Moody’s Eyes Downstream Impact of CrowdStrike Disruption on Cyber Insurance
Most losses from the CrowdStrike outage will be business interruption, a primary contributor to losses from cyber incidents—and because the losses were not caused by a cyberattack, claims will be made under “systems failure” coverage, according to a new report from Moody’s Ratings.
The report states that claims from the outage will be made for direct losses to the insured because of their own system failure as well as contingent business interruption caused by an insured’s vendor being affected by the outage. A smaller number of claims may emerge from technology errors and omissions policies, according to the report.
The outage, caused by a flawed software update for certain Windows hosts, will generate losses through cyber insurance policies. However, determining final losses for the industry is likely to be a lengthy process because cyber insurance policy language is not standardized. It will take time for insurers to determine which customers suffered losses from the outage, and whether those losses are covered.
Parametrix estimated $5.4 billion in economic losses from the event. CyberCube’s preliminary estimate of insured losses ranges between $400 million and $1.5 billion for the standalone cyber insurance market.
According to the report, several factors will limit the volume and severity of claims. Cyber policies have minimum waiting periods (between eight and 12 hours) before an outage triggers business interruption coverage. Cyber policies also come with self-insured retentions, so losses must go beyond a certain level to be covered, and systems failure for non-malicious acts may not be covered or may be subject to sublimits.
Determining final insured losses “is likely to be a lengthy process because cyber insurance policy language is not standardized,” according to the report, which is available only to subscribers.
“It will take time for insurers to determine which customers suffered losses from the outage, and whether those losses are covered,” the report states.