Zywave Cyber Front Page News
- Monday, July 29, 2024
Modelers predict insured losses of $400M to $1.5B for CrowdStrike outage
Preliminary estimates from cyber modeling firms put the insured losses from the July 19 CrowdStrike outage between $400 million and $1.5 billion, and direct financial losses to the Fortune 500 firms affected at $5.4 billion.
Cyber catastrophe modeling firm CyberCube predicted a range of $400 million to $1.5 billion, while cloud monitoring and modeling firm Parametrix estimated insured losses between $540 million and $1.08 billion. Cyber insurance provider Coalition estimated an industry-wide loss of $0.96 billion for the U.S. cyber insurance market “at the upper bound.”
A defective software update issued by cybersecurity firm CrowdStrike triggered the IT meltdown, knocking some 8.5 million Windows devices offline. Organizations across a range of industries, including airlines, financial services firms, hospitals, government entities, and more, faced a “blue screen of death” and business disruption as a result.
According to CyberCube, the losses could rank the event as the “largest single insured loss event in the history of the affirmative cyber insurance industry” in 20 years. The magnitude of loss as currently estimated would be in the range of a 1-in-2-year to 1-in-6-year event, based on CyberCube’s modeled loss return periods, and would have a 3% to 10% loss ratio effect on the $15 billion global cyber market.
“The CrowdOut event is a major event for the cyber insurance market but does not come close to the destructive potential that leading insurers are holding capital against,” said the CyberCube team in a blog post, adding, “For example, had this event been a malicious attack that deployed ransomware bricking a large number of computer systems the losses would have been far worse.”
The event impacts are still unfolding, CyberCube noted, and ultimate losses will depend significantly on how insurers’ policies handle non-malicious system failure, contingent business interruption, and the range of insureds affected by the event.
Both CyberCube and Parametrix noted that cyber insurers with more large corporate exposures in their books of business would likely see more of an impact than those focusing on small to middle-market enterprises. However, the CrowdStrike event has also had an impact on firms that do not use CrowdStrike’s cybersecurity software but rely on third-party vendors that do.
Financial impact for F500 firms
Parametrix calculated the direct financial losses for Fortune 500 companies affected by the event to be $5.4 billion. The $540 million to $1.08 billion insured loss estimate represents 10% to 20% of the total, with large risk retentions and lower policy limits available for the system outage limiting the recovery under cyber insurance policies, according to a statement from Parametrix.
“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries,” said Jonatan Hatzor, co-founder and CEO of Parametrix, in a statement. “It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimize the potential impacts of systemic cyber risk.”
Parametrix’s estimates for Fortune 500 companies break down into an average $44 million in direct financial losses per company, ranging from $6 million for manufacturers to an average of $143 million for airlines. Other average estimates include $113 million for software firms; $72 million for banking; $65 million for healthcare; and $17 million for finance.
The largest estimated industry sector loss is likely to be in healthcare, estimated at $1.938 billion by Parametrix, followed by banking at $1.149 billion. The totals do not include Microsoft but do cover 125 impacted Fortune 500 companies.
In a blog post, Coalition CEO Joshua Motta commented that while this event and the Change Healthcare and CDK Global events of earlier this year highlight systemic risk, the 8.5 million devices impacted represent less than 1% of all computers running Windows in the world. The relatively low estimates for the event are due in part to cyber insurance limits as well as the industry’s efforts to prevent aggregated loss.
“Cyber insurance cynics also routinely (and massively) underestimate the amount of technological diversification across organizations that limit the possibility for systemic loss, as well as the ability of organizations to quickly learn, react, and even cooperate with others to dramatically reduce the severity of losses,” said Motta. “Attempts to analogize cyber catastrophes with natural catastrophes are profoundly misguided as a result.”