Coalition: Modelling indicates CrowdStrike US cyber insurance loss below $1bn
The US cyber insurance industry loss from the recent CrowdStrike related IT outage is expected to come in below $1 billion, according to specialist insurer Coalition, with the company saying its modelling suggests a lower bound of $270 million or even lower, while the upper-bound is $960 million.
Writing in a blog post, Coalition co-founder and CEO Joshua Motta explained, “The CrowdStrike outage is the third material supply chain outage of 2024, following the outages of Change Healthcare, impacting thousands of hospitals, pharmacies, and medical practitioners, and software vendor CDK, impacting thousands of car dealerships. The potential for a cyber attack or systems outage, such as these, raises concerns about the potential for further large systemic losses.
“Still, despite the media hysteria and significant impact of these events, including the CrowdStrike outage, which has been called “the largest IT outage in human history,” we do not expect any to reach the levels of loss of natural catastrophe events that routinely impact the insurance industry.
“Our own modeling, leveraging our Active Cyber Risk Model, suggests a $0.96 billion industry-wide loss experienced by US cyber insurance policyholders at the upper bound prior to consideration of coverage limitations.
“Of course, any model of this event will also be highly sensitive to the least credible assumption (most likely, the share of impacted systems), which if reduced, would decrease our estimate to $0.27 billion (or lower).”
It’s another helpful input in understanding the ramifications of the CrowdStrike event for the cyber insurance and reinsurance market.
It also adds a further data point which firms up the general feeling that the cyber catastrophe bonds in the market could not be affected by an industry loss at this level.
Recall that, Parametrix, a specialist in parametric cloud downtime cyber insurance and reinsurance protection, released an insurance industry loss range of $540 million to $1.08 billion for the event.
Then CyberCube, a specialist modelling firm for cyber risks and exposures, estimated that insurance industry losses from the CrowdStrike linked global IT outage for the standalone cyber insurance market would be between $400 million and $1.5 billion.
As we explained, an industry loss of below $1.08 billion would not be anticipated to impact any of the cyber catastrophe bonds currently in-force, and we expect that to also be the case for an industry insured loss of below $1.5 billion.
There is a question over the global impact, but with the US market the largest source of insured cyber premiums, it seems unlikely adding in other regions of the world will raise the currently available industry loss estimates that much higher.
Motta, CEO of Coalition, further explained, “In very small part, this is the result of impacted organizations being insured for amounts far lower than their actual financial losses, but also because the cyber insurance industry has the advantage of affirmatively covering cyber perils, including thoughtfully designing coverage to avoid large systemic risk aggregation. Cyber insurance cynics also routinely (and massively) underestimate the amount of technological diversification across organizations that limit the possibility for systemic loss, as well as the ability of organizations to quickly learn, react, and even cooperate with others to dramatically reduce the severity of losses.
“Attempts to analogize cyber catastrophes with natural catastrophes are profoundly misguided as a result. Case in point: the 8.5 million computers impacted in the CrowdStrike outage account for less than 1% of computers running Windows, according to Microsoft, and represent an even smaller fraction of the estimated 10 billion+ computer systems in operation globally. Many, although not all, organizations were able to recover within hours, if not days.”
Looking ahead to how the experience of the CrowdStrike event may affect cyber insurers views on risk going forwards, Motta said it will likely accelerate changes already being enacted on cyber policies.
“Across the cyber insurance marketplace, and particularly among those with lesser capabilities, we expect these concerns will more likely be addressed by changing and, in some cases restricting or excluding coverage,” he explained. “Some insurers have already introduced catastrophic or widespread loss sub-limits and exclusions that may limit or exclude coverage for specific cyber losses that impact a large number of organizations.
“Others are adding dependent or contingent business interruption sub-limits, exclusionary language that may apply to organizations that weren’t direct targets (but suffer consequences of a supply chain cyberattack), or removing the coverage altogether, even if only temporarily.”
Motta added, “Undoubtedly, this will continue to be a topic of great interest for (re)insurers, regulators, and the broader cybersecurity community as a mere fifteen companies worldwide account for 62% of the market for cybersecurity products and services.
“The fallout from this event illustrates the very real public policy tension that exists between the benefits of economies of scale and the risks associated with concentration. We also expect that impacted companies and their insurers will pursue indemnification from CrowdStrike, whose liability remains to be determined.”
Also read:
– CrowdStrike event can build more confidence in cyber cat bonds: Hatzor, Parametrix.
– CyberCube estimates insured losses from CrowdStrike event at $400m to $1.5bn.
– Parametrix estimates CrowdStrike insured losses at between $540m and $1.08bn.
– Beazley CrowdStrike losses expected well-below cat bond attachment: Berenberg.
– Beazley says no change to combined ratio guidance after CrowdStrike.
– CrowdStrike tests cyber cat bonds & reinsurance, demonstrates importance: Aon’s Egan.
– CrowdStrike outage: Cyber cat bond prices stable, uncertainty palpable.
