Cyber catastrophe bonds have come into focus after a global IT outage caused by a CrowdStrike service update resulted in millions of computers running critical services going offline, raising questions surrounding cyber accumulation and aggregation risks and highlighting some uncertainties over exactly what cyber cat bonds cover.
This does have the potential to be a covered event under at least some of the cyber catastrophe bonds, perhaps all of them. Having looked through the terms of some of those transactions, it’s clear an accumulation of losses from this CrowdStrike linked outage would be able to put the cyber bonds on-risk, where sponsors’ exposure to be sufficiently high, or were industry-losses in the US to reach the trigger level in the case of the one industry-index cyber cat bond.
The first uncertainty came about as Microsoft was initially pointed to as the cause of the outage, which was a natural assumption given it was Microsoft operating systems that were the key endpoint affected and that company had also suffered a separate outage that degraded some cloud services on the same day.
But the cause of the outage, that Microsoft has now estimated affected around 8.5 million computers running its operating systems, was actually a corrupted software update pushed out by security technology provider CrowdStrike.
As a result, it’s being called the CrowdOut event by specialist cyber risk modelling firm CyberCube, who pointed out that the incident has clearly demonstrated how a single point of failure can result in widespread disruption.
CyberCube said that the CrowdOut Event underscores “the potential for Single Point of Failure (SPoF) technology outages to impact the global digital economy.”
Adding that, “CyberCube is advising clients on how to use SPoF Intelligence to identify exposed insureds and estimate the exposure footprint of the event.”
The ramifications have been both widespread and significant, affecting sectors from travel, to payments and retail, financial services and corporate IT systems across the globe.
The fix for the specific issue has now been rolled out by CrowdStrike and systems are recovering fast in major corporations, but there are reports that a number of airlines go into Monday with effects from the outage set to cause more delays and cancellations, while for small and medium sized enterprises, as well as some national systems such as healthcare, there are expected to be outage effects that last into this week and perhaps beyond, with resources needed to remedy, reboot and update IT systems lacking.
For some cyber insurance underwriters, the longer this event causes disruption the greater their claims burden would be expected to rise to.
With insurance and reinsurance markets already well-aware of the risk of loss accumulation and aggregation under cyber insurance policies, as well as under certain other insurance policies covering business interruption, the eventual costs of the CrowdStrike linked outage remain uncertain.
For the insurance and reinsurance market identifying where losses could flow may come down to forensic analysis of individual cyber insurance and business insurance policies, while some claims will come via business interruption and contingent business interruption, including in some cases under other classes of insurance business where cyber or digital event disruption is not excluded.
There are also extra and out of pocket expenses caused by the outage to consider, while those affected face financial and reputational challenges, all of which can in some cases drive additional claims.
As a result, insurance policy wordings are deemed critical in what has been an unprecedented IT system outage.
In order to understand the potential reach of the CrowdOut event and how the ramifications of the issue caused by the CrowdStrike update could spread, risk modeller CyberCube noted that there are primary impacts to companies running the CrowdStrike Falcon service on Microsoft Windows, with potential business interruption and extra expenses effects for insurers.
Beyond that, secondary impacts are being felt by companies reliant on an single point of failure running the CrowdStrike Falcon service on MS Windows, which while being indirectly affected may result in contingent business interruption claims, plus those utilising a Managed Security Service Provider (MSSP) that was exposed to the CrowdStrike linked outage who also could have business interruption and extra expense claims.
On where losses could materialise, CyberCube explained that, “Analysis of the count of companies exposed across CyberCube’s US Industry Exposure Database (IED) identifies Large companies in Manufacturing, IT, Healthcare, and Financials as the most likely to be exposed. Examination of exposed limits shows an outsize exposure in the Aviation, Banking, and Retail sectors.”
CyberCube said that two cyber aggregation scenarios in its model closely resemble the CrowdOut event, with both showing the CrowdStrike related outage type event to primarily be a business interruption event, while single points of failure in other cyber catastrophe scenarios can lead to contingent business interruption exposure.
