On Aon

How has CrowdStrike Changed the Cyber Market?

Episode Notes

This summer’s CrowdStrike outage highlighted the potential for significant losses to the insurance market and to organizations. In this episode, Aon experts weigh in on the impact of the CrowdStrike incident and the cyber and supply chain lessons learned.

Featured in this episode: 
Sabba Manyara, Director, Cyber Solutions, Asia
Matt Chmel, Chief Broking Officer, Cyber Solutions Group
Alistair Clarke, Cyber Broking Leader, Global Broking Center

Additional Resources:

Aon’s website

Cyber Resilience Report: Cyber Attacks on Supply Chains Are Causing a Widespread Impact

Overcoming the Reputational Cost of Cyber Attacks: The 10-Day Plan

Responding to the CrowdStrike Outage: Implications for Cyber and Technology Professionals

Responding to the CrowdStrike Outage: Implications for Cyber (Re)Insurance

Client Spotlight: Building a Cyber-Resilient Supply Chain

Episode Transcription

Intro:
Hi everyone, and welcome to the award-winning “On Aon” podcast, where we dive into some of the most pressing topics that businesses and organizations around the world are facing. Today, we hear from Matt Chmel and Alistair Clarke for a discussion around the CrowdStrike incident from earlier this year, and what we’ve learned about cyber and supply chain risk. Now, please welcome this episode’s host, Sabba Manyara.

Sabba Manyara:

Hello there. My name is Sabba Manyara, and I'm a director on the Asia Regional Cyber Solutions team at Aon. In today's On Aon episode, we're discussing the CrowdStrike incident from earlier this year and what we've learned about cyber and supply chain risk. In July, an update in CrowdStrike software caused a massive IT outage around the world, crashing millions of Windows systems. Critical services and business operations were disrupted. As of early fall this year, the speculated insured losses from the CrowdStrike outage are estimated to be between $400 million and over $1 billion. It has had a huge impact, and it highlights our deep reliance on highly complex software systems. With me today to discuss the cyber insurance angle is Matt Chmel, Chief Broking Officer of the Cyber Solutions Group at Aon, and Alistair Clarke, Cyber Broking leader for the UK region at Aon. Thanks for being here today.

Matt Chmel:

Thanks for having me here today, Sabba.

Sabba Manyara:

In our discussion today, we're going to start by walking through the impact of the CrowdStrike incident and what predictions we have for the cyber insurance market. So, let's get started. Can you first paint a scene for us on why the CrowdStrike outage was so significant to companies around the world? Matt, let's start with you.

Matt Chmel:

Thanks, Sabba. So, on July 19th as mentioned, CrowdStrike released a rapid response content update at around 4:09 UTC time, which, in the U.S., was primarily an overnight update. The impact was this was a global update to software. It's estimated about 8.5 million Windows devices were impacted by this update. Given the heavy reliance on CrowdStrike, at that time, it was very much unknown the financial impact and the insured impact and what that could be. Definitely, different sectors were impacted. Airlines were pretty significantly impacted in the US. Health care payment systems and all of the above were impacted. CyberCube had estimated the total insured loss to be around $400 million to $1.5 billion. The thing that's really skewing that kind of loss estimate is what is the actual financial loss? Is it a delayed income loss? Is it a truly insured loss? Many of the airlines we know don't purchase cyber insurance or purchase cyber insurance very uniquely without business interruption insurance. So that may impact and skew some of the losses itself, but also too, leading to that, a lot of it was extra expense.

Matt Chmel:

We know in the healthcare space specifically, there was a lot of delays and interruptions, but a lot of the costs and expense incurred by the loss was due to extra expense caused by actual boots on the ground, having to reboot the systems and deploy the patch that CrowdStrike released to fix the actual incident itself. So very complex situation, very unique situation for each organization individually. At Aon, we saw about 150 cyber insurance policy notices globally. A lot of those came within the first two weeks of the actual incident itself, and many of those are still playing out right now in terms of the actual quantification and forensic really analysis of what that impact was to those organizations on an individual basis.

Alistair Clarke:

Yeah. I totally agree, Matt. I think what was probably so terrifying about this particular outage was that of course it came as a result of an update by CrowdStrike. And CrowdStrike, for those that don't know, is one of the world's leading network security businesses. They exist purely to make our insureds and indeed, many clients that we don't yet hold, better at what they do, more mature from a network security perspective. It was obviously a non-malicious outage, and it was an outage that I really genuinely don't think that the market saw coming. But I think from an underwriting perspective, this was a unique situation in that for many of the insureds that they've taken onto their books, the very reason, or one of the very reasons that they did, that they underwrote these risks was because CrowdStrike was involved.

