EDITOR'S COMMENT

In the early hours of the morning of 19th July, cyber security firm CrowdStrike released an update to its endpoint detection and response tool Falcon, containing a software coding flaw that sent Microsoft devices everywhere crashing. CrowdStrike introduced a fix, but not before the impact spread to companies around the world.

Insured losses from the outage appear thus far to be limited for property and casualty insurers, though determining final losses for the industry is likely to be a lengthy process due to the non-standard language used in cyber insurance policies.

The outage – and certainly the subsequent dreaded ‘blue screen of death’ – might have taken the public by surprise, but cyber insurance professionals less so, having long anticipated the scenario amongst numerous others modelled by insurers and reinsurers.

Estimates from Parametrix suggest the equivalent of £4.1bn in economic losses from the event, with insured losses likely to be no more than 10% to 20% of that figure, while CyberCube’s insured loss estimates stand at somewhere between £306m and £1.1bn for the standalone cyber insurance market. This means the CrowdStrike event could turn out to be the largest single insured loss event in the history of the affirmative cyber insurance market.

Most losses from the outage are expected to be business interruption, according to analysis from Moody’s. Because losses were not caused by a cyber attack, claims will be made under systems failure coverage, which is becoming standard coverage within cyber insurance policies, it says, adding that claims from the outage will be made for direct losses to the insured because of their own system failure, as well as contingent business interruption caused by an insured’s vendor being affected by the incident. In addition to that, it expects a small number of claims may emerge from technology errors and omissions policies.

Several factors are expected to limit the number and size of claims. Cyber insurance policies have minimum waiting periods, generally between eight and 12 hours, before an outage triggers BI coverage (although this time varies between companies and industries).

Cyber policies also come with self-insured retentions. Further, systems failure for non-malicious acts might not be covered by some policies, or may be subject to sublimits.

The effect of the outage was akin to that of a supply chain cyber attack, with multiple industries affected – from airlines and supermarkets to financial services, with numerous Fortune 500 companies’ IT systems disrupted – revealing the broad risks posed by a single point of failure, and the high degree of interconnectivity and dependence in today’s economy.

A snap poll of 500 risk professionals from across the UK and Europe revealed that 62% were directly or indirectly impacted by the global outage. Conducted by Aon, the survey revealed that 83% of the organisations polled had an incident response plan in place, of which 24% underperformed.

A separate poll – this time from insurer Beazley, and conducted amongst a much wider sample – suggests that nearly a quarter of global boardrooms are unprepared for cyber risks. The survey of almost 3,500 global businesses revealed that, despite the growing risk landscape, senior executives have something of a ‘blind spot’ when it comes to cyber risk, with only 23% ranking it as their top risk this year, down from 34% in 2021. Some 69% of the global firms surveyed also said they believed their existing cyber defences to be robust enough to deal with a cyber attack – a bold statement considering the impact of this recent widespread but non-malicious event.

Rather than being a market-turning event, the CrowdStrike incident has become a test of coverage and response, and acts as a reminder to businesses to review cyber security measures, plans and insurance cover in preparation for the next disruption – non-malicious or otherwise.



This article was published in the Q3 2024 issue of CIR Magazine.