On what to expect, CyberCube said, “Affected organizations can expect a series of remediation and recovery efforts to take place immediately. Companies with the IT resources to handle large-scale incidents are expected to recover faster. There may be ongoing disruptions as companies implement patches and verify their systems’ stability. Rolling back the update and applying patches requires specialized knowledge. For small and medium-sized companies, a lack of access to IT staff could delay the remediation process. Companies lacking robust contingency or IT backup plans could also face additional disruptions.”
With now almost $589 million in catastrophe bond risk capital exposed to cyber loss events, thanks to the emergence of the new cyber catastrophe bond segment of the market, there are questions being asked about their potential exposure to this event as well.
One of those cyber cat bonds, the $13.75m private Cumulus Re deal, is a specific parametric cloud outage cyber cat bond, so seems the least likely to face any threat from this event, although we must note we don’t know the exact terms of coverage for that privately placed deal.
The other 144A cyber cat bonds all cover cyber catastrophe losses, with four of the deals providing cyber reinsurance on an indemnity trigger basis and one being an industry-loss trigger cyber cat bond. With these, the potential for there to be any ramifications are less certain and will come down to how the cyber insurance market loss stacks up after the CrowdStrike outage.
Which at this stage is extremely challenging to forecast and while many we’ve spoken with say they would not anticipate losses to any cyber cat bonds, there are plenty of others who say it’s still too uncertain at this time to be sure.
It’s worth noting that cyber cat bonds were not marked down due to the CrowdStrike or CrowdOut event on friday in the secondary cat bond broker pricing sheets we have seen so far.
We have not seen every secondary cat bond pricing sheet, but have had a few shared with us and there have not been any notable price movements.
That’s encouraging to a degree, but Friday was also very early for any prognostications over the potential for any claims accumulation under the terms of any cyber ILS arrangements, or even for cyber reinsurance treaties more broadly.
To try and get a little more insight as to how the ILS market was feeling after what is the highest-profile cyber event, we asked readers for their views in a flash poll.
Asked whether the CrowdStrike linked outage could pose any threat to cyber cat bonds, 22% said none whatsoever, while 55% said possibly, but that more clarity was needed to make a firm determination.
14% said that CrowdStrike is the biggest threat to cyber cat bonds to-date, while 9% said that they felt accumulation of losses from the outage could have the potential to hit cyber cat bonds.
All of which shows just how uncertain things were as of late Friday and into Saturday and it feels like that uncertainty while lessened slightly, still remains come early Monday morning.
Perhaps concerning, we’ve had a number of ILS investors and industry participants reach out and say they assumed it would take a cyber attack, or malicious actor event, for cyber cat bonds to face any exposure to losses and with this being an outage caused by a software programming error, how could they be exposed?
It’s a cyber disruption rather than an attack, but cyber cat bonds could also be termed digital operational risk cat bonds as well, as they do offer broad coverage across digital and technology issues that may not arise from a hack or cyber attack at all.
Such is cyber insurance and, when it comes to business interruption, that doesn’t necessarily have to come from a policy termed “cyber” either. It seems some investors and other interested parties may not have been aware of these facts.
While it does not feel like there was any specific concern on Friday, or over the weekend, from cat bond fund managers that might have allocated to the cyber cat bonds, the fact it is not at all clear-cut and this outage event has raised so many questions, perhaps highlights the fact this is still a very new peril and there’s a lot to learn about it.
While there were no price movements in cyber cat bonds that may or may not be exposed to the CrowdOut event, there is a clear need for more education on the peril in general, both across traditional re/insurance and also the insurance-linked securities (ILS) market.
Could anyone have sold their cyber cat bonds on Friday, at the time the world was recovering from the outage?
While many sources we’ve spoken with said they would not expect loss accumulation from the CrowdStrike linked outage CrowdOut event to reach the levels necessary to threaten the cyber cat bonds in the market today, given the general nervousness the event has caused it seems quite unlikely anyone would have been able to trade them.
Which reflects the uncertainty inherent in an event such as this and perhaps in cyber insurance in general, due to the proliferation of customised wordings tailored to the clients needs. That does not help for gaining a rapid view of potential exposure to an event either.
