- Modelling capabilities for cyber risk have not yet reached the level of sophistication found in other insurance classes of business
- The CrowdStrike event challenges conventional thinking in the cyber insurance market as hitherto the market’s focus has been on events caused by malicious actors
- Opportunity to provide more cover for losses stemming from non-malicious causes as this area is underserviced
- Cyber insurance market needs to develop an even more detailed catalogue of the IT landscape to track and quantify risks and vulnerabilities and enhance models
The latest Insurance Risk Monitor from Broadstone, a leading independent insurance, pensions, employee benefits, and investments consultancy, this month focuses on the fallout from the system failure caused by the CrowdStrike update and its implications for the cyber insurance market.
The cyber insurance market has developed relatively quickly. As a consequence of its rapid growth, modelling capabilities for cyber risk have not yet reached the level of sophistication found in other insurance classes of business with comparable premium volumes.
The CrowdStrike event is a good illustration of how a fairly specific technical issue can cause global disruption and highlights how the world is now fully reliant on an extremely complex and interconnected web of technologies.
It also challenges some of the conventional thinking in the cyber insurance market. Until recently, most of the market’s focus has been on events caused by malicious actors. However, the CrowdStrike event was due to an unintended error within an automatic software update. In the short term, this has helped to keep the total claims from the event relatively contained. Nevertheless, policyholders were left out of pocket and are surely now questioning the fairness of the extent to which accidental losses were excluded from their cyber insurance cover. In any case, there is potentially an opportunity forming to provide more comprehensive cover for losses stemming from non-malicious causes.
Another area the event calls into question is how well cyber insurance models actually catalogue the real world technological landscape. For the machines that were affected by this event, CrowdStrike was just one of many services running in the background. There are undoubtedly other software services that have the potential to cause a similar impact on the Windows operating system. Whilst it is not an easy task to catalogue all of the technologies applied across the world’s cyber systems, it is nevertheless not an insurmountable task.
The comparison that is often made is with property insurance, particularly in the context of modelling natural catastrophe losses. The availability of granular information on the world’s geographical features and detailed information on most of the world’s buildings is the foundation upon which natural catastrophe models are built.
A similar extremely detailed catalogue must be developed for the IT landscape covering hardware, software, connected devices, wearables and key infrastructure that IT systems rely on such as cables and satellites. An added challenge for the cyber insurance market is that the technological landscape is constantly evolving. Therefore, it is vital for such a catalogue to be dynamic and up to date.
Knowing the technological catalogue is however only half of the problem. The ability to track and quantify vulnerabilities and interdependencies between technologies and components is equally important.
In addition, the Windows operating system is not the only vulnerability. The macOS is widely used and is vulnerable to being affected by a similar issue. The heavy infrastructure of the internet is fairly reliant on Linux based servers and failures affecting this operating system could result in a disproportionate impact on IT services globally.
For underwriters, a key action they can take in the short term is to require policyholders to provide more detailed catalogues of the systems and components they employ. Underwriters should also aim to place stricter requirements on this information being kept up to date. Collecting this information alone is fairly helpful for portfolio analyses and can reveal concentrations of risk.
The insurance industry sometimes overlooks the collective bargaining power and influence that it has on other industries. For example, higher premiums can be imposed where policyholders are exposed to software platforms that have the ability to push updates through automatically, and especially where the vendor is not thoroughly vetted or appropriately accredited from a cyber security perspective.
As systems get ever more complex, the risk inevitably will increase. In a world where the use of generative AI is widespread, risks are further exacerbated as coding, checking, validation and compatibility testing tasks are increasingly handed over to AI models to perform.
While cyber modelling has advanced and insurers have improved their ability to analyse potential insured losses related to individual data breaches, ransomware losses and business interruption, it remains challenging to analyse widespread outages and risks are constantly evolving.
This highlights the necessity for vigilant underwriting and modelling practices. The cyber insurers that have access to detailed information to evaluate IT supply chain dependencies, assess aggregation across commonly used technologies and recalibrate risk tolerances accordingly are likely to be more successful. Bharat Raj, Head of London Markets at Broadstone, said: “The CrowdStrike event and other recent cyber events including MoveIT, Change Healthcare, CDK Global and Snowflake, reinforce the systemic risks in the digital supply chain. There is a high level of interconnectedness within these systems that can be brought to a standstill abruptly and on a large scale.
“This latest outage is likely to prompt greater demand for cyber cover especially for losses stemming from non-malicious causes, which are under serviced in the current market. As insurers look to meet this growing demand, the key to ensuring strong underwriting performance will be in enhancing data collection and improving the ability to monitor and manage risk aggregations in real time.”