Fortune 500 stands to lose $5bn plus from CrowdStrike incident
The largest global organisations hit by the CrowdStrike-Microsoft incident on 19 July will likely be out of pocket to the tune of billions of dollars
The total direct financial loss faced by Fortune 500 companies as a result of the 19 July Microsoft-CrowdStrike outage has been set at approximately $5.4bn (£4.18bn), at an average weighted loss of $44m per organisation, rising to close to $150m for the most heavily affected, such as airlines.
This is according to cloud monitoring, modelling and insurance services provider Parametrix, which said that for many Fortune 500 organisations, the impact would be heightened because their large risk retentions and low policy limits relative to potential losses mean the portion covered under cyber insurance policies is likely to amount to no more than 10% to 20% of the total loss.
Parametrix analysis found the largest direct financial loss is likely to fall on those in the healthcare sector – down $1.94bn cumulatively, followed by banking – down $1.15bn. Together, these two sectors account for 57% of the total loss, but only 20% of Fortune 500 revenues due to the uneven impact of the event.
For example, the firm’s analysts said that manufacturing, the largest Fortune 500 segment by revenue, will suffer a relatively trivial loss of just $36m compared with its annual revenue of $3.4tn across 130 organisations, while the six airlines represented on the list will be out $860m against total revenues of $187.1bn.
Parametrix said about a quarter of Fortune 500 organisations were impacted in the incident, caused by a coding error in a CrowdStrike update that threw computers into a boot loop and brought systems crashing down. This includes all six of the Fortune 500 airlines and 43% of retailers. Meanwhile, three-quarters of health and banking firms will suffer direct costs.
“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries,” said Jonatan Hatzor, co-founder and CEO of Parametrix.
“It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimise the potential impacts of systemic cyber risk. However, our analysis does not show the whole diversification picture. A cyber insurer focused on very large companies will certainly suffer a much greater CrowdStrike loss relative to premium than one with a large SME book.”
Timeline of the CrowdStrike incident
- 19 July 2024: An update to CrowdStrike’s Falcon service has led to many Windows users being unable to work this morning. Microsoft 365 is also affected.
- The Emis Web IT system used by more than half of GP practices in the UK is down, following the worldwide Microsoft outage.
- The global outage of Microsoft is rapidly sending shockwaves across all sectors, demonstrating the risk of having a single point of failure.
- A CrowdStrike update with a faulty sensor file has global implications for Windows systems. But competitors need to limit the finger-pointing in case it happens to them.
- As organisations recover from today’s outages, the cyber security industry will need to develop new security software evaluation criteria and requirements and learn to parlay risks.
- 22 July: About 8.5 million devices globally were hit by the botched CrowdStrike update, with a significant number now back online and operational.
- The concentration of so much mission-critical technology in the hands of a few large suppliers makes incidents like the Microsoft-CrowdStrike outage all the more dangerous.
- Financially motivated cyber criminals are already conducting opportunistic attacks on organisations that leverage the CrowdStrike incident, and more targeted attacks are sure to follow.
- 23 July: The ‘blue screen of death’ signals a catastrophic Windows failure, which is exactly what many people faced on 19 July 2024 – but why did it happen? One former Microsoft engineer has a theory.
- Disaster recovery has centered on cyberattacks the past few years, but the CrowdStrike outage illustrates why companies can't forget about traditional business continuity.
- Enterprises that emerged unscathed from the roll-out of the botched CrowdStrike software update are being urged to view it as a wake-up call rather than a lucky escape.
Beyond financial losses, the impact of the downtime on critical services resulted in a highly visible cascade of operational delays affecting Fortune 500 companies and downstream entities.
Parametrix said it was likely that in terms of recovering systems, those industries that still rely heavily on physical computers will be the ones to experience longer recovery times – a point in favour of cloud services, it noted.
It said the overall impact of the outage was made more distinct due to CrowdStrike’s deployment both on-premise and in cloud environments.
Based on this, the firm forecast that cyber insurers should not necessarily rely solely on the event for modelling future cloud-based failures, but might try to better manage systemic outage risks through diversifying across industry sectors, service providers and company sizes.
“Prevention is important, but risk carriers have limited control over event occurrences and service-provider practices,” Hatzor said.
“The industry should focus on controllable areas, like mapping and managing aggregation risk. By understanding these points, we can evaluate key exposures, and mitigate both malicious and non-malicious threats. This proactive approach enables better underwriting decisions, and effective risk-transfer solutions to manage systemic risk.”
Single point of failure
More broadly, Hatzor echoed concerns already shared by other observers in the wake of the global outage – namely the prevalence of tightly bundled technology services that risk creating single points of failure.
“In today’s digital landscape, many businesses rely heavily on integrated systems and services, which, while efficient, can also leave them vulnerable,” he said. “When a critical component within a tightly bundled solution experiences downtime or fails, it can trigger a cascade of disruptions throughout the entire system.
“This interconnectedness means that a failure in one area can lead to significant operational disruptions, affecting everything from customer service to data management and financial transactions.”
Hatzor raised further concerns that both regulators and cyber insurers are not really prepared to address the complexities and risks of such systems. As so often happens, he noted, the rapid evolution of technology has outpaced the development of regulatory frameworks and risk assessment models, which leaves businesses exposed to gaps in insurance coverage or regulatory support when the worst comes to pass.
“This lack of preparedness can exacerbate the impact … leaving companies more vulnerable to prolonged downtime and financial losses,” he said.