CrowdStrike meltdown may shore up cyber insurance premiums
Insurers are refining their policies after the global tech outage to better manage risks.
A worldwide tech outage that crippled industries from airlines to banks and caused billions of dollars in corporate and economic losses in July could spur rising cyber insurance premiums to cover not just hacking but also nonmalicious incidents, insurance analysts said.
The global digital meltdown caused by a CrowdStrike software update that went awry is also likely to cause insurers to further refine their policy exclusions and limitations to better manage risks.
“This incident may exacerbate capacity constraints, making comprehensive coverage more challenging to secure for high-risk industries,” Lee Yen Teik, a senior lecturer from the National University of Singapore Business School’s Department of Finance, told Insurance Asia.
“A tiered pricing structure may become more prevalent, where premiums are closely aligned with an organisation's cybersecurity maturity — rewarding robust defences and penalising weaknesses,” he added.
The CrowdStrike incident is amongst the largest cyber events in recent history, with projected direct losses exceeding $5b amongst Fortune 500 companies alone, Carmel Green, a partner at Reynolds Porter Chamberlain (RPC), separately told Insurance Asia in an interview.
The event has prompted underwriters to reassess their risk appetite, particularly concerning business interruption and system failure coverages, she added.
“The incident has given rise to service disruptions and reputational damage,” Green said. “The impact on the airline and transportation sector is a typical example. Financial services, including banks and other institutions reliant on continuous IT operations, have similarly felt the repercussions.”
The global IT outage caused by a defective CrowdStrike update designed to protect Microsoft Windows systems grounded flights and left thousands of passengers stranded at airports, caused delivery delays and closed stores and amusement parks.
Retailers and e-commerce companies grappling with operational challenges might have experienced revenue losses and reputational harm.
The Asia-Pacific region’s share of gross premiums written on cyber insurance that covers cyber-related losses is lower than in North America and the combined markets of Europe, the Middle East and Africa — 6% versus 56% and 37%, respectively.
But its cyber insurance market is one of the fastest-growing in the past five years, according to S&P Global.
The region’s compound annual growth rate for primary cyber insurance and reinsurance for 2018-2022 was 51.2% and 43.4%, the rating company said.
Cyber insurance policies vary across the different markets in the Asia-Pacific region, influenced by factors such as economic development, regulatory frameworks and market demand.
In developed markets like Singapore, insurers typically offer more comprehensive coverage, which is mandated by stringent regulations such as the Personal Data Protection Act.
“This includes not only standard provisions for property damage and loss of income, but also cyber-specific extensions like cyber extortion and data restoration, which are essential given the high digital penetration in these economies,” Lee said.
In emerging markets, cyber insurance products are more basic. But as these markets become more technologically advanced and face rising cybersecurity threats, there is likely to be a shift toward enhanced regulatory frameworks and broader insurance coverage.
Expanded coverage
Green said the CrowdStrike tech outage showed how businesses of all sizes have become more vulnerable to these types of events.
“Increased pressure on businesses to maximise profitability and efficiency means increased reliance on technology and, in turn, an increased risk of major failures and disruptions, particularly due to the existence of single points of failure,” Green added.
She noted that because of the changing threat landscape, a company’s cybersecurity and operational teams must ensure that systems can manage and respond to unexpected disruptions swiftly and effectively.
Lee said the interconnected nature of modern digital ecosystems complicates liability determination and introduces complex multi-party involvement in the event of a tech outage.
The cascading effects of such incidents could severely affect not just businesses but also the broader supply chain, leading to substantial financial losses and reputational damage, he pointed out.
The frequency of tech outages due to cyber incidents has declined, but their financial costs have become more pronounced, according to the New York-based Uptime Institute.
Green said more than two-thirds of tech outages between 2022 and 2023 led to more than $100,000 in losses. This is expected to persist as businesses increasingly rely on digital infrastructure and as cybersecurity becomes a cornerstone of modern business resilience.
“Looking ahead, as digital threats continue to broaden, insurers are expected to further broaden their coverage to include emerging risks such as cyber warfare and attacks on critical infrastructure,” Lee said.
“These anticipated changes ensure businesses can withstand and quickly recover from a wide array of digital disruptions,” he added.