What does “CrowdStrike” portend for a currently stabilizing market?
By Joseph S. Harrington, CPCU
People who work in IT like to use the term “ecosystem” to describe an integrated network of internal and external computer systems. The term proved to be an apt one in July 2024, when a flaw in a security software update caused an estimated 8.5 million computer users to shut down for hours.
The CrowdStrike outage, named for the cyber security firm that initiated the update, swept across the networked world like a windstorm. Estimates of the damage, principally lost revenue, range up to about $5 billion, of which perhaps $1.5 billion was insured by cyber insurance policies. Other policies, particularly professional and management liability policies, may also be triggered.
Alarm bells
Besides being a wake-up call for cyber insurers and risk managers, the CrowdStrike outage is ringing some alarm bells for agents and brokers, as well.
In contrast to most cyber losses, the CrowdStrike outage was a “non-malicious” event. No one intended the disruption; it arose out of the “ecosystem” of networked operations. The problem is that cyber policies were primarily developed to address willful acts of malicious actors, not to respond to flaws in system design, maintenance, or operation.
Over time, most—but not all—cyber policies have added “system failure” or some equivalent coverage to address sudden loss of functionality, whether deliberate or not. Joel Fehrman, vice president of cyber underwriting for Corvus, explained the importance of the evolving distinction in the 2021 article “Cyber Coverage Explained: Contingent Business Interruption”:
Contingent BI coverage most often covers security failure. System failure coverage (events not triggered by an attack) is not as common and is often sub-limited … (emphases added).
In the wake of the CrowdStrike outage, agents and brokers are (or should be) scrambling to see if the cyber coverage they’re selling would have covered a similar event.
Strong capacity; ample limits
For all the concern emanating from the CrowdStrike incident, analysts characterize it as a serious but not devastating event, one that won’t necessarily disrupt a market recovering from unexpectedly high levels of losses from 2019 through 2022.
“This market is in a soft cycle where premium is down, limits are up, and coverage is expanding,” says Roman Itskovich, co-founder and chief risk officer of At-Bay. “In the reinsurance area, ceding commissions are up.”
“There are plenty of markets and capacity available right now, and we are seeing some stabilization in pricing,” says Deborah Dioguardi, professional lines national practice leader of Jencap Group LLC.
Steve Robinson, national cyber practice leader for RPS, expected to see rates turn upward early in 2024, but experience proved otherwise.
“The cyber insurance market continues to offer strong capacity, ample limits, and modest pricing,” he says. “Carriers have returned to offering $5 million limits, limits that were hard to secure during the ransomware spike from 2019 through 2022. While still the exception, $10 million limits are more prevalent than they were during those years.”
First- and third-party loss
Robinson attributes part of the softness in the market to a leveling-off of claims activity.
According to Robinson, loss frequency due to funds transfer fraud and social engineering schemes, the biggest sources of cyber loss, is trending lower among RPS’s small and medium-sized enterprises. “This is due to increased awareness and training concerning money transfers and procedures for validating payment instructions,” he says.
Robinson adds that ransomware continues to be a threat, but frequency is down about a quarter from what it was in 2023. “Also, businesses are far less likely to pay a ransom, continuing a trend we’ve seen each year since 2019,” he says.
If Robinson sees any area of increased claims activity, it’s in third-party actions. “We have seen an increase in third-party privacy claims and expect this trend to continue,” he says.
Itskovich shares that observation. “We’re starting to see more third-party actions following a ransomware incident or a hacking that disclosed sensitive information,” he says. “Cases that were not pursued before are now being pursued more aggressively.”
Cyber insurers are always adapting to new hazards, and Dioguardi sees new potential for loss arising from violations of new SEC rules regarding cyber operations and security, as well as growing use of artificial intelligence by cybercriminals.
“Coverage restrictions on regulatory coverage may become an issue due to increased claims costs for regulatory investigations, settlements, fines and penalties,” she says.
“Also, CrowdStrike, although it was not a ransomware incident, pointed out a major vulnerability,” Dioguardi adds. “It showed how easy it could be for a cybercriminal to hold major industries hostage by breaching a single technology vendor.”
“Normalized” forms
That said, Robinson finds that the pace of change in cyber policy forms has slowed in the past year and a half, and that cyber carriers have reduced their reliance on coverage restrictions implemented in 2019-2022. “Co-insurance provisions, sub-limits for cyber extortion, and exclusions for common vulnerabilities have largely disappeared,” he says.
Robinson and Itskovich each note that cyber policy forms are becoming more standardized in their content and format, with Itskovich noting that “coverage forms are becoming more or less normalized with fewer discrepancies among them,” but Robinson reminding risk professionals that “there are still nuanced differences between carriers.”
Itskovich considers the most substantial policy innovation of late to be a coverage expansion rather than a restriction: the extension of cyber coverage to “non-IT contingent business income” coverage. In other words, insureds are seeking coverage for loss of revenue due to an interruption of cyber operations caused by a non-cyber peril away from an insured location (e.g., a fire in a remote facility housing servers).
In light of the CrowdStrike outage and general market stability, it’s a good time to assess carefully just how far cyber coverage can and should go.
For more information:
At-Bay
at-bay.com
Corvus
corvusinsurance.com
Jencap
jencapgroup.com
RPS
rpsins.com
The author
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.