Main Logo Expert commentary on tech and security

Crowdstrike reveals a “small catastrophe” pattern in cyber insurance

Tom Johansmeyer 23 August 2024
Share On:
Tom Johansmeyer investigates the economic and insurance costs of recent major cyber incidents, pointing to a growing yet neglected trend
Main Top Image
Image created with the assistance of Midjourney

The mid-July computer systems outage caused by an update from cybersecurity firm Crowdstrike looked worse than it felt, at least in economic terms. The cost to the insurance industry was initially estimated to be “into the billions.” In fact, overall financial losses are expected to be no more than $3 billion. Industry-wide insured losses range from $300 million to $1.5 billion. The sweet spot appears to be $500 million to $1 billion, with my back-of-the-napkin leaning toward the lower end of that range. What does this all mean? 

Crowdstrike is more interesting when evaluated against recent commensurate cyber catastrophe events, such as cyberattacks against companies MOVEit, CDK Global, and Change Healthcare. Even though human error was behind the Crowdstrike losses, rather than a ransomware attack, the four events have had similar impacts on both the economy and the insurance industry. Examining these incidents as a growing trend can provide insights into the potential costs of frequent minor cyber catastrophes.  

Perhaps counterintuitively, some cyber insurance industry professionals worry more about the potential economic damages resulting from error than attack. They believe it is easier for an error to occur than for someone outside an organisation to find a flaw, exploit it, and ensure a sustained period of economic damage. Mistakes happen. Engineering them is much more difficult.

Cost to the insurance industry

An estimated $400 billion in cyber insurance protection is purchased worldwide, with roughly 60% covering risks in the United States. At its most severe estimate of $1.5 billion in losses, the Crowdstrike event has led to 0.375% in claim payments of all outstanding cyber insurance. At the low end assessment of $300 million, the costs plunge to 0.075%. Either way, the impact is minimal. 

The Crowdstrike loss may not even be the most expensive cyber catastrophe of the year, let alone the most pricey since the 2017 NotPetya cyberattack. NotPetya cost $10 billion in damage and disrupted tens of thousands of firms. So far, the other two major events of 2024 were the Change Healthcare and CDK ransomware attacks. Change Healthcare has already been designated a cyber catastrophe by the organization PCS (which I led until May 2023, including the development of this classification system). This indicates that the event came from a single original cause and is likely to result in at least $250 million in insured losses across the industry. 

Although there is little data to work from, my private sources suggest that the industry-wide insured loss for Change Healthcare will likely range from $500-750 million. The estimates are similar for the CDK event. The same is generally true of the 2023 MOVEit data theft. Thus, recent aggregate cyber catastrophe losses could range from approximately $2-4 billion.  

Together, these events likely represent a potential loss of only 0.5-1% of all cyber insurance outstanding worldwide. In a conventional year, insured cyber losses cost $5.8 billion (based on an estimated loss ratio of 41.6% and a worldwide premium of $14 billion). For the cyber insurance sector, these four cyber catastrophes weren’t so bad. After all, natural disasters cost the insurance industry more than $100 billion in 2023. For the broader economy, it wasn’t so bad either.

Cost to the wider economy

The economic losses from a specific cyber catastrophe indicate the worst potential losses for insurers, given that insured losses can never exceed economic losses. Full insurance coverage would ostensibly have provided protection for the entirety of an event’s economic effect. 

Whether considering just insurance costs or wider economic losses, the assessment remains the same for the Crowdstrike event and the other cyber catastrophes discussed above: the overall damage wasn’t so bad. Cyber analytics firm Cyence believes that the Crowdstrike error resulted in an estimated economic loss of approximately $1.7 billion. That makes it almost certainly smaller than WannaCry and far smaller than NotPetya

 Crowdstrike’s overall economic losses fit the pattern set by other cyber catastrophes this year—MOVEit, Change Healthcare, and CDK—as do the insured losses described above. Although there isn’t much publicly available information, my sources suggest that Change Healthcare’s overall economic impact is likely around $2 billion, with CDK’s the same. For MOVEit, those sources estimate an economic loss of around $1 billion at most. 

Still far from impactful

If Crowdstrike’s insurance and even economic impacts seem small, it’s important to remember that this is the case for cyber catastrophes in general. In economic terms, natural catastrophes have been far more costly than cyber catastrophes. Decades of data demonstrate this

The cumulative economic losses from cyber catastrophes since 1998 amount to $310 billion, just a little higher than the economic loss resulting from the 2011 Tohoku earthquake in Japan. In fact, natural catastrophe economic losses are nearly 14 times higher than cyber catastrophe economic losses for the 1998-2023 period. Adding the four recent cyber catastrophes only exacerbates the difference. Economic losses from natural catastrophes reached $120 billion for the first half of 2024. Together, Crowdstrike, CDK, and Change Healthcare fail to reach 5% of that.

