Reinsurers Can Withstand Preliminary Loss Estimates from CrowdStrike Incident


July 25, 2024


The recent cyber-security software incident at CrowdStrike is unlikely to materially impact global reinsurer financial results, according to Fitch Ratings. Preliminary market estimates place global insured losses in the mid-to-high-single-digit billion USD range, but these are subject to ongoing claims and litigation. 

The insurance lines most affected will be business interruption, contingent business interruption, and cyber. Smaller lines such as travel insurance, event cancellation, and technology errors and omissions will also see impacts. Policy terms and conditions vary significantly across regions, sectors, and lines of business. Fitch will update its analysis for the sector and rated reinsurers as more information becomes available. 

Several mechanisms will limit insured losses, including lack of insurance coverage, high deductibles, sublimits, and time element periods for business interruption claims. Most business interruption claims from cyber events have time element periods ranging from 8 to 12 hours, meaning most claims will fall within the retentions of primary insurers. 

Industries such as hospitals and airlines will be more affected because they need 24/7 availability and often lack robust redundancies. The Asia-Pacific, Europe, Middle East, and Africa regions experienced more disruption during their workday, unlike the Americas, which had a solution to the outage, albeit one requiring physical access to machines and sometimes a recovery key.

Microsoft estimated the update affected 8.5 million devices, less than 1 percent of all Windows machines. However, this incident highlights the growing risk of single points of failure (SPoF). These are critical bottlenecks in system delivery that, if impacted, have an outsized effect. SPoF risks have been modeled for cloud outages and popular software like operating systems but are less understood for industry-specific software such as CrowdStrike or ChangeHealth. 

SPoF risks are likely to increase as companies consolidate to leverage scale and expertise, resulting in fewer vendors with higher market shares. Using multiple, redundant vendors can offset SPoF risks but adds complexity and costs, often making it impractical. 

These risks underscore the challenges in modeling cyber risk, where events are infrequent but potentially severe due to outage durations, compounding events, and uncertain remediation costs and liability exposures. The development of the cyber risk transfer market and securitization requires further maturation of products, including greater standardization of coverage terms, policy language, price discovery, and risk modeling applications. 

Cyber risk remains difficult for insurers to assess due to dynamic claim root causes, a lack of effective, widely accepted modeling tools, and limited historical claims data. Early insurance-linked securities deals within cyber-risk transfer will include easier-to-model risks of modest size. 
