Verisk’s Property Claim Services unit confirmed reports it has designated the recent global information technology outage as a cyber catastrophe event.
With the designation, PCS Global Cyber believes what has come to be known as the CrowdStrike event will cause at least $250 million in insured losses from standalone cyber programs or from cyber coverage existent as part of blended programs.
The determination by PCS, derived after surveys of cyber insurance marketplace stakeholders, is likely not a surprising one considering published commentary and initial insured-loss estimates from the industry since an update released July 19 by cybersecurity firm CrowdStrike for its endpoint detection and response (EDR) products caused an error within Microsoft Windows and resulted in widespread IT outages—affecting many industries such as airlines, banking, retail, hospitality, and governments.
Broker Aon soon after the outage said it was “likely to be the most important cyber accumulation loss event since NotPetya in 2017,” and has since offered insights related to coverage implications, calling business interruption the probably “most directly affected head of damage.”
Sridhar Manyem, senior director of industry research and analytics at industry rating agency AM Best, said the non-malicious cyber event was “exactly the kind of aggregation risk that the industry is worried about.”
“This incident is likely going to impact multiple insurers,” Manyem added, while calling the cyber incident an “earnings event due to underwriting terms (limits, higher deductibles) and reinsurance.”
Cyber analytics firm CyberCube said last week that insured losses from the massive IT outage could range from $400 million to $1.5 billion. Modeling and insurance services firm Parametrix estimated the portion of the loss covered under cyber insurance policies to be between $540 million and $1.08 billion.
Joshua Motta, CEO of specialist insurer Coalition, compared the CrowdStrike event to Change Healthcare and CDK, and said the firm’s cyber model came up with a loss tally of between $270 million and $960 million.
“Despite the media hysteria and significant impact of these events, including the CrowdStrike outage, which has been called ‘the largest IT outage in human history,’ we do not expect any to reach the levels of loss of natural catastrophe events that routinely impact the insurance industry,” Motta said in a blog.
A brief released this week by Moody’s said insured losses from the widespread outage “appear to be a limited event for property and casualty insurers,” but “determining final losses for the industry is likely to be a lengthy process because cyber insurance policy language is not standardized.”
“It will take time for insurers to determine which customers suffered losses from the outage, and whether those losses are covered,” Moody’s said.
Manyem of AM Best said insurers have been tightening cyber underwriting standards with increased retentions, adjusting limits, using reinsurance, and shifting the focus to small- and medium-sized companies.
“This is still developing and has the potential to be a contracted claims and legal process, and we will be monitoring the situation,” Manyem added.