According to Morningstar DBRS, the global outage that affected numerous IT systems on July 19 will not have a long-term impact on the credit ratings of financial institutions and insurers.
A report titled Global IT Outage: Widespread Disruption to Corporates and Financial Services: Lasting Impact is Limited was published on the same day by the rating agency. The analysis covers various sectors, and in most cases, the authors believe the impact will be short-lived.
"Considering that a patch has been developed and is expected to be rolled out quickly, the duration of this event is likely to be short," the agency states.
The London Stock Exchange and JP Morgan Bank experienced disruptions on July 19, but financial institutions were not significantly affected by the outage.
The agency also notes that CrowdStrike, which caused the major outage affecting Windows users, saw its stock price drop the same day.
This decline continued on the Nasdaq index on Monday, July 22, according to checks by the Insurance Portal. While the stock was valued at $378.81 at market opening on Tuesday, July 16, five days later, the stock was worth $263.91. This represents a 30.3 per cent decrease in five days.
"This incident could also raise regulatory questions about the oligopolistic nature of critical IT infrastructure globally and could impact the critical software industry landscape over the long term," the agency highlights.
Travel disruptions
Airlines suspended numerous flights for several hours that day, unable to validate reservations. The disruptions continued over the weekend, with several airports feeling the impact of these delays and cancellations into the following week. However, this is not expected to affect their financial stability.
One sector where chaos could last longer is the tourism industry. Travel insurance providers will see the impact on their combined ratio and operating results in the third quarter of 2024.
"We expect an uptick in travel insurance claims related to flight cancellations and delays following the disruption of global air travel," the note states.
Despite airlines' efforts to mitigate delays, reimburse tickets, or rebook passengers on other flights, travel insurance policy conditions will apply. Non-refundable expenses such as hotel or car rental reservations will need to be compensated.
The agency stresses that major providers of travel insurance products should not suffer significantly, as these products generally represent less than five per cent of their gross written premiums. However, the pricing of guarantees associated with travel insurance is expected to be revised upward, the authors note.
Business interruption
The e-commerce supply chain was disrupted by the outage, but again, Morningstar DBRS notes that the impacts will be limited and short term. Delivery services like UPS and FedEx experienced delays, which could affect operations for a few days.
The agency observes that the outage will undoubtedly lead to claims for business interruption insurance. Generally, this protection does not cover losses resulting from a cyber event.
"Claims caused by the inability to operate certain IT systems would typically be covered under the business interruption endorsement of a cyber insurance policy, which is a more reduced subset of BI policies available in the market," the authors state.
Additionally, these forms of coverage generally include a deductible for the first 24 to 48 hours of the interruption. Depending on the duration of the impact felt from the outage, these claims may not be covered.
Similar to other insurance products potentially exposed to catastrophic losses, insurers and reinsurers pay close attention to "accumulation risk," or the risk of a single cyber event simultaneously affecting a large number of insureds.
This event "illustrates once again that cyber risk has the potential to generate a chain of highly correlated losses because of the increasing connectivity of global communications and the widespread use of specific IT systems," the agency concludes.
Details of the outage
On July 21, the global firm Aon released an incident report on the CrowdStrike-induced outage and its impact on cyber insurance. The report provides more insight into this Microsoft vendor.
Founded in 2011 and based in Austin, Texas, the company offers a dozen tools and solutions that protect IT systems. About 300 of the Fortune 500 companies use its products. This includes 6 of the 10 largest healthcare providers, 8 of the 10 largest financial services firms, and 8 of the 10 largest technology services companies.
Its Falcon platform, which monitors computer viruses, is at the heart of the outage. An update to one of Falcon's detectors was launched at 4:09 a.m. (GMT) on July 19. A configuration error caused system crashes and the appearance of the blue screen indicating the problem, which was corrected by a patch at 5:27 a.m.
Nevertheless, version 7.11 of the Falcon detector for Windows users caused outages for clients who updated during this 78-minute interval. The update did not affect MacOS or Linux users.
Microsoft estimates that 8.5 million Windows users were affected by the outage. Airlines had over 3,000 departures cancelled and 23,000 others delayed. Some electronic payment systems were temporarily unusable, complicating life for consumers and retailers.
Aon recommends that system update experts follow their suppliers' instructions to restore the situation. "Companies should assess any third and fourth-party exposure they have to this incident. Even if your organization was not impacted or has been remediated, there may be external parties your organization relies on which remain effected [sic]," the incident report states.
Insurance impact
Since this was not a malicious incident based on a hacking attempt, system failure risk is covered by the specific cyber risk endorsement in most contracts.
Business interruption losses, when covered, will generate the most claims, according to Aon. Each contract includes a minimum deductible for the duration of the interruption, which can vary from 6 to 24 hours depending on the terms negotiated.
Coverage for revenue loss will be more complex to obtain for insured businesses, as in many cases, sales are simply postponed or can be done manually without IT support.
The insured business may, however, have suffered impacts related to this business interruption experienced by a dependent supplier. Additional expenses are to be expected to restore connectivity of interactions.
Aon concludes by stating that this incident could be the largest loss related to cyber risk since the NotPetya malware in 2017 and the subsequent ransom demands.
However, according to Aon, the extent of the loss remains uncertain and will depend on two factors: first, the prevalence of system failure coverage, which varies by market; and second, the time required to successfully perform the manual correction for each affected insured, compared to the applicable waiting periods on their cyber policies.