CrowdStrike incident unlikely to impact global insurer finances

Industries requiring 24/7 availability will be more affected, especially in APAC.

The recent cybersecurity incident at CrowdStrike is unlikely to significantly impact global (re)insurer financial results. However, the region is most likely to be one of the most affected, said Fitch Ratings.

Several mechanisms will limit insured losses, including lack of coverage, high deductibles, sub-limits, and time element periods for business interruption claims. 

Most business interruption claims from cyber events have time element periods of eight to 12 hours. Claims are expected to remain within the retentions of primary insurers.

Industries such as hospitals and airlines, requiring 24/7 availability, will be more affected, especially in Asia Pacific, Europe, the Middle East and Africa regions. 

Unlike the Americas, which had a solution requiring physical access and sometimes a recovery key, these regions had more workday disruption.

Preliminary estimates of global insured losses in the mid- to high single-digit billion US dollar range won't materially affect (re)insurers, though claims and litigation are ongoing.

The most affected insurance lines will be business interruption, contingent business interruption, and cyber. 

Smaller lines like travel insurance, event cancellation, and technology errors and omissions will also feel the impact. Policy terms and conditions vary widely across regions, sectors, and lines of business. 

Fitch will update its analysis as more information emerges.

Microsoft estimated the update affected 8.5 million devices, less than 1% of all Windows machines. 

This incident underscores the growing risk of single points of failure (SPoF), critical bottlenecks in system delivery that can have significant impacts. 

SPoF risks, modelled for cloud outages and popular software, are not well understood for industry-specific software like CrowdStrike or ChangeHealth.

As companies consolidate for scale and expertise, resulting in fewer vendors with higher market shares, SPoF risks increase. Utilising multiple, redundant vendors can mitigate SPoF risks but adds complexity and costs.

SPoF risks highlight the challenges in modelling cyber risk, as low-frequency events can have significant severity based on outage duration, compounding events, and uncertain remediation costs and liability exposure. 

Developing the cyber risk transfer market and securitization requires maturation, including standardised coverage terms, price discovery, and risk modelling applications.

Cyber risk remains difficult for insurers to assess due to dynamic root causes of claims, lack of effective modelling tools, and limited historical claims data. 

Early ILS deals in cyber-risk transfer will involve more easily modelled and quantified risks and will be modest in size.