The total direct financial loss faced by Fortune 500 companies as a result of the 19 July Microsoft – CrowdStrike outage has been set at approximately $5.4bn (£4.18bn), at a average weighted loss of $44m per organisation, rising to close to $150m for the most heavily affected, such as airlines.
This is according to cloud monitoring, modelling and insurance services provider Parametrix, which said that for many Fortune 500 organisations, the impact would be heightened because their large risk retentions and low policy limits relative to potential losses means that the portion covered under cyber insurance policies is likely to amount to no more than 10% to 20% of the total loss.
Parametrix’ analysis found that the largest direct financial loss is likely to fall on those in the healthcare sector – down $1.94bn cumulatively, following by banking – down $1.15bn. This accounts for 57% of the total loss but only 20% of Fortune 500 revenues due to the uneven impact of the event.
For example, the firm’s analysts said, manufacturing, the largest Fortune 500 segment by revenue, will suffer a relatively trivial loss of just $36m compared to its annual revenue of $3.4tn across 130 organisations, while the six airlines represented on the list will be out $860m against total revenues of $187.1bn.
Parametrix said about a quarter of Fortune 500 organisations were impacted in the incident, caused by a coding error in a CrowdStrike update that threw computers into a boot loop and brough systems crashing down. This includes all six of the Fortune 500 airlines and 43% of retailers. Meanwhile, three quarters of health and banking firms will suffer direct costs.
“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries,” said Jonatan Hatzor, co-founder and CEO of Parametrix.
“It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimise the potential impacts of systemic cyber risk. However, our analysis does not show the whole diversification picture. A cyber insurer focused on very large companies will certainly suffer a much greater CrowdStrike loss relative to premium than one with a large SME book.”
Beyond financial losses, the impact of the downtime on critical services resulted in a highly-visible cascade of operational delays affecting Fortune 500 companies and downstream entities.
Parametrix said it was likely that in terms of recovering systems, those industries that still rely heavily on physical computers will be the ones to experience longer recovery times – a point in favour of cloud services, it noted.
It said the overall impact of the outage was made more distinct due to CrowdStrike’s deployment both on-premise and in cloud environments.
Based on this, the firm forescast, cyber insurers should not necessarily rely solely on the event for modelling future cloud-based failures, but might try to better manage systemic outage risks through diversifying across industry sectors, service providers and company sizes.
“Prevention is important, but risk carriers have limited control over event occurrences and service-provider practices,” he said.
“The industry should focus on controllable areas, like mapping and managing aggregation risk. By understanding these points, we can evaluate key exposures, and mitigate both malicious and non-malicious threats. This proactive approach enables better underwriting decisions, and effective risk-transfer solutions to manage systemic risk.”
Single point of failure
More broadly, Hatzor echoed concerns already shared by other observers in the wake of the global outage – namely the prevalence of tightly-bundled technology solutions that risk creating single points of failure.
“In today’s digital landscape, many businesses rely heavily on integrated systems and services, which, while efficient, can also leave them vulnerable,” he said. “When a critical component within a tightly bundled solution experiences downtime or fails, it can trigger a cascade of disruptions throughout the entire system.
“This interconnectedness means that a failure in one area can lead to significant operational disruptions, affecting everything from customer service to data management and financial transactions.”
Hatzor raised further concerns, that both regulators and cyber insurers are not really prepared to address the complexities and risks of such systems. As so often happens, he noted, the rapid evolution of technology has outpaced the development of regulatory frameworks and risk assessment models, which leaves businesses exposed to gaps in insurance coverage or regulatory support when the worst comes to part.
“This lack of preparedness can exacerbate the impact … leaving companies more vulnerable to prolonged downtime and financial losses,” he said.