduction of the Digital Operational Resilience Act (DORA).
And a big part of that role is to work out what the company’s risk tolerance is, said Lovejoy. “A lot of businesses can’t decide what they can live without… You have to work out what’s most likely to break or go down and how long will it be down and how much will it cost me. You need to have that discussion and then test that process.”
“It is like living in a world of bacteria,” said Lovejoy. “You could sterilise yourself and never go out. But it is not realistic. Can you operate within certain levels? What notable incident would affect your bottom and top line? And if you’re not experiencing cyberattacks, you’re probably blind to them.”