Those coverage terms and wordings are set to be critical in defining just how significant an event this global IT outage has been for cyber insurance and business interruption, or contingent BI. Let alone for reinsurance, retrocession and cat bonds or other cyber ILS deals.
Subrogation potential is another consideration, given how the outage emanated from CrowdStrike.
Risk modeller Moody’s RMS provided some helpful insights into what the CrowdStrike linked outage could mean for re/insurance markets.
Damini Mago, Assistant Director, Product Management, Cyber from the company wrote in a blog post that, with CrowdStrike a leading endpoint detection and response (EDR) provider, the fact some insurers require clients to use an EDR to get cyber insurance, it means enterprises using CrowdStrike are more likely to have a cyber insurance policy in place, although “in terms of any claims, the extent and terms of coverage within an individual cyber policy will vary.”
Mago also wrote, “There remain unknown implications of this event to how the coverage is being triggered.
“The scale of potential losses, particularly for critical industries, underscores the importance of understanding and managing cyber risk.
“For instance, industries like airlines and hospitals, which depend on continuous systems availability, are particularly vulnerable, as an inability to access critical systems could lead to business interruption (BI) and potential claims.
“As this incident, although initially reported as non-malicious, has shared similarities with large-scale cyberattacks in terms of its disruptive impact on an insurer’s clients, the fallout could see losses, especially for sectors that rely heavily on systems uptime.
“Insurers could see that their incident response and claims handling teams are stretched thin given the scale of this incident, as the number of enterprises impacted and how they were impacted becomes clearer in the next few days.
“Policy terms and conditions still vary widely, and even though the cyber insurance market has evolved there isn’t standardization of terms. Insurers will have to start the process of individually assessing each client’s policy in turn to establish their exposure.”
Executives from reinsurance broker Howden Re also commented on the IT outage event, with Luke Foord-Kelcey, Global Head of Cyber the company stating, “This mass outage will certainly be felt by the Cyber insurance market. However, the full extent of the impact will only become clear over the coming days as we are able to take stock of how rapidly the fixes have been able to be implemented and whether the resulting business interruptions have exceeded the policy waiting periods – and if so, by how much.
“Certain segments of the market seem to have been impacted more than others. For example, Australia experienced the worst of the impact during their working day, potentially leading to more significant ongoing consequences. Similarly, the Air Transport sector, which typically takes longer to recover from outages, is also heavily affected. At Howden we maintain an industry exposure database for the Cyber market, covering around USD 9 billion (or 65%) of gross written premium. Our data suggests that Australia accounts for just over 2.5% of Cyber GWP, and the Air Transport sector (including airlines, airports and couriers) a little under 0.5%, with exposure figures [limit deployed by insurers] broadly in line with this.
“Given that this is a non-malicious cyber event caused by a failed patch from a third-party vendor, it may trigger Systems Failure Business Interruption-type insuring clauses, subject to waiting periods typically in the region of 8-12 hours.”
Those clauses can be critical and we know are relevant to some cyber cat bonds, as they provide cover to writers of cyber policies that feature a waiting period before coverage becomes available in certain scenarios.
Harriet Gruen, Head of Cyber Threat Intelligence at Howden Re, also said, “As the (re)insurance industry continues to assess the full implications and root causes of this mass IT outage, the incident reveals far-reaching dependencies inherent in global digital infrastructure. Recent years have seen a dramatic improvement in our industry’s understanding of cyber risk, leading to more nuanced insurance coverages. However, this incident underscores the evolving nature of cyber and IT risks and the need for continued investment in developing more sophisticated exposure management tools and techniques.”
Reinsurance broker Guy Carpenter also commented, saying that, “Cyber insurers should use this event to evaluate policyholder supply chain dependencies, assess the potential for aggregation across commonly used technologies, and recalibrate risk tolerances accordingly.”
Guy Carpenter highlighted those waiting periods for business interruption as well, saying, “Cyber insurance provides for broad coverage of business interruption resulting from network outage. The trigger for this coverage includes System Failure resulting from non-malicious acts, including human error. That coverage extends to Contingent Business Interruption (CBI) caused by an outage of a vendor on which an insured relies to operate its network.
