In the wake of the CrowdStrike security update disaster, thousands of claims for cyber insurance policies, business interruption, travel, and event cancellations are still being reviewed. The largest IT outage in history cost an estimated $5.4 billion in damages.

However, reports suggest that insurance companies may be off the hook.

Insured losses are estimated to be between $300 million and $1 billion. Global reinsurer Guy Carpenter reported that less than 1% of companies with cyber insurance worldwide were affected by the incident.

One reason: Compared to a cyberattack, the non-malicious nature of this outage limited the overall impact.

Deploying solutions quickly is also important for insurance companies, experts say. This has allowed many organizations to address the problem before the typical four- to 12-hour waiting period for accident claims ends.

What lessons can insurance companies learn?

But one thing remains striking: The outage seemed to catch many cybersecurity and IT experts off guard. What lessons should the insurance industry learn from this event?

Global brokers, including Aon, have issued briefing papers. Insurance Business reached out to these and other industry leaders for their views.

Rory Egan (main image above), head of cybersecurity analytics at Aon Reinsurance Solutions, describes the disruption as “the most widespread and significant event in the cyber insurance market since NotPetya in 2017.”

NotPetya was a ransomware attack that started in Ukraine, affected dozens of countries, and, by some estimates, caused damage costs of over $4 billion.

However, he did give a somewhat reassuring estimate of the losses caused by the CrowdStrike event.

“At this point, the loss potential could be anywhere from 5% to 15% of total annual cyber insurance premiums,” Egan said. “This is interesting because it is roughly in line with the annual ‘catastrophic load’ that cyber insurers allocate to cover widespread cyber and IT events, called the ‘cyber catastrophic load.’”

Quick response and timing

He attributed the relatively low losses to the rapid response by CrowdStrike and IT teams around the world.

“The timing of the event was also a factor as the impact was more severe in time zones like Australia that were not sleeping during the initial outage caused by the faulty update,” Egan added.

In Australia, Matthew Coss (pictured below) is CEO of the Members Health Fund Alliance, the country’s top body for private health insurers.

“The immediate focus was on consumers and making sure private health insurance claims could be processed,” said Melbourne-based Kochi.

He added that health insurance companies were able to contain any impact within hours and without causing major disruption to customers – despite the attack occurring during a business day.

“By Friday evening, everything was almost resolved. We certainly haven’t heard any complaints from consumers,” Kochi said.

Did government laws help?

He pointed out that one of the reasons Australian insurance companies have avoided large losses is the regulations imposed by local governments.

“As an industry regulated by the Australian Healthcare Regulatory Authority, all health insurers have detailed risk management strategies and there is a great deal of scrutiny around IT, extending even to independent audits and assessments,” said Koss. “The risk of a cyber breach or IT shutdown is one of the things that keeps most health insurers and regulators up at night.”

The event highlights how cyber and IT risks come in many forms, including malicious attacks and IT outages — and can even originate from leading cybersecurity companies, Egan said.

“This could happen to anyone, and the widespread impact highlights the interconnected nature of software ecosystems,” he added.

No technique is 100% guaranteed.

The CrowdStrike incident is a reminder that no matter how large or sophisticated a third-party provider is, the smooth operation of technology cannot be taken for granted and guaranteed 100%, Kochi said.

“Organizations need to have robust risk management processes and practices in place that will prepare them for worst-case scenarios,” he added.

Key lessons for all companies include the importance of backup systems and processes as well as transparent communication with stakeholders during crises, Kochi said.

“CrowdStrike kept the lines of communication open throughout the incident and worked quickly and professionally to resolve the issue,” he added.

Are some cyber policies too limiting?

In a blog post, Joshua Motta, CEO of Coalition Insurance Solutions (Coalition), a global cyber insurance company, suggested that the incident would raise awareness about the current limitations of many cyber insurance policies.

“Many cyber insurance policies have limitations or exclusions that may limit coverage for certain types of system outages or widespread disruptions that could result in large systemic aggregation events,” said Motta, who is based in Los Angeles.

For example, business intelligence policies related to cybersecurity coverage that do not take effect until after 12 hours.

He added that the event also serves as a warning about the dangers of economies of scale.

“Only fifteen companies globally account for 62% of the cybersecurity products and services market,” Motta said. “The implications of this event illustrate the real tension in public policy between the benefits of economies of scale and the risks associated with concentration.”

What lessons do you see learned from the CrowdStrike outage? Please let us know below.