CrowdStrike tests cyber cat bonds & reinsurance, demonstrates importance: Aon’s Egan
The CrowdStrike IT outage incident shows the need for a more granular understanding of coverage under cyber reinsurance portfolios and catastrophe bonds, but also demonstrates the importance of continued development of these instruments, as they provide critical coverage to the cyber insurance market.
In an update, Aon’s Reinsurance Solutions explained, “Cyber insurance portfolios containing system failure coverage for these industries and others may see claims, however the extent to which this is a covered event for insureds will vary.
“This event highlights the interconnected nature of software ecosystems, and presents an industry learning opportunity to reassess approaches to addressing portfolio accumulation risk.”
As a non-malicious event, Aon’s Reinsurance Solutions cyber team noted that the relevant trigger for cyber policies will be under system failure coverage.
Business interruption, so coverage for loss of income and extra expenses incurred, is “expected to be the most directly affected head of damage, subject to applicable waiting periods,” the broker said.
Also noting that, “Dependent business interruption, data restoration, incident response and voluntary shutdown costs may also be applicable and contribute to re/insured losses.”
For individual risk cyber insurance underwriters, Aon said that the CrowdStrike event will bring greater attention to system failure coverage grants and business interruption waiting periods.
While at the portfolio level, Aon said it “sees this event as an opportunity for the market to react by improving granularity on codifying policy information important for understanding portfolio accumulation risks stemming from certain coverage grants, to allow more nuanced event loss estimation and accumulation scenario analysis.”
The specific insurance, reinsurance and cyber catastrophe bond products that have been developed by the market will be tested by this event, Aon said, “both from an event definition and loss quantum perspective.”
Aon highlighted that coverage wordings are critical in determining how losses flow after the CrowdStrike IT outage around the world, with differences across policies for the system failure trigger as some carriers include this as standard, others do not.
“We understand that deviation from standard forms is common, for example to regularly add system failure triggered coverage as an endorsement, or conversely to restrict coverage on risks and industries of particular concern e.g. airlines, which in this event and in previous system failure events incur massive costs immediately when systems are down,” Aon said.
Aon also notes the differences in waiting periods for business interruption under cyber insurance policies, as well as the fact cedent specific factors will also drive their ability to make claims under the policies, while dependent business interruption will be a further driver of claims, but also uncertainty as it is often harder to pin down where those may come from.
Overall, Aon’s Reinsurance Solutions team said, “This is likely to be the most important cyber accumulation loss event since NotPetya in 2017.”
But, the overall loss quantum is uncertain, and will depend primarily on “the prevalence of coverage for system failure, which varies across the market, and the duration until successful manual remediation at each affected insured, versus the applicable waiting periods on their cyber policies,” Aon said.
“This event brings into focus the need for greater transparency of system failure coverage grants, waiting periods and in general a more granular approach to tracking coverage items relevant for monitoring aggregations at portfolio level,” the broker continued.
Adding that, “Specific coverage for events with widespread impact such as this is a developing area of the cyber market, featuring in a subset of original policies, reinsurance treaties and catastrophe bonds.”
For these, event focused reinsurance and catastrophe bond covers, Aon noted that the CrowdStrike outage will raise questions around the wording of the products, such as whether non-malicious events are actually covered.
In addition Aon says this will raise questions over the “threshold aspect” for reinsurance and cyber cat bonds, explaining, “Does the event “qualify” as an event of required magnitude and will the attachment points of cover be reached?”
Rory Egan, Head of Cyber Analytics, Aon Reinsurance Solutions, commented on the event, “Specific coverage for events with widespread impact, such as this one, is a developing area of the cyber market, featuring in a subset of original policies, reinsurance treaties and catastrophe bonds.
“This event demonstrates the importance of further developing these products.”
Also read: CrowdStrike outage: Cyber cat bond prices stable, uncertainty palpable.
Read about every cyber cat bond transaction, including the first private cat bond deals and the more recent 144A cyber cat bonds, by filtering our Deal Directory by peril to view only cyber cat bond transactions.