New York/Chicago: The recent cybersecurity software incident at CrowdStrike is unlikely to have a material impact on global (re)insurer financial results, Fitch Ratings says. Preliminary market estimates of global insured losses that range in the mid- to high single digit billion USD would not translate into a material impact for (re)insurers, but they are subject to ongoing claims and litigation.
The insurance lines most affected will be business interruption, contingent business interruption and cyber. Several smaller lines such as travel insurance, event cancellation, and technology errors and omissions will also be affected. Policy terms and conditions vary considerably across regions, sectors and lines of business. We will update our analysis for the sector and rated (re)insurers as more information emerges.
Several mechanisms will limit insured losses, including lack of insurance coverage, high deductibles, sublimits and time element periods for business interruption claims. Most business interruption claims from cyber events have time element periods that range from eight to 12 hours.
“We expect claims will be mostly within the retentions of primary insurers,” said Fitch.
Industries such as hospitals and airlines will be more affected, as they require 24/7 availability and often lack robust redundancies.
The APAC and EMEA regions had more of their workday affected by the outage, unlike the Americas, which had a solution to the outage, although that solution requires physical access to machines and, in some instances, access to a recovery key.
Microsoft estimated that the update affected 8.5 million devices, or less than 1% of all Windows machines. However, this incident highlights a growing risk of single points of failure (SPoF). SPoF are critical bottlenecks in the delivery of systems that, if impacted, will have an outsized effect on the system.
SPoF risk has been modeled for cloud outages and popular software such as operating systems. However, it has not been well modeled or understood for industry-specific software such as CrowdStrike or more recently ChangeHealth.
SPoF are likely to increase as companies seek consolidation to take advantage of scale and expertise, resulting in fewer vendors with higher market shares. Utilizing multiple, redundant vendors can help offset SPoF risks, but can also add increased complexity and costs that often are not feasible.
SPoF risks highlight the challenges in modeling cyber risk, as the frequency of events is low but the potential severity can be significant based on the duration of outages, compounding events, and uncertainty of remediation costs and liability exposure.
Wider development of the cyber risk transfer market and securitization requires further maturation of the product, including greater standardization of coverage terms and policy language, price discovery and risk modeling applications.
Cyber risk remains difficult for insurers to assess due to the dynamic root causes of claims. Challenges include a lack of effective, widely accepted modeling tools and a limited data set of historical claims, where past events are not necessarily indicative of future risks. Early ILS deals within the spectrum of cyber-risk transfer will comprise cyber risks that are easier to model and quantify and will be of modest size.