
Cyber Event Analysis: A Global Outage with Widespread Impact


On July 18, 2024, cybersecurity company CrowdStrike released a software update for its Falcon Sensor product, which is designed to detect malicious threats at a computer system’s endpoints. The update resulted in the widespread crashing of computers using Microsoft Windows operating systems. Thus far, the update has only affected Microsoft users, and there has been no report of other operating systems being impacted. The system failure caused by the CrowdStrike update impacted a broad cross-section of industries, including airlines, banks, retailers, hospitality and more. 

The event demonstrates a single point of failure for a complex, global information technology supply chain. Cyber insurers should use this event to evaluate policyholder supply chain dependencies, assess the potential for aggregation across commonly used technologies, and recalibrate risk tolerances accordingly.  

 


Loss Components 

Cyber insurance provides for broad coverage of business interruption resulting from network outage. The trigger for this coverage includes System Failure resulting from non-malicious acts, including human error. That coverage extends to Contingent Business Interruption (CBI) caused by an outage of a vendor on which an insured relies to operate its network. 

Critical for evaluating network interruption claims will be the policy waiting period: the length of time the network must be impaired before the policy responds. Typical cyber waiting periods vary depending on industry class and organizational size, with 4–12 hours being most common.

CBI losses arising from a widely deployed technology present reinsurers with an acute risk for unexpected aggregation. Technologies with large market shares create potential single points of failure that can lead to systemic events yielding claims from a large number of insureds.  

 

Modeling The Incident 

While modeling scenarios do not account specifically for widespread outages due to software updates, there are sufficient analogous scenarios for estimating losses from the event, including business interruption and extra expense. These scenarios typically contemplate companies losing control over IT-related services, the impacts on customers and sales, and the potential for slow recovery.  

While actual losses will vary from modeled instances based on the specific circumstances, such scenarios can establish a directional foothold for cedents to address systemic exposures. Guy Carpenter is currently engaged with the cyber catastrophe vendors for their analysis of this event and is forming its own view to share with clients.

 

Impacts On Cyber Reinsurance 

System failure losses will be in scope for traditional proportional and aggregate structures, which respond to all causes of loss. In recent renewal cycles, buying behavior selectively shifted toward targeted catastrophe covers, many of which respond to specifically defined catastrophic scenarios. Event-based products and the definitions behind them are unique to the cedent’s view of risk and how coverage was negotiated. Recoveries from event-based products will differ based on how each underlying wording differentiates coverage between malicious and non-malicious cyber incidents. As this incident progresses, Guy Carpenter will clarify its impacts on the assumptions around tail risk and the overall USD 15.5 billion global cyber industry moving forward. 

Beyond Cyber Insurance 

Given the magnitude and scope of this outage, we may see consequences that affect product lines beyond cyber risk, most prominently directors & officers (D&O) and property/casualty (P&C).   

  • D&O. We may see implications on the D&O towers for companies either involved in or impacted by today’s incident. In general, a 10% intraday stock drop for a publicly traded company may incentivize the plaintiffs’ bar to file a class action lawsuit. Subsequent share price moves and any ultimate recovery may also impact the likelihood of litigation. Historically, securities class actions arising from technology incidents have fared poorly. In addition to securities class actions, companies that are either involved in or impacted by the event may face increased exposure if they struggle to restore operations and may face shareholder derivative suits alleging the board’s breach of fiduciary duty.
  • P&C. With the continued integration of information technology and operational technology, insurers must also consider the physical consequences that may arise from technology failures. Potential exposure for P&C policies will depend on how insurers address cyber as a peril and whether the policy includes a “silent cyber” exclusion. Policies remaining silent on cyber risk may be exposed to ensuing bodily injury or property damage as a result of cyber-related system failure.

 

Guy Carpenter supports our clients through complex market developments. Our Cyber Center of Excellence analyzes reinsurance event language and stress tests its efficacy against potential cyber losses. The GC CyberExplorer® DataLake provides our clients with up-to-date intelligence for assessing the various dimensions of technology events, including software failure and network outages. Broad impact and large-scale events are part of developing a thriving insurance and reinsurance marketplace. Assessing events like today’s outage matures the view of catastrophe potential and advances structural considerations for protection. 
