Cyber insurance losses related to the CrowdStrike outage will be driven by business interruption, Moody’s has highlighted in a recent report, who also warned that determining final losses for the industry will be a lengthy process due to cyber insurance policy language not being standardised.
Caused by a flawed software update for certain Windows hosts released by the cyber security firm CrowdStrike, the July 19 IT outage caused insured losses that appear to be a limited event for property and casualty (P&C) insurers, according to the agency.
The event generated losses through cyber insurance policies. “However, determining final losses for the industry is likely to be a lengthy process because cyber insurance policy language is not standardised,” Moody’s stated.
Adding: “It will take time for insurers to determine which customers suffered losses from the outage, and whether those losses are covered.”
Parametrix has estimated $5.4 billion in economic losses from the event, with insured losses likely to be no more than 10%-20% of economic losses ($540 million to $1.08 billion).
Business interruption, a primary contributor to losses from cyber incidents, will drive most of these losses.
Moody’s noted that, as these losses “were not caused by a cyberattack, claims will be made under “systems failure” coverage, which is becoming standard coverage within cyber insurance policies.”
Analysts continued: “Claims from the outage will be made for direct losses to the insured because of their own system failure as well as contingent business interruption caused by an insured’s vendor being affected by the outage. A smaller number of claims may emerge from technology errors and omissions policies.”
This global outage revealed the broad risks posed by a single point of failure and the degree to which many segments of the economy are interconnected and interdependent, Moody’s highlighted, and compared it to supply chain cyber attack.
The event affected multiple industries, including airlines, healthcare and financial services.
Several factors will limit the number and size of claims, such as waiting periods in some cyber insurance policies, self-insured retentions or the timing of the outage.
The report also noted that, as many primary P&C insurers manage their exposures using reinsurance, most often through quota share arrangements. Reinsurers’ losses will depend on the underlying primary insurance coverage and the terms of the reinsurance contracts.
Moody’s concluded: “We expect underwriters will evaluate the scope and nature of the event and adjust their underwriting, focusing on systems failure coverage. Although insurers have improved their ability to analyse potential insured losses related to individual data breaches, ransomware losses, and business interruption, it remains challenging to analyse widespread outages.
“Cyber modelling has advanced, but the risks are constantly evolving, which creates uncertainty around return periods and the likelihood of an event. The CrowdStrike outage will prompt further scrutiny of risk aggregations and modelling practices and spur demand for cyber insurance.”
