CrowdStrike losses may be biggest test yet of cybersecurity insurance risk warning from Warren Buffett
At Berkshire Hathaway’s annual investor meeting earlier this year, Warren Buffett and his top insurance executive Ajit Jain issued a headline-grabbing warning that Berkshire would exercise caution regarding cyber insurance — in fact, it advised insurance agents to only sell cyber policies if they absolutely had to do so to satisfy a client, and to expect losses.
A primary reason cited is the difficulty in assessing the scale of losses possible from a single occurrence that spreads across technology systems, with Jain giving the hypothetical example of when a primary cloud provider’s platform “comes to a standstill.”
“That aggregation potential can be huge, and not being able to have a worst-case gap on it is what scares us,” he said.
Jain’s hypothetical seemed prescient when a quality control issue from cybersecurity firm CrowdStrike caused a worldwide IT outage that halted flights and freight, shuttered retail outlets, and caused hospitals to resort to charting on paper.
“Insurers have been worried about something like what happened with CrowdStrike since cloud adoption happened,” said Dale Gonzales, chief innovation officer at Axio, a cyber security risk analysis company.
But Gerald Glombicki, a senior director in Fitch Rating’s U.S. insurance group, believes the cyber insurance industry largely priced in the CrowdStrike meltdown correctly, and he expects it to be manageable rather than catastrophic for the cybersecurity insurance firms..
“It will have an impact because there will be losses,” said Glombicki, “but the modeling largely got it right. Mostly, we think the industry will handle it OK. There might be some issuers that mispriced policies,” he added.
Fitch estimates that the number of insured losses will not exceed $10 billion, ending somewhere in the mid- to high-single billions and that the industry largely priced those in.
The cybersecurity insurance market did get lucky, in some respects, with the CrowdStrike meltdown. For one, there were no significant physical damages, such as explosions at power plants, dams bursting, or fires caused by overheating equipment, which are becoming a bigger cyberterrorism risk.
“Cyber events that have more of a physical consequence would be much bigger in size or scope in terms of losses,” Glombicki said.
Additionally, even though CrowdStrike is widely deployed, its market share, estimated at 17% by Fitch, is large but limited in total impact. Among the companies that did use CrowdStrike, the worst impacted seemed to be on businesses that need 24/7 availability, like hospitals and airlines, Glombicki said.
Another factor in holding down losses and distributing them unevenly across the globe is that the CrowdStrike failure impacted places like Australia and Pacific Asia in the middle of the business day, but other markets, including the U.S., were hit during the night or early morning and many businesses were able to get systems back up within hours.
Not all cyber experts are expressing as much confidence at this point. Josephine Wolff, an associate professor of cybersecurity policy at Tuft University’s Fletcher School who has been studying the evolving market for the past several years, suspects the CrowdStrike meltdown will send shock waves through the nascent cyber insurance market.
“It’s still pretty early to assess the volume of claims that insurers are going to see due to CrowdStrike, but I sense that there will be a lot of business interruption claims across all industry sectors, just based on the impacts we’ve seen covered in the news, and that it will be a very bad situation for insurers,” Wolff said.
Wolff says the duration of the outages will influence the claims. Some businesses were out for hours; others were still struggling days later.
She compared it to the NotPetya cyberattacks launched by Russia in 2022, which halted much of the world’s freight.
“It’s possible that since some of these outages were shorter than what we saw after NotPetya, the claims may be smaller, at least in some cases,” Wolff said. However, she points out that the CrowdStrike glitch significantly impacted businesses, which was not the case with NotPetya.
“The U.S. is far and away the region with the highest rates of cyber insurance adoption, so I am guessing that this will be a bigger event for the cyber insurance industry both in terms of how many claims are filed and how big they are,” Wolff said.
In addition to unequal impact, cyber insurance policies themselves vary widely.
“Cyber insurance policies can be dramatically different. There is no standardization; terms and conditions can differ within a company depending on who wrote the policy,” Glombicki said.
Insurers are already cognizant of the unique challenges that cybersecurity poses for them, Gonzales said. As a result, the companies try to spread losses smartly by diversifying what is covered. However, the problem with cyberspace and ensuring its security is that it is still relatively unknown. But he doesn’t think it will drag down the whole insurance market.
“The losses won’t be as bad as hurricanes last year,” Gonzales said, adding that the comparison isn’t quite apples to apples since far more entities are insured in hurricane zones than there are cyber insurance policies.
Gonzales says the primary claims will be for business interruption, which some policies specifically exclude anyway. But he does predict the CrowdStrike incident will cause litigation.
“CrowdStrike will be sued. There will be litigation,” he said.
“Everyone exceedingly well understands fire insurance because it has been litigated to death,” Gonzales said.
Cyber insurance, on the other hand, hasn’t yet been litigated enough to establish protocols and precedents.
“The litigation will help define business interruption and define third-party culpability. The industry could use some defining, and hopefully, litigation fixes it,” Gonzales said. “Cyber events are evolving in ways that are slightly unpredictable. It creates a very dynamic environment,” he said, but he added, “I don’t think the CrowdStrike event will drastically change how people think about insurance.”
Ironically, the Crowdstrike event could create more interest in cybersecurity and draw more customers into the market, Glombicki said. “Boards will be asking about it,” he said.