CrowdStrike Disruption: A Lesson in What Can Go Wrong with IT and, Does Insurance Cover This?
By Anthony Cappelletti
General Insurance Insights, December 2024
I remember the day this past summer—July 19. A Friday. I had taken a vacation day to enjoy the outdoors and just spend my time relaxing. My cellphone was with me so I could play a game (or two) and check in on the real world every once in a while. Looking at one of my news apps, I read about an IT outage referred to as the CrowdStrike disruption. It was apparently affecting many companies and their services. But I was fine. Just a relaxing summer’s day. My phone was working so I really didn’t give it much thought. Well, at least until the following Monday.
After a mostly enjoyable three-day summer weekend, it was time to go back to work Monday morning. That’s when I went into my home office and saw that my computer was displaying the Windows Blue Screen of Death. I was in panic mode.
“The Blue Screen of Death (BSOD) is an error screen that appears when something goes critically wrong on your Windows PC. The problem is often a hardware fault, an issue with your drivers, or an error with Windows itself. … (It) is always an unwelcome sight. BSODs appear when Microsoft Windows encounters a critical error from which it can't recover.” (How-To Geek, “Everything You Need to Know About the Blue Screen of Death”)
There was nothing I could do to get my computer to work. I’ll spare the details, but after some helpful guidance on the phone with tech support, I was able to get my PC working. (I would have been spared this ordeal if I had remembered to shut down my computer Thursday evening.)
This event got me to thinking about the bigger picture—the effect that this IT disruption had on multiple businesses and what this could mean for general insurers, now and in the future.
What Happened on July 19?
First, one needs a basic understanding of what happened. CrowdStrike Holdings, Inc. is a U.S.‑based cybersecurity technology company that provides advanced applications through a cloud environment for endpoint security. Falcon is an application from CrowdStrike for endpoint detection and response to cybersecurity threats on computers running Microsoft Windows. On July 19, 2024, CrowdStrike released an update for Falcon. Unfortunately, this update had a defect that caused an endless loop of BSODs and reboots. It’s incredibly ironic that software designed to prevent disruptions from attacks on technology was itself responsible for a major technology disruption.
CrowdStrike estimated that approximately 8.5 million devices were affected by this faulty update. Many companies have integral functions of their business handled by devices protected by CrowdStrike applications. CrowdStrike’s customer base includes businesses across many different industries in many different countries. This event caused major disruptions in the air travel industry globally with thousands of flights cancelled. Other notable industries affected (in various locations) included financial services, healthcare, hospitality, media, railways, retail, and technology. This software glitch also disrupted certain government websites and at least one 911 emergency service line.
Compensation from CrowdStrike: Cybersecurity firm CrowdStrike said that in the wake of a massive computer outage it caused last month it will give customers about $60 million in credits to remain with the company, possibly a mere fraction of the damages those clients say they incurred.
The financial loss from this event was significant. Parametrix Solutions published a report in which it estimated that the CrowdStrike disruption produced direct losses (lost revenue and increased expenses) totaling just over $5.4 billion for Fortune 500 companies (excluding Microsoft). A breakdown by industry sector for this estimate shows that healthcare was most affected with losses of $1.94 billion, followed by financial at $1.15 billion and air travel at $0.86 billion.
The Parametrix report also estimated that the total insured claims for this event would be anywhere from 10% to 20% of the total losses from its analysis. Recall that the Parametrix analysis only included direct losses to Fortune 500 companies, excluding Microsoft. Microsoft did experience direct losses from this event. Also, companies not in the Fortune 500 (non-U.S. companies and smaller companies in the U.S.) sustained direct losses from the CrowdStrike disruption. Additionally, many smaller companies experienced ripple-effect losses from the event. Ripple-effect losses (a.k.a. secondary losses) arose when a company had its business disrupted due to reliance on another company (or companies) that was directly affected by the event. Fitch Ratings provided a preliminary estimate of global insured losses to be “in the mid-to-high single digit billion USD” (i.e., $5 billion to $9 billion).
Despite this very public and costly error, CrowdStrike will likely survive this event. Some companies may decide not to renew with CrowdStrike for cybersecurity applications, but many will remain CrowdStrike clients (using Falcon at a discounted price to make up some of the losses caused by the flawed update). This is because CrowdStrike is still viewed as having some of the most effective applications for detecting and responding to cyber risks.
