Back arrow
Blog August 1, 2024

“What’s our number?”: Responding To Your Exposure to CrowdStrike Outage Event

by Andrew Correll

Is cyber risk insurable? That question is often at the heart of the debate about the future of the cyber insurance industry. One of the primary drivers of that question is the insurance industry’s challenges when managing systemic cyber risk since many believe that systemic cyber risk has the potential to bankrupt the industry. While there hasn’t been a catastrophic cyber incident that has proven the skeptics right, there have been several close calls.

The latest close call – Global CrowdStrike outage

Recently, a widespread outage impacted CrowdStrike Falcon, affecting the global supply chain. While we won’t delve into the specifics of this outage, we will use it as an example to highlight the importance of understanding your insureds’ Supply Chain risk in managing systemic risk exposure. The global outage is a stark reminder of the fragility and systemic “nth-party” concentration risk inherent in the technology that underpins your insureds’ operations — airlines, banks, telecoms, stock exchanges, and more. Our reliance on technology creates massive single points of failure, leading to widespread disruption when these systems falter.

Recent research by SecurityScorecard, in collaboration with McKinsey & Company, highlights and quantifies this type of concentration risk. The findings emphasize that a significant portion of the global external attack surface is controlled by a relatively small number of tech providers and nth parties. This issue is not diminishing; in fact, we are only beginning to grasp the potential for chaos caused by this concentration.

“SecurityScorecard’s supply chain data has been useful in helping Sompo identify policyholders that could have relationships with specific technology vendors.” – Lee Stauss, Vice President of Cyber Risk Engineering at Sompo International

What’s our number?

That is the question that Global Heads of Cyber and Chief Underwriting Officers are getting from C-suite executives and their Boards of Directors in the aftermath of the incident. Put another way, what are the losses being forecasted relative to this event? When you’re insuring tens or even hundreds of thousands of businesses worldwide, that can be a difficult question to answer. 

Some insurers ask about critical vendors on insurance applications, but limit it to the Top 5. That doesn’t paint the entire picture when 75% of companies have up to 30 vendors in their digital supply chain. That data tends to be unstructured as well rendering it useless for forecasting exercises.

Other insurers rely on estimates of market share of particular vendors or software providers, but often those estimates are erroneous or overstated. Not to mention that if your particular book of business has concentration in particular industry verticals, you run the risk of over- or underreporting. The guesswork greatly impacts your ability to reserve and forecast losses. A single percentage point can translate to millions of dollars.

“While progress has been made around assessing the cybersecurity practices of single risks, supply chain impacts often remain obscure until the claims begin.” – Andrew Shaughnessy, Director of Cyber Risk Services at Converge Insurance

Respond confidently and accurately 

In partnership with the insurance industry, we were able to help identify over 7,000 policyholders worldwide affected by the incident totaling countless millions of dollars in exposed limits. This conclusion was obtained using Automatic Vendor Detection, which provides a Software Bill of Materials (SBOM) for each insured in a book of business, as well as the insured’s third-party, fourth-party, and Nth-party ecosystem.

To understand the impact of this event, we compiled a comprehensive view of companies worldwide that utilize both CrowdStrike and Microsoft operating systems. That exposure footprint can then be cross-referenced with a portfolio of insureds. With these insights at hand, cyber insurance leaders are better informing their loss picks and reserves around the incident which led to less sweating and scrambling to answer “What’s our number?”. 

SecurityScorecard’s ability to detect which companies in our portfolio were affected by the Crowdstrike incident allowed us to confirm our theoretical conclusions.” – John Butler, Cyber Product Lead at E-Risk Services

To learn more about improving portfolio performance, visit insurance.securityscorecard.com