According to a trio of experts from CFC Underwriting, a managing general agency with a speciality in cyber insurance, the global outage caused by Crowdstrike on July 19 provides the perfect opportunity for brokers to remind small and medium-sized business owners of the value of cybersecurity cover.

CFC, a UK-based company, recently held a webinar entitled Anatomy of a global IT outage, aimed at drawing lessons from the outage that hit some 8.5 million users of Microsoft's Windows system.

Jason Hart, CFC's Head of Proactive Insurance, mentions the origin of the outage. “Crowdstrike released an update of its Falcon sensor software. The Falcon sensor is a lightweight software installed on the endpoint device. It constantly monitors the behaviour of applications and processes, so it's always on the lookout for errors that could be going on, from an attacker's behaviour perspective.”

As a result, any organization that installed the Falcon sensor on a Windows machine essentially caused the “blue screen of death” seen on many terminals in airports around the world, helping to create a sense of panic, according to Hart.

Crowdstrike's update of the Falcon application had already caused similar outages twice in 2024, in March and April, but only affected users of the Linux operating system, Jason Hart points out.

Some questions  

Moderated by Lindsey Nelson, CFC's Cyber Development Leader, the discussion revealed that many brokers asked the CFC for help that day, as they were unsure whether such an outage was covered by their clients’ cyber insurance policy.

“The events covered by the product are security breaches, system integrity and system inaccessibility,” explains Jason Hart. In this case, the configuration updated by Crowdstrike posed a problem, and the IT experts were able to find solutions relatively quickly.

The main fear was that hackers would be able to contact paralyzed companies and sell them bogus solutions to help solve the problem. Malicious actors created fake e-mail addresses using the Crowdstrike name.

This gave these criminals the opportunity to infect other victims with their malware, according to Hart. “It's a normal reaction, you see your computer system crash, someone offers you help, you're willing to believe anyone,” he says.

CFC quickly identified all the insured companies using Crowdstrike. “Using our intelligence application, we immediately started pushing alerts to insureds on attack vectors that attackers could be using, providing security awareness,” he explains.

Affected users were also reminded not to open suspicious e-mails or click on links included in messages from unknown senders. CFC sent out some 46,000 alerts to policyholders connected to the monitoring application on their cell phones.

“We've seen a very high read rate among our correspondents,” says Hart. Tips were also sent to the 50,000 brokers who do business with the insurance company, adds Lindsey Nelson.

According to Jason Hart, the event serves as a reminder of the need for all companies to have a business continuity plan in place in the event of a computer failure. “When you're not prepared, you'll start making other mistakes. Attackers and threat actors know this. And they will abuse that,” he says.

Regardless of the size of your business, this contingency plan will help you determine what needs to be done, and in what order, in the event that a system, platform or database becomes inaccessible. “You have to ask yourself: what will be the impact if I lose access for an hour, four hours, a day, a week? It helps you assess the risk and take steps to prevent it from happening,” concludes Hart.

A record  

For his part, Michael Phillips, CFC's Cyber Practice Leader in the United States, confirms that the classic cybersecurity policy is the ideal coverage for this kind of event. The July 19 outage was the largest cyber disaster in history that was not of malicious origin.

“It allows us to dispel the widespread myth that cybersecurity is only for computer attacks. It also covers outages that aren't caused by malware,” says Phillips.

SMEs are increasingly forced to digitize their operations. “The risk of system failure becomes more significant alongside the explosion in cybercrime,” he adds.

As companies move into the digital world, it's the broker's role to support them by providing coverage that covers failures across the entire technology chain, according to Phillips.

Some insurers have begun to add exclusions for the type of failure that affected Crowdstrike users last July. Michael Phillips deplores this knee-jerk reaction, which he considers disappointing.

“It's precisely for this type of event that the product is most valuable. Unfortunately, that value becomes apparent when there's an event like this,” he says.

The protection offered by the insurer, in Phillips' opinion, should cover not only the business interruption resulting from the computer breakdown that directly affects the insured, but also the losses associated with the problems experienced by third parties, either suppliers or customers of the insured company.

