
Crowdstrike reveals a “small catastrophe” pattern in cyber insurance

Tom Johansmeyer investigates the economic and insurance costs of recent major cyber incidents, pointing to a growing yet neglected trend
Image created with the assistance of Midjourney

The mid-July computer systems outage caused by an update from cybersecurity firm Crowdstrike looked worse than it felt, at least in economic terms. The cost to the insurance industry was initially estimated to be “into the billions.” In fact, overall financial losses are expected to be no more than $3 billion. Industry-wide insured losses range from $300 million to $1.5 billion. The sweet spot appears to be $500 million to $1 billion, with my back-of-the-napkin leaning toward the lower end of that range. What does this all mean? 

Crowdstrike is more interesting when evaluated against recent cyber catastrophe events of comparable size, such as the cyberattacks involving MOVEit, CDK Global, and Change Healthcare. Even though human error, rather than a ransomware attack, was behind the Crowdstrike losses, the four events have had similar impacts on both the economy and the insurance industry. Examining these incidents as a growing trend can provide insights into the potential costs of frequent minor cyber catastrophes.

Perhaps counterintuitively, some cyber insurance industry professionals worry more about the potential economic damages resulting from error than attack. They believe it is easier for an error to occur than for someone outside an organisation to find a flaw, exploit it, and ensure a sustained period of economic damage. Mistakes happen. Engineering them is much more difficult.

Cost to the insurance industry

An estimated $400 billion in cyber insurance protection is purchased worldwide, with roughly 60% covering risks in the United States. At its most severe estimate of $1.5 billion in losses, the Crowdstrike event has led to claim payments equal to 0.375% of all outstanding cyber insurance. At the low-end assessment of $300 million, the costs plunge to 0.075%. Either way, the impact is minimal.

The Crowdstrike loss may not even be the most expensive cyber catastrophe of the year, let alone the most expensive since the 2017 NotPetya cyberattack. NotPetya cost $10 billion in damage and disrupted tens of thousands of firms. So far, the other two major events of 2024 were the Change Healthcare and CDK ransomware attacks. Change Healthcare has already been designated a cyber catastrophe by the organization PCS (which I led until May 2023, including the development of this classification system). This designation indicates that the event came from a single original cause and is likely to result in at least $250 million in insured losses across the industry.

Although there is little data to work from, my private sources suggest that the industry-wide insured loss for Change Healthcare will likely range from $500-750 million. The estimates are similar for the CDK event. The same is generally true of the 2023 MOVEit data theft. Thus, recent aggregate cyber catastrophe losses could range from approximately $2-4 billion.  

Together, these events likely represent a potential loss of only 0.5-1% of all cyber insurance outstanding worldwide. In a conventional year, insured cyber losses cost $5.8 billion (based on an estimated loss ratio of 41.6% and a worldwide premium of $14 billion). For the cyber insurance sector, these four cyber catastrophes weren’t so bad. After all, natural disasters cost the insurance industry more than $100 billion in 2023. For the broader economy, it wasn’t so bad either.

Cost to the wider economy

The economic losses from a specific cyber catastrophe indicate the worst potential losses for insurers, given that insured losses can never exceed economic losses. Full insurance coverage would ostensibly have provided protection for the entirety of an event’s economic effect. 

Whether considering just insurance costs or wider economic losses, the assessment remains the same for the Crowdstrike event and the other cyber catastrophes discussed above: the overall damage wasn’t so bad. Cyber analytics firm Cyence believes that the Crowdstrike error resulted in an estimated economic loss of approximately $1.7 billion. That makes it almost certainly smaller than WannaCry and far smaller than NotPetya.

Crowdstrike’s overall economic losses fit the pattern set by other cyber catastrophes this year—MOVEit, Change Healthcare, and CDK—as do the insured losses described above. Although there isn’t much publicly available information, my sources suggest that Change Healthcare’s overall economic impact is likely around $2 billion, with CDK’s the same. For MOVEit, those sources estimate an economic loss of around $1 billion at most.

Still far from impactful

If Crowdstrike’s insurance and even economic impacts seem small, it’s important to remember that this is the case for cyber catastrophes in general. In economic terms, natural catastrophes have been far more costly than cyber catastrophes. Decades of data demonstrate this.

The cumulative economic losses from cyber catastrophes since 1998 amount to $310 billion, just a little higher than the economic loss resulting from the 2011 Tohoku earthquake in Japan. In fact, natural catastrophe economic losses are nearly 14 times higher than cyber catastrophe economic losses for the 1998-2023 period. Adding the four recent cyber catastrophes only exacerbates the difference. Economic losses from natural catastrophes reached $120 billion for the first half of 2024. Together, Crowdstrike, CDK, and Change Healthcare fail to reach 5% of that.

Growing frequency, low severity

The most important insight from the Crowdstrike event – taken together with MOVEit, CDK, and Change Healthcare – isn’t about the severity of the economic or insured loss. It’s about frequency. 

Despite the 21 events noted since 1998, cyber catastrophes are generally believed to be rare. This makes any discussion of how often such events can be expected difficult. Further, tracking smaller events can be particularly challenging, because they don’t prompt the analysis that produces headline loss estimates. NotPetya’s $10 billion garners a lot more attention than Crowdstrike’s $1.7 billion. Ultimately, it becomes tough to understand what small and frequent cyber catastrophes could look like – let alone their implications for the insurance industry.

Crowdstrike was visible. The visuals – such as crowded airports – were utterly relatable. It got our attention. On its own, it’s a curiosity. Taken along with the other recent small cyber catastrophes, though, the Crowdstrike event alerts us to the early signs of a pattern. We’re starting to get a sense of small-event frequency. These events, which cause around $1-2 billion in economic damage, are rising in frequency but are not getting nearly enough attention as a cumulative phenomenon. With the economic implications of major cyber catastrophes declining over the past 20 years, smaller events will become more important.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works of between 800 and 1,200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 CET, through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend the Munich Security Conference.

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use the author’s name (or pseudonym) and an image of the author in association with the essay for purposes of publicity, promotion, and any other activity related to the exercise of their rights under these Terms.

The organizers may remove any essay-related content from their platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on their platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote their products and services.

The organizers may, at their sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.