CrowdStrike: Why did insurers get off quite lightly?

Author: Daniel Wood


Following the CrowdStrike security update disaster, many thousands of claims on cyber policies, business interruption (BI), travel and event cancellation coverages are still being tallied. The largest IT outage in history cost an estimated US$5.4 billion in damages.

However, reports suggest insurance firms are probably off the hook.

Estimates of insured losses range between US$300 million and US$1 billion. Global reinsurance broker Guy Carpenter has reported that less than 1% of companies with cyber insurance globally were affected.

One reason: compared to a cyberattack, this outage’s non-malicious nature limited overall impact.

Also important for insurers, according to experts, was the speedy deployment of a fix. This allowed many organizations to deal with the issue before the typical four- to 12-hour waiting period for BI claims expired.

What are the lessons for insurers?

However, one striking feature remains: the outage appeared to blindside many cyber and IT security experts. What lessons should the insurance industry take home from this event?

Global brokerages, including Aon, released briefing reports. Insurance Business reached out to these firms and other industry leaders for views.

London-based Rory Egan is head of cyber analytics for Aon’s Reinsurance Solutions. He described the disruption as “the most important widespread event for the cyber insurance market, since NotPetya in 2017.”

NotPetya was a ransomware attack, originating in Ukraine, that impacted dozens of countries and, according to some estimates, caused more than US$4 billion in damage costs.

However, he offered an arguably reassuring estimate of losses from the CrowdStrike event.

“At this stage the loss potential might be between 5% and 15% of total annual cyber premiums,” said Egan. “That is interesting as it roughly aligns with the annual ‘catastrophe load’ set aside by cyber insurers to cover widespread cyber and IT events, so called ‘Cyber CATs’.”

Rapid response and timing

He attributed the relatively low losses to the rapid response from both CrowdStrike and IT teams around the world.

“The timing of the event was also a factor as the impact was felt more acutely in time zones such as Australia who were not sleeping through the initial outage caused by the defective update,” said Egan.

In Australia, Matthew Koce is CEO of Members Health Fund Alliance, the peak body for the country’s private health insurers.

“Of immediate concern was consumers and making sure private health insurance claims could still be processed,” said Melbourne-based Koce.

He said health insurers were able to contain any impacts within hours and without causing significant disruptions to customers – despite the incident happening during a working day.

“By Friday evening everything was pretty much resolved,” said Koce. “We are certainly not hearing any complaints from consumers.”

Did government regulations help?

One reason Australian insurers avoided significant losses, he suggested, was local government regulations.

“Being an APRA [Australian Prudential Regulation Authority] regulated industry, all health insurance funds have detailed risk strategies in place and there is a lot of scrutiny around IT that even extends to independent audits and assessments,” said Koce. “The risk of a cyber breach or an IT shutdown is one of the things that keeps most health funds and regulators awake at night.”

Egan said the event underlines how cyber and IT risks come in many forms, including malicious attacks and IT outages – and can even originate from leading cyber security companies.

“‘It can happen to anyone’, and the widespread impact highlights the interdependent nature of software ecosystems,” he said.

No tech is 100% guaranteed

Koce said the CrowdStrike incident is a reminder that however large or sophisticated a third-party provider is, the smooth operation of technology cannot be taken for granted and 100% guaranteed.

“Organizations need to have robust risk management processes and practices in place that prepare them for worst case scenarios,” he said.

Koce said key lessons for all businesses include the importance of back-up redundancy systems and processes and also transparent communication with stakeholders during a crisis.

“To its credit, CrowdStrike did keep the lines of communication open throughout the incident and worked quickly and professionally to resolve the issue,” he said.

Are some cyber policies too limited?

In a blog, Joshua Motta, CEO of Coalition Insurance Solutions (Coalition), a global cyber insurance provider, suggested the incident will raise awareness around the current limitations on many cyber policies.

One example is BI cover linked to cyber policies that only kicks in after 12 hours.

He said the event also serves as a warning of the dangers of economies of scale.

“A mere fifteen companies worldwide account for 62% of the market for cybersecurity products and services,” said Motta. “The fallout from this event illustrates the very real public policy tension that exists between the benefits of economies of scale and the risks associated with concentration.”