Alistair Clarke:

And so, in a strange way, some of the better, or what would be considered better insureds, were actually adversely affected. So, it was a real shot across the bows, I think, for so many of our insureds, and, of course, for the market in general. It just genuinely shows you that with cyber, the next loss looks nothing like the last one. So very widespread, but something that I think genuinely the market was quite surprised by.

Sabba Manyara:

Thanks very much both for sharing your thoughts. Definitely agree from an insurance perspective. From insurers, we have heard, in the past, concerns about systemic risk, a widespread event of this magnitude. But as you mentioned, Alistair, usually the concerns around maybe cloud providers, et cetera. But no one really expected a provider like CrowdStrike to be impacted by such an incident, or to create such an impact. So, what are you seeing in the market now as a result of this unprecedented event? What do you predict for the future?

Alistair Clarke:

Well, I think for me, and I'm fairly sure that Matt will echo this, the biggest thing is it's again, reminded all of us about systemic risk, as you say. I think there's a keen awareness that really clients have to be very circumspect around their choice of vendors. But it is the reliance on, again, single vendors, the existence of single points of failure, and the systemic risk that that brings that I think clients have to be aware of. They're also going to have to look very, very carefully at their contractual arrangements. What contractual remedies do they have? If the worst happens, again, a widespread, non-malicious event that comes from a software update, whether it be from a security vendor or some other part of their technology supply chain, you can't always just assume that insurance is going to pick up the tab or all of the tab.

Alistair Clarke:

In this particular situation, as Matt, I think, highlighted, given the intricacies and the issues around retentions on some of these policies, some of them won't have been able to extract really any recovery from their policies because it would have been a relatively short and sharp outage for them, but nevertheless, a costly one. So, what other remedies do they have beyond that of insurance that they can call upon in the event of a similar outage in the future? So yeah, contractual arrangements, and then looking at a broad vendor base and how they protect themselves from these sorts of events going forward. Matt?

Matt Chmel:

Yes, Alistair, I would agree with you. From speaking with many of the insurers, because of various waiting period retentions on policies, after... And we're still very much in this. The dust is settling. Insurers are going to be able to absorb this event within their books of business. We're still seeing a very competitive landscape in the US in terms of cyber insurers wanting to quote business, wanting to retain business. We have seen insureds ask our insurers a handful of questions around the CrowdStrike uses, around the response, around the potential impact to their organization because of the event. But going forward, I think we're going to see a very healthy market going into the Q4 of 2024 and into 2025. Probably low to mid-single digit decreases still on the majority of policies. Obviously, there's going to be some outliers there in terms of loss, loss incurred accounts encouraged with maybe not the best controls that insurers are looking for.

Matt Chmel:

But from a general sense speaking, there is still ample capacity. About 20 percent of our clients are still purchasing additional limits, really due to their investment in cyber modeling, figuring out what their potential loss and exposure could be. Insureds are looking to broaden and enhance their coverage. Insurers are taking a diligent approach in terms of underwriting. Many incumbent insurers want to maintain their current books of business, so they're being aggressive on the renewal basis, but then also trying to get on new programs as well too. So I think going into 2025 and wrapping up 2024, we're still going to see it really be a buyer-friendly market in terms of the cyber insurance landscape as we are currently in right now.

Sabba Manyara:

Great. Thank you so much both for joining us today, Matt and Alistair. Great discussion. It sounds like while the CrowdStrike outage was a very impactful event and highlighted the potential for significant losses to the insurance market and to organizations globally, it was more of a near miss in this instance, and the market is still looking very healthy. And our clients, while many were impacted significantly, can still expect positive outcomes from the cyber insurance market.

Sabba Manyara:

So that's our show for today. Thank you all for listening. In the next months, we'll have more discussions on cyber hot topics as well as episodes on workforce resilience, risk transfer, and more. Until next time.

Outro:

Thanks for tuning in to the latest episode of “On Aon” with our episode host, Sabba Manyara and today’s experts, Matt Chmel, and Alistair Clarke, for a discussion on the CrowdStrike outage. If you enjoyed this episode, don’t forget to subscribe wherever you get your podcasts, and stay tuned for our next conversation featuring industry experts bringing you the latest on topics, including climate risk, workforce wellbeing, ESG trends, and much more. Be sure to check out our show notes and visit our website at Aon dot com to learn more about Aon.