CrowdStrike is the cyber insurance market's first stress test

The recent CrowdStrike IT outage is forcing cyber insurers to look again at how they handle systemic cyber threats.

Caused by a faulty software update, the incident – now commonly known as CrowdOut – caused global disruption across businesses, hospitals and airports. It is still not known exactly what the industry impact will be, but preliminary estimates for insured losses range from $400m to upwards of $1bn.

Data from wholesale broker Amwins suggests of the sectors heavily affected by the incident – including banks, airlines, healthcare providers and telecom businesses – median rates per million in coverage now range from $3,200 to $7,300. More than half of insureds have purchased cyber limits of $1m, it adds, meaning if even a portion of CrowdOut losses are caught by cyber plans it could have a material impact on insurers’ loss ratios.

Modelling firm CyberCube has published an initial industry loss estimate of between $400m and $1.5bn, which would represent a loss ratio impact of 3% to 10% on the current global cyber premiums. If true, it has yet to feed through to insurers. Lloyd’s re/insurer Beazley, which underwrites a substantial cyber insurance book, recently confirmed it will maintain its undiscounted combined ratio guidance of “low 80s” for the 2024 fiscal year.

What CrowdOut has already done is highlight the unified nature of today’s digital economy. The incident revealed “the broad risks posed by a single source of failure” and the degree to which many segments of the economy are now interdependent, modelling firm Moody’s RMS said. When a key player such as CrowdStrike causes an outage, the ripple effects are felt across multiple industries, highlighting the systemic risks inherent in today’s interconnected world.

The insurance industry’s response has been telling. Some carriers have already introduced exclusions for CrowdStrike incident losses, reflecting a growing concern about the integrity and sustainability of the cyber and technology errors and omissions (E&O) marketplace, according to Amwins. The broker expects these developments to drive the market towards building in additional exclusions for systemic events and related losses.

Cyber managing general agent Coalition says some underwriters are also adding dependent business interruption (DBI) or contingent business interruption (CBI) sub-limits, exclusionary language for organisations that were not direct targets, or temporarily removing coverage altogether. CrowdOut is the third material cyber supply chain outage so far in 2024, it adds, albeit affecting less than 1% of Windows computers.

Determining the final losses from the CrowdStrike outage is likely to be a lengthy process, driven in part by the non-standardised language of cyber insurance policies, Moody’s RMS says.

Many of the claims are expected to be made under systems failure coverage, which has become a standard inclusion in cyber insurance policies because of the significant contribution business interruption makes to losses from cyber incidents.

The event has undoubtedly made underwriters and their insureds more aware of the co-ordinated nature of today’s computing systems. The insurance industry may witness underwriters collectively pushing for greater clarity and consistency in their approach to business interruption and system failure wordings within their policies – something that has so far eluded the industry.

There is also likely to be a concerted effort to pursue shared losses across other lines of coverage as the market seeks to determine the extent of liability, Amwins suggests.

Analysts at Jefferies suggest the event could become a positive catalyst for the wider cyber insurance market, arguing the high-profile nature of the CrowdStrike outage might support increased demand for cyber insurance and lead to positive rate changes.

After a period of rate pressure in the cyber market, such developments might be well received. The relative immaturity of cyber insurance products compared with other lines of business could mean CrowdStrike serves as a proof of concept for future policy adjustments.

Whatever the final insured losses from the incident end up being, it is clear from the early reaction of underwriters the insurance industry is treating this as a stress test for cyber policies.

How these policies will ultimately end up changing – and how resilient they end up being to a truly global scale cyber event – is yet to be determined.