
CrowdStrike Outage Could Cost Cyber Insurers $1.5 Billion

Most Claims Will Be Made Under 'Systems Failure' Coverage, Says Moody's Ratings
A bad update from CrowdStrike on July 19 sent millions of Windows machines into a looping "blue screen of death." (Image: Shutterstock)

The global IT outage triggered by a faulty CrowdStrike software update on July 19 could lead to cyber insurers paying out up to $1.5 billion in compensation.


That's the conclusion of cyber risk analytics platform CyberCube, which in a Thursday report said the insurer losses range from $400 million to $1.5 billion. Those figures represent 3% to 10% of the $15 billion in global cyber premiums held today.

The final insurance payout total will take time to emerge. "Determining final losses for the industry is likely to be a lengthy process because cyber insurance policy language is not standardized," Moody's Ratings said in a Monday report. "It will take time for insurers to determine which customers suffered losses from the outage, and whether those losses are covered."

Most claims will center on losses due to "business interruption, which is a primary contributor to losses from cyber incidents," it said. "Because these losses were not caused by a cyberattack, claims will be made under 'systems failure' coverage, which is becoming standard coverage within cyber insurance policies." But not all systems-failure coverage will apply to this incident, it said, since some policies exclude nonmalicious events or require losses to reach a certain threshold before coverage is triggered.

The outage resembled a supply chain attack, since it took out multiple users of the same technology all at once - including airlines, doctors' practices, hospitals, banks, stock exchanges and more.

Cyber insurance experts said the timing of the outage will also help limit the number of claims insurers are likely to see. At the moment CrowdStrike sent its faulty update, "more Asia-Pacific systems were online than European and U.S. systems, but Europe and the U.S. have a greater share of cyber insurance coverage than does the Asia-Pacific region," Moody's Ratings said.

The outage, dubbed "CrowdOut" by CyberCube, led to 8.5 million Windows hosts crashing to a Windows "blue screen of death" and then getting stuck in a constant loop of rebooting and crashing. Many IT teams, with help from CrowdStrike and Microsoft, have been working nonstop since then to recover affected systems.

By Thursday, CrowdStrike reported customers had successfully restored 97% of affected Windows PCs, servers and virtual machines.

Cloud outage risk modeler and underwriting agency Parametrix Solutions said the outage directly affected one-quarter of the 500 most profitable publicly traded U.S. companies. Those corporations will collectively see $5.4 billion in direct losses as a result, it forecast (see: CrowdStrike Outage Losses Will Hit Healthcare, Banking Hard).

That estimate doesn't include expected "very significant intangible losses" for Microsoft, Parametrix said, stating that those remain difficult to predict.

Moody's Ratings expects the CrowdStrike outage to "spur demand for cyber insurance" by new policyholders, as well as drive the market to further refine its "cyber modeling" to take into account not just ransomware and data breaches but more widespread outages such as the CrowdStrike disruption.

Unlike the SolarWinds supply chain attack or last year's attacks on internet-facing Microsoft Exchange servers, the outage didn't stem from malicious activity. It wasn't combined with crypto-locking malware, extortion, cyberespionage or other nefarious activity. "Had this event been a malicious attack that deployed ransomware bricking a large number of computer systems the losses would have been far worse," CyberCube said.

Even so, the outage highlighted "the broad risks posed by a single point of failure and the degree to which many segments of the economy are interconnected and interdependent," Moody's said.

Rectifying those problems won't necessarily be an easy task, but it should lead to much better overall cybersecurity resilience, experts say (see: CrowdStrike, Microsoft Outage Uncovers Big Resiliency Issues).

CrowdStrike last week released a preliminary report on the outage, which it said occurred because its faulty code-testing procedures failed to prevent a bad software update from being distributed to customers' Falcon endpoint security agents. The company pledged to overhaul its testing practices and to make a number of other changes designed to prevent a recurrence.

Part of the problem is that a third-party Windows security software application was able to send its Windows host into a nonstop reboot loop without the operating system being able to automatically recover. Software experts say that problem doesn't just involve CrowdStrike but is a risk posed by most Windows endpoint security - aka antivirus or anti-malware - tools because they rely on kernel-level drivers that run with the greatest possible privileges on a system.

Microsoft hasn't pledged to overhaul Windows to eliminate that requirement but it will "work with the anti-malware ecosystem" to help it make its approaches more secure, said David Weston, Microsoft's head of enterprise and OS security, in a Saturday blog post.

This will include "providing safe rollout guidance, best practices and technologies to make it safer to perform updates to security products," as well as new Windows features designed to reduce "the need for kernel drivers to access important security data," he said.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