Growing frequency, low severity

The most important insight from the Crowdstrike event – taken together with MOVEit, CDK, and Change Healthcare – isn’t about the severity of the economic or insured loss. It’s about frequency. 

Despite the 21 events noted since 1998, cyber catastrophes are generally believed to be rare. This makes any discussion of how often such events can be expected difficult. Further, tracking smaller events can be particularly challenging, because they don’t lead to the analysis that drives the creation of headline loss estimates. NotPetya’s $10 billion garners a lot more attention than $1.7 billion for Crowdstrike. Ultimately, it becomes tough to understand what small and frequent cyber catastrophes could look like – let alone their implications for the insurance industry.

Crowdstrike was visible. The visuals – such as crowded airports – were utterly relatable. It got our attention. On its own, it’s a curiosity. Taken along with the other recent small cyber catastrophes, though, the Crowdstrike event alerts us to the early signs of a pattern. We’re starting to get a sense of small-event frequency. These events, which cause around $1-2 billion in economic damage, are rising in frequency but are not getting nearly enough attention as a cumulative phenomenon. With the economic implications of major cyber catastrophes declining over the past 20 years, smaller events will become more important.

avatar
Tom Johansmeyer

Related

Featured image
Hooked On Trends
Re-thinking cybersecurity capacity building
James Barr / Sofia Liemann Escobar / Jessica McClearn / Phil Sheriff 18 June 2024
Read more arrow
Featured image
Hooked On Trends
Weaponising social media may be counterproductive in Hamas-Israel conflict
Anwar Mhajne / Alexandra Trantos 16 February 2024
Read more arrow
Featured image
Hooked On Trends
Russian space weakness may encourage satellite attacks
Elena Grossfeld 13 June 2024
Read more arrow

Terms & Conditions

Lorem ipsum odor amet, consectetuer adipiscing elit. Integer vestibulum massa; habitasse molestie velit tincidunt commodo. Blandit class sollicitudin in natoque fusce tincidunt maecenas tempor potenti. Turpis velit elit pulvinar aliquet sociosqu pharetra eleifend montes? Arcu sed ultricies gravida, tincidunt cubilia lobortis elementum elit. Lectus aptent suscipit auctor ultricies facilisi ultrices. Etiam pellentesque elementum lacinia morbi ac nulla fermentum primis. Eleifend scelerisque phasellus finibus nulla nisl. Dapibus nec accumsan scelerisque fringilla, tempus duis odio.

Duis odio urna mattis sociosqu ornare ligula torquent. Ornare tempus velit euismod nisi eu duis. Interdum torquent libero finibus porta sem ornare sit mauris. Facilisi consequat semper enim torquent nisl penatibus metus quis etiam. Habitant pharetra bibendum rutrum inceptos fermentum volutpat. Vulputate montes dis adipiscing himenaeos nascetur. Erat amet mus ipsum ultricies non aenean. Arcu penatibus primis platea primis tempus non dignissim convallis.

Arcu diam ante est varius pellentesque litora a vivamus? In dis purus tellus commodo semper egestas mattis adipiscing. Mi dis sapien, nisl morbi viverra dictum. Sociosqu lacinia consequat per vivamus elit. Torquent facilisi velit porttitor nunc phasellus facilisis tempor bibendum class. Integer nascetur neque ligula eget consequat lobortis neque ligula. Quisque maecenas a diam viverra senectus feugiat. Consectetur dignissim ut vivamus magna lorem malesuada turpis vitae.

Orci fusce efficitur libero porta porta ante euismod. Diam viverra malesuada integer, dictumst finibus ultricies! Dis turpis sociosqu montes cras arcu. Donec nulla et suspendisse elit accumsan duis tempus. Amet pellentesque lobortis dapibus fusce elementum nisi. Quam ultrices primis pellentesque ante dictumst? Dis rhoncus eros ipsum egestas, senectus potenti. Iaculis pellentesque habitasse vitae sociosqu vivamus lorem ex turpis tortor.

Elit ridiculus ut mollis neque dis. Vel class arcu duis varius fusce metus. Phasellus finibus pellentesque laoreet fusce lacus primis molestie. Ut cras risus arcu tincidunt ante, molestie maximus taciti. Etiam aliquam molestie; justo cubilia integer aenean. Curabitur curabitur suspendisse aliquet eu senectus. Tempus per eget dictum; id tristique velit vulputate pharetra iaculis. Cubilia nisi congue ligula iaculis luctus.