Cyber Insurance Won’t Cover Billions In CrowdStrike Losses
One cyber insurance provider says affected companies may have to absorb 90% of their CrowdStrike losses.
Paul Shread July 25, 2024
The massive CrowdStrike outage will cost Fortune 500 companies more than $5 billion – and 80-90% of that won’t be covered by cyber insurance policies, according to cloud monitoring and insurance provider Parametrix.
Parametrix estimates that the outage that hit about 8.5 million Windows machines will cost Fortune 500 companies $5.4 billion – and that number doesn’t include Microsoft’s own costs in implementing fixes and getting machines back up and running.
“The portion of the loss covered under cyber insurance policies is likely to be no more than 10% to 20%, due to many companies’ large risk retentions, and to low policy limits relative to the potential outage loss,” the insurer said in a statement released today.
Smaller customers will make the total CrowdStrike losses even higher, and victims are unlikely to get much help from CrowdStrike, as the company’s terms and conditions limit damages to refunds.
Healthcare, Banking Hit Hardest by CrowdStrike Losses
Parametrix said a quarter of the Fortune 500 was impacted by the outage, which CrowdStrike has attributed to a bug in its content validation software that allowed a faulty sensor content update to be released.
All of the airlines in the Fortune 500 and 43% of retailers and wholesalers were hit by the faulty update, which caused widespread Windows blue screen of death (BSOD) crashes and, in many cases, required each affected machine to be remediated by hand.
Roughly 75% of health and banking sector firms suffered direct costs, totaling more than $1 billion for banks and nearly $2 billion for healthcare companies.
CrowdStrike Financial Losses by Industry (source: Parametrix)
Beyond primary financial losses, “CrowdStrike’s impact on critical services resulted in a cascade of operational delays affecting the Fortune 500 companies and their downstream entities,” the company said.
Parametrix concluded that traditional industries relying on physical computers experienced longer recovery times, “which underlines the resilience and rapid recovery of cloud-based systems.”
CrowdStrike’s Customer Outreach Efforts Fall Flat
Many cybersecurity observers have praised CrowdStrike’s forthright discussion of the event and its aftermath. But with thousands of machines down in many affected environments, customers have often been left disaffected, and the company’s outreach efforts, which in some cases amounted to food vouchers, have been criticized as inadequate.
Security researcher Kevin Beaumont shared an image of one customer complaining that a $100 DoorDash gift card was a paltry gesture for an outage that hit more than 150,000 devices in the unnamed organization:
CrowdStrike DoorDash customer complaint
The annual Pwnie Awards gave CrowdStrike an early award for the outage (image below), just one example of the snark and memes that have followed a top cybersecurity company making such a massive mistake.
CrowdStrike Pwnie Award