“Critical for evaluating network interruption claims will be the policy waiting period for which the network must be impaired before the policy responds. Typical cyber waiting periods vary depending on industry class and organizational size with 4–12 hours being most common.
“CBI losses arising from a widely deployed technology present reinsurers with an acute risk for unexpected aggregation. Technologies with large market shares create potential single points of failure that can lead to systemic events yielding claims from a large number of insureds.”
In terms of any reinsurance market impact, Guy Carpenter explained, “System failure losses will be in scope for traditional proportional and aggregate structures, which respond to all causes of loss. In recent renewal cycles, buying behavior selectively shifted toward targeted catastrophe covers, many of which respond to specifically defined catastrophic scenarios.
“Event-based products and the definitions behind them are unique to the cedent’s view of risk and how coverage was negotiated. Recoveries from event-based products will differ based on how each underlying wording differentiates coverage between malicious and non-malicious cyber incidents. As this incident progresses, Guy Carpenter will clarify its impacts on the assumptions around tail risk and the overall USD 15.5 billion global cyber industry moving forward.”
Another area to watch out for claims leakage is D&O coverage, as Guy Carpenter warned late on Friday, “We may see implications on the D&O towers for companies both involved in or impacted by today’s incident.”
While across property and casualty insurance, the reinsurance broker also said, “With the continued integration of information technology and operational technology, insures must also consider the physical consequences that may arise from technology failures. Potential exposure for P&C policies will depend on how insurers address cyber as a peril and whether the policy includes a “silent cyber” exclusion. Policies remaining silent on cyber risk may be exposed to ensuing bodily injury or property damage as a result of cyber-related system failure.”
Finally, cat bond specialist investment manager Icosa Investments AG also commented on the CrowdStrike IT outage on Friday, saying, “Today’s extensive IT system failures worldwide highlight the critical interdependence between IT and cloud infrastructures and the real economy, demonstrating how a single glitch can incapacitate airlines, hospitals, banks, and hotels at the same time causing huge revenue losses for these companies. Currently, no estimates have been provided regarding the insured losses from today’s outage as the incident is still ongoing, but projections in the hundreds of millions certainly seem plausible. This raises pertinent questions about the repercussions on cat bonds.
“Over the past year, several cat bonds covering cyber risks have been issued, and it will be intriguing to see if any of today’s losses impact the cat bond market. At Icosa Investments, we have not invested in these instruments, primarily due to our concern that cyber risk might reintroduce correlation to financial markets to our cat bond portfolios.”
Friday’s cat bond pricing sheets were likely too early for any meaningful insights to be available into the potential for any accumulation or aggregation of losses under cyber policies or elsewhere, for cyber cat bond valuations to be affected by the CrowdStrike event.
Overall, the CrowdStrike, or CrowdOut, event raises all kinds of questions for the insurance, reinsurance and catastrophe bond market, with answers likely to come in slowly as the ramifications become clearer, claims get filed and counted over the coming days.
How much the effects of the outage linger through the new week will also be critical, as that could exacerbate and increase business interruption and CBI claims.
At this stage it’s clear there are ongoing issues in some sectors and for smaller enterprises, suggesting the ultimate financial costs of the IT outage will continue to rise through the coming days.
Given how new the cyber catastrophe bond market is, we hope that sponsors will quickly provide updates to investors on their losses of relevance, to help them in understanding whether this event is any threat to those notes that are in-force.
Sponsors should fairly rapidly be able to tell how losses are divided across claims that could be applicable to the cat bonds reinsurance contract terms, or not and given the level of uncertainty and nerves that have been evident, it would be beneficial to provide clarity as soon as it’s available.
Cyber reinsurance uptake has been accelerating, especially for cyber catastrophe event covers, which is where the cyber cat bond market has come in to support sponsors needs.
This is the first potential cyber catastrophe event since the cyber cat bond market sprang to life, so it’s an opportune time to further ILS investor education and help them to understand whether the CrowdStrike outage really was a threat to cyber ILS arrangements, or not.
Providing some clarity and educational insights will also help to ward off any concerns about the customised nature of cyber policies and how long reporting after an event could actually take.