Insurance, Lawsuits and The CrowdStrike Disruption
It is reasonably evident that most of the losses will be from business interruption. Insurance will mainly be provided through either business interruption policies or cyber insurance policies, but only when they cover this type of trigger for a loss.
- Cyber insurance would be included only if “systems failure” is included in the policy provisions as a covered loss trigger. Cyber policies are not standardized. Some cyber insurance policies provide this coverage, while others limit coverage to malicious acts. The CrowdStrike update flaw was not a malicious act.
- Business interruption insurance usually requires physical damage to the insured’s property to trigger coverage. This does not include cyber risks. However, customized policies may provide this coverage. Many large companies negotiate business interruption coverage that includes many different types of claims triggers, including cyber risk and system failure.
Companies will need to check their policy wordings to see if they have coverage for this event. Even when a company has insurance coverage for business interruption losses triggered by system failure, the insured amount may be small or non-existent. This is mainly due to deductibles, both monetary and time. Business interruption monetary deductibles can be high, but the time deductible usually excludes losses incurred during a specified number of hours after an event (typically anywhere from four to 12 hours). A solution to fix this error was made public within 12 hours of the event.
Problems at Delta Air Lines: Delta Air Lines was the hardest hit by the CrowdStrike event. It had thousands of flight cancellations and numerous stranded passengers. Five days after the event, Delta was still cancelling flights. Questions have been raised as to why Delta did not recover as quickly as other airlines. According to a Reuters news report, the U.S. Department of Transportation launched an investigation into Delta’s treatment of passengers and slow recovery from this cyber disruption.
Collecting from insurers for covered losses isn’t the only course of action for compensation. There is always the court system for making those responsible pay. This event has opened the door to many potential lawsuits.
Most software agreements stipulate a limit of liability that a software user must agree to before using the software. The limit is often the cost of the software. Lawsuits hoping to collect more than this amount will need to somehow overcome this contractual limit.
- Delta Air Lines has informed CrowdStrike and Microsoft of its intent to sue them. Delta is claiming losses of $500 million. CrowdStrike contends that its liability to Delta is limited to under $10 million.
- CrowdStrike is the defendant in a class action lawsuit filed by its shareholders for violations of securities law (by not disclosing its inadequate testing of software). The disruption caused a significant drop in CrowdStrike’s share price.
- Delta Air Lines is the defendant in a class action lawsuit filed by Delta customers affected by flight cancellations.
- A class action lawsuit against CrowdStrike and Microsoft is being investigated by small businesses affected by the disruption.
- A class action lawsuit against CrowdStrike is being investigated by air travelers affected by the disruption.
Moving Forward: Does This Change Anything for General Insurers?
The short answer is yes. An explanation follows.
Cybersecurity is more than protection against malicious events like hacking systems. The CrowdStrike disruption shows the effects of a system failure. But recovery from this was relatively quick. This was not a worst-case event for a system outage. What if a global system failure occurs for which there is no quick fix, perhaps even causing irreparable damage to devices? What if power plants are disrupted, causing blackouts? What if safety systems to cool machinery fail, resulting in fires or explosions? Cyber experts need to stay on top of these potential events, working out loss scenarios and providing some idea of the probability of such an event occurring in a year.
A large organization exposed to a single-point-of-failure disruption can have a disruptive effect on many other companies through ripple effects. Risk mitigation is key. Companies need to limit these risks by implementing system redundancies and quick-recovery plans for both malicious acts and systems failures. This applies to companies of all sizes. An expertly designed and thoroughly documented risk mitigation plan is the best way to minimize potential losses from these types of events. This will also help to ensure the availability and affordability of the type of business interruption and cyber insurance coverage required in the market. Cyber experts and underwriters can assist companies in designing these plans.
Change is required by general insurance companies as they need to ensure they are providing the cyber and business interruption coverage that their customers desire, at a price that is reasonable. Furthermore, insurers need to ensure that customers are aware of what triggers will not be covered and price those triggers as an optional endorsement. This will require additional underwriting and actuarial resources from general insurers. They will also need to use cyber experts and/or commercially available services for modeling cyber events. Reinsurers may also be a source of information to help price these primary policies and their endorsements.
On a positive note, at least for the general insurance industry, the CrowdStrike disruption will prompt more businesses to purchase cyber insurance.
Statements of fact and opinions expressed herein are those of the individual authors and are not necessarily those of the Society of Actuaries, the editors, or the respective authors’ employers.
Anthony Cappelletti, FSA, FCIA, FCAS, is a staff fellow for the SOA. He can be contacted at acappelletti@soa.org.