Coverage should also include 24/7 assistance from IT experts and the support of an estimator to determine and assess potential losses.

Around the world  

According to James Burns, Head of Cyber Strategy at CFC, the Crowdstrike outage is a perfect example of a systemic risk that needs to be covered by a cyber insurance policy.

“A major earthquake, like the San Francisco earthquake in 1906, is a systemic risk. It was the deadliest earthquake in U.S. history, killing over 3,000 people, and destroyed 80% of the city's buildings. There were over 100,000 claims costing the equivalent of £5 billion in today's money,” he says.

An air tragedy, like the four hijacked planes on September 11, 2001, is another systemic risk. In this case, claims totaled $50 billion in life, property, aviation and liability.

A computer failure affecting 8.5 million users worldwide is also an event that represents a systemic risk. “One of the challenges with cybersecurity in particular is that it can be very difficult to predict how big any given event might be. And that makes it potentially more difficult for the industry to effectively manage these exposures, these scenarios,” he says.

Burns makes an interesting observation to explain the relatively mixed impact of the outage on insurers. The update that caused the outage first took effect in Australia, limiting the impact on IT systems in Europe and then the USA.

“Most cyber insurance policies are sold in the US, and by the time their day started, there was a clear route to recovery, which had been issued. I think this minimized operational disruption for many policyholders. In fact, they were up and running relatively quickly and given that many of them are large corporate companies that choose to buy policies with high deductibles, many don't seem to think they'll actually need to file a claim or have a loss that will divert their attention,” he explains. 

James Burns doesn't believe that the July 19 outage is likely to cause a hardening of the cyber insurance market. “It might dampen some of the rate decline we've seen. But I don't think it's had enough impact to move us back the other way in terms of reinsurance.”

In the end, the losses won't be that high, according to Burns. Crowdstrike's platform is used more by very large companies. These large companies have good deductibles that provide for coverage to be triggered after 12 hours or more. They were able to solve their problem within a few hours.

This is not to say that a major outage will never trigger a volume of claims that could create solvency problems for the industry. “We've long advocated an approach of defining catastrophic events based on their scale and impact, as opposed to what causes them: war or infrastructure failure. This seems a far more relevant way for insurers, brokers and customers to know where the lines are when it comes to managing systemic risk in policies,” he says.

The NotPetya computer virus, which hit some 300,000 users in 60 countries in 2017, had its origins in an attack perpetrated by Russian hackers and specifically targeted Ukraine's infrastructure. As it spread, the virus caused major problems for large organizations.

“Damages are estimated at over $10 billion, which is much higher than the preliminary figures reported for the Crowdstrike outage,” he says. Delta Air Lines is reporting lost revenues and costs of $380 million for the 7,000 cancelled flights.

An initial estimate of losses made a month after the event was $5.4 billion, with less than $1 billion in damage covered by insurance.

What distinguishes the two events is the malicious nature of NotPetya, which was designed to destroy Ukrainian infrastructure. In the case of the July 19, 2024 outage, policyholders were able to recover much more quickly. “But we can see that the chaos and panic caused by the outage created a risk that could have been much worse,” adds James Burns.

Since it wasn't SMEs that suffered most from the outage, Burns doesn't believe the broker can use this example to convince SME managers to buy cybersecurity cover. “If this had been an outage caused by a product more commonly used in SMEs, the loss could have generated a much higher volume of losses,” he says. 

Instead, the selling point should be that the cyber policy is precisely used to cover claims that arise from a non-malicious breakdown. “Policyholders were able to talk to our experts, who helped them recover.”

A very large majority of SME managers don't take out cyber insurance, because they don't fully understand the nature of their risk associated with IT security. “This is the right time to explain it to them,” adds Burns.

Some industries based in a few geographic regions suffered more from the outage last July, for example healthcare facilities in the USA and the UK. “The best way for the insurer to limit losses is to do what it has always done, which is to diversify its portfolio in order to limit its exposure to systemic risk,” he concludes.

Some 2,500 people registered for the CFC webinar, Lindsey Nelson said.