One question we’ve always been asked about cyber risk, in a cat bond context, is just how long loss development might take and whether cyber catastrophe events could have a particularly slow-burn, resulting in trapping of capital for prolonged periods. This event is an ideal test of terms, wordings, processes, and reporting, and the results should be made widely known, once available. That can only benefit the nascent cyber cat bond and ILS marketplace.
Finally, it’s worth noting that, an event like this may serve to heighten awareness of the availability of cyber insurance coverage, cyber reinsurance and also stimulate protection buyers to increasingly be more receptive to event-based cyber reinsurance and retrocession going forwards.
Luke Foord-Kelcey of Howden Re said that, “Greater awareness of the systemic nature of cyber risk – and growing market consensus on what constitutes a systemic cyber catastrophe loss – has spurred significant interest in cyber cat structures, with continued product uptake observed in 2024.
“This mass outage will only serve to accelerate the interest in cat-focused reinsurance programmes.”
Summing up.
The global IT outage caused by a corrupt update pushed out by CrowdStrike has ramifications for how we think about cyber and digital risk and where the insurance or reinsurance market can find itself exposed to it.
It highlights that there are tiny, discrete packages of software code that can have significant worldwide effects if they go wrong and when you start thinking about the interconnectivity of our digital systems it is easy to find many similar possible single points of failure.
In cat bonds, the event also highlights that there continues to be uncertainty over what cyber cat bonds actually cover and how quickly the market will know after a cyber catastrophe event whether it faces any losses or not.
As a result, it’s a reminder that the industry needs to further educate on cyber risk in ILS form, while also providing a good test for the cyber cat bonds that have been issued so far, including processes for sponsors and arrangers to provide information to investors after a potential event.
In general, we’re not hearing of any specific concerns over this becoming a particularly major insurance and reinsurance market loss this morning, although one source said it has the potential to be classed a cyber catastrophe and be in the ten most costly in insurance terms.
A number of equity analysts have said they do not expect the large cyber insurers to be overly affected, but we’ve seen a number of commentators say they do expect reinsurance to respond in some cases.
It’s worth noting that rating agency AM Best recently said that improved clarity on systemic risks can encourage more cyber ILS capacity.
That statement seems especially pertinent after Friday’s events.
Prior to publication we also spoke with Tom Johansmeyer, Global Head of Index Classes at broker Price Forbes Re.
Johansmeyer has spent considerable time and effort studying cyber catastrophe events and looking into their causes, ramifications, potential for re/insurance market impacts and how they differ to other insurance market catastrophe events.
Johansmeyer noted on this CrowdStrike outage, “The risk of a runaway loss — economic or insured — is constrained by two things. First is the speed of remediation. Cyber events are easier to fix, effectively, than the effects of natural catastrophes. Additionally, there is the question of economic damage — what is destroyed versus merely deferred. The inconvenience from the cyber event is certainly noted, especially for those stuck at airports. But the inconvenience dissipates fairly quickly, unlike the five days Hoboken stayed dark after Hurricane Sandy.
“Although it’s tempting to talk about the societal disruption from such a widespread event, time is likely to show the contrary. There’s considerable empirical evidence to show that cyber disruptions (let’s be sure not to call this one an attack) are short-lived, particularly in comparison to nat cat.
“While there are certainly lessons to be learned and improvements to be made, it’s important that we respect the context of this outage. There’s no basis for comparing it to a hostile act from a state or state-like actor, and the “what if someone does this on purpose?” question is packed with assumptions that have no foundation in this event.”
Johansmeyer also said that events such as this are actually, or should be, of greater concern to the re/insurance industry and ILS market, as “It’s hard to engineer a widespread outcome.”
Friday’s global IT outage showed that a widespread outcome is entirely possible when a key piece of widely used software creates the issue, especially one with such privileged access to core operating system software routines.
We suspect there will be more clarity available on the potential re/insurance industry impacts of the outage in the coming days and will update you.
Read about every cyber cat bond transaction, including the first private cat bond deals and the more recent 144A cyber cat bonds, by filtering our Deal Directory by peril to view only cyber cat bond transactions.
