The 19 July cyber security software incident at CrowdStrike is unlikely to have a material impact on global (re)insurer financial results, Fitch Ratings says.
Preliminary market estimates of global insured losses, which range from the mid to high single-digit billions of dollars, would not translate into a material impact for (re)insurers, but they remain subject to ongoing claims and litigation.
The insurance lines most affected will be business interruption, contingent business interruption, and cyber. Several smaller lines such as travel insurance, event cancellation, and technology errors and omissions will also be affected. Policy terms and conditions vary considerably across regions, sectors, and lines of business.
Several mechanisms will limit insured losses, including lack of insurance coverage, high deductibles, sublimits, and time element periods for business interruption claims. Most business interruption claims from cyber events have time element periods that range from eight to 12 hours. We expect claims will be mostly within the retentions of primary insurers.
Sectors such as hospitals and airlines will be more affected, as they require 24/7 availability and often lack robust redundancies. The APAC and EMEA regions had more of their work day affected by the outage than the Americas, where a fix was available, although applying it requires physical access to each affected machine and in some instances access to a recovery key.
The incident highlights the growing risk of single points of failure (SPoFs). SPoFs are critical bottlenecks in the delivery of systems that, if impacted, have an outsized effect on the whole system. SPoF risk has been modelled for cloud outages and for widely used software such as operating systems. However, it has not been well modelled or understood for industry-specific software such as CrowdStrike or, more recently, ChangeHealth.
Cyber risk remains difficult for insurers to assess because the root causes of claims keep changing. Challenges include a lack of effective, widely accepted modelling tools and a limited data set of historical claims, where past events are not necessarily indicative of future risks. Early insurance-linked securities (ILS) deals within the spectrum of cyber-risk transfer will comprise cyber risks that are easier to model and quantify, and will be of modest size.
Aon discusses (re)insurance implications of CrowdStrike outage
According to Aon, the key implications for cyber re/insurance include:
• This is reported to be a non-malicious event, meaning that “system failure” coverage, where offered, within cyber re/insurance policies is the relevant loss trigger
• Business interruption (loss of income and extra expenses incurred), where offered due to system failure, is expected to be the most directly affected head of damage, subject to applicable waiting periods
• Dependent business interruption, data restoration, incident response and voluntary shutdown costs may also be applicable and contribute to re/insured losses
• At the individual risk level, Aon expects this event to trigger greater attention to system failure coverage grants and business interruption waiting periods
• At the portfolio level, Aon sees this event as an opportunity for the market to react by improving granularity on codifying policy information important for understanding portfolio accumulation risks stemming from certain coverage grants, to allow more nuanced event loss estimation and accumulation scenario analysis.
• The industry has developed specific re/insurance and bond products which this event will test, both from an event definition and loss quantum perspective.
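To make the loss-limiting mechanics in the Fitch note (waiting periods, deductibles, sublimits, primary retentions) and Aon's accumulation scenario point concrete, the following is an added worked model; it is not code from Fitch, Aon or CrowdStrike. The portfolio, the hourly loss rates and the retention figure are constructed, and the policy structure (one system-failure BI sublimit per policy, one aggregate retention for the primary insurer) is a simplifying assumption.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    """Constructed cyber policy with a system-failure business-interruption (BI) grant."""
    insured: str
    hourly_bi_loss: float          # income lost per hour of downtime (constructed)
    outage_hours: float            # hours the insured was actually down
    waiting_period_hours: float    # time element / waiting period; 8-12 h is typical
    deductible: float              # retained by the insured before cover attaches
    bi_sublimit: float             # cap on the system-failure BI grant
    system_failure_covered: bool   # non-malicious event: only "system failure" cover responds


def insured_bi_loss(p: Policy) -> float:
    """Amount the primary insurer pays on one policy for this event."""
    if not p.system_failure_covered:
        return 0.0                                   # no trigger, no claim
    covered_hours = max(0.0, p.outage_hours - p.waiting_period_hours)
    gross = covered_hours * p.hourly_bi_loss         # loss after the waiting period
    after_deductible = max(0.0, gross - p.deductible)
    return min(after_deductible, p.bi_sublimit)      # sublimit caps the payout


def event_scenario(policies: list[Policy], primary_retention: float) -> dict[str, float]:
    """Aggregate economic vs insured loss, and how much would reach reinsurers.

    primary_retention is assumed to be a single per-event aggregate retention.
    """
    economic = sum(p.outage_hours * p.hourly_bi_loss for p in policies)
    insured = sum(insured_bi_loss(p) for p in policies)
    ceded = max(0.0, insured - primary_retention)
    return {"economic_loss": economic, "insured_loss": insured, "ceded_to_reinsurer": ceded}


# Constructed sample portfolio: a 24/7 hospital and airline take the biggest hits, an
# Americas office recovered inside its waiting period, a retailer bought no system-failure cover.
SAMPLE_PORTFOLIO = [
    Policy("hospital", 50_000, 30, 12, 100_000, 1_000_000, True),
    Policy("airline", 200_000, 24, 8, 250_000, 2_000_000, True),
    Policy("office_americas", 10_000, 6, 8, 25_000, 500_000, True),
    Policy("retailer_no_sf_cover", 30_000, 20, 10, 50_000, 750_000, False),
]

if __name__ == "__main__":
    for policy in SAMPLE_PORTFOLIO:
        print(f"{policy.insured:22s} pays {insured_bi_loss(policy):>12,.0f}")
    print(event_scenario(SAMPLE_PORTFOLIO, primary_retention=5_000_000))
```

Run against the sample portfolio, the economic loss is several times the insured loss, and the insured total sits entirely inside the constructed primary retention, which is the shape of outcome the Fitch note describes.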