Fortune 500’s Insured Losses for CrowdStrike Could Reach $1 Billion: Parametrix
The total direct financial loss facing the US Fortune 500 companies, excluding Microsoft, from the CrowdStrike outage on July 19 is $5.4 billion, modeling and insurance services firm Parametrix estimates.
The portion of the loss covered under cyber insurance policies is likely to be no more than 10% to 20%, or $540 million to $1.08 billion, due to many companies’ large risk retentions, and to low policy limits relative to the potential outage loss, Parametrix said.
The weighted average loss is $44 million per Fortune 500 company, but ranges from $6 million (manufacturing companies) to $143 million (airlines).
Parametrix estimates that the largest direct financial loss will be suffered by Fortune 500 companies in the healthcare sector ($1.938 billion), followed by banking ($1.149 billion). Companies in these sectors take 57% of the loss, but account for only 20% of Fortune 500 revenues, due to the uneven impact of the event on business sectors.
Manufacturing, the largest sector by revenue, suffered what Parametrix calls a loss of just $36 million in total, compared with its annual revenue of $3.4 trillion across 130 companies, while the event cost the six Fortune 500 airlines approximately $860 million, against revenue of $187.1 billion.
Parametrix said its estimates are based on more than 54 billion data points of the historical performance of cloud services, along with its direct monitoring of the real-time service status of 6,000 technology businesses including a significant portion of the Fortune 500, and its expertise in system failures and business interruption losses.
Diversify Portfolios
“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries,” said Jonatan Hatzor, co-founder and CEO of Parametrix. “It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimize the potential impacts of systemic cyber risk.”
He added that its analysis does not show the whole diversification picture and noted that a cyber insurer focused on very large companies will suffer a much greater CrowdStrike loss relative to premium than one with a large SME (small-to-medium enterprise) book.
Hatzor said that prevention is important, but carriers have limited control over event occurrences and service-provider practices. “The industry should focus on controllable areas, like mapping and managing aggregation risk. By understanding these points, we can evaluate key exposures, and mitigate both malicious and non-malicious threats. This proactive approach enables better underwriting decisions, and effective risk-transfer solutions to manage systemic risk,” he advised.
Fitch Estimate
On July 22, Fitch Ratings reported preliminary market estimates of global insured losses from the CrowdStrike incident that range in the mid- to high-single-digit billions of US dollars, which it said would not translate into a material impact for (re)insurers, but they are subject to ongoing claims and litigation.
Fitch believes the insurance lines most affected will be business interruption, contingent business interruption and cyber. Several smaller lines such as travel insurance, event cancellation, and technology errors and omissions will also be affected.