Sharing preliminary loss estimates from CyberCube
By the CyberCube Cyber Aggregation Event Response Service (CAERS) team
CyberCube’s cyber catastrophe model estimates preliminary insured losses from the July 19 CrowdOut event for the standalone cyber insurance market at between $400mn and $1.5bn, representing a roughly 3-10% loss ratio impact on global cyber premiums of $15bn today.
This scale of loss could make the CrowdOut event the largest single insured loss event in the history of the affirmative cyber insurance industry over the past 20 years. At the same time, an event of this scale does not come close to the extreme scenarios currently being modeled by cyber insurers and reinsurers.
Based on CyberCube’s current estimates, the event represents a loss somewhere between the 1-in-2 and the 1-in-6 year industry loss return periods according to the company’s cyber catastrophe model and industry exposure database. CyberCube’s Portfolio Manager product, which is used by 30 of the 40 largest US and European cyber insurers, shows far more destructive scenarios that can reach loss ratios of 234% in more extreme events at 1-in-200 year return periods. As such, the CrowdOut event is a major event for the cyber insurance market but does not come close to the destructive potential that leading insurers are holding capital against.
Although relatively muted in estimated insured loss numbers, this event will provide strong material for counterfactual analysis to validate model credibility. For example, had this event been a malicious attack that deployed ransomware bricking a large number of computer systems the losses would have been far worse.
CyberCube’s current estimates are provisional and based on the best information we have available, as the event is still unfolding, with a relatively significant percentage of systems yet to be restored. Each insurance carrier’s claims experience depends on some pivotal criteria relating to the characteristics of their specific portfolio including coverage for non-malicious system failure, contingent business interruption (CBI), and the makeup of insureds in that portfolio. While each insurance portfolio will substantively differ in these respects and as such it would not be accurate to apply cyber insurance market share allocations to reach an individual carrier’s loss potential, we expect carriers to see disproportionate losses in portfolios that have significant large corporate exposures.
For example, the time to recover systems varies widely - affecting the applicability of business interruption coverage. Business Interruption ‘waiting periods’ or time-based deductibles are usually 8 to 12 hours, but can range between 6 to 24 hours. The time required to recover systems varies greatly between large and small companies due to both their IT remediation capacity and also the complexity of their respective IT infrastructure.
The non-malicious nature of the event also affects the insurance coverage that is triggered in policies. This means that contingent business interruption from ‘system failure’ will likely be the loss trigger. This coverage may not be offered as standard in many policies and where offered, will often be sub-limited.
CyberCube is dedicated to the quantification of cyber risk. In analyzing the event for our clients, we applied our unique views on Single Points of Failure technology dependencies. CyberCube’s estimates include losses from insureds who are directly impacted as they were reliant on CrowdStrike Falcon and Microsoft Operating Systems (e.g., airlines, financial, healthcare, etc.), as well as a much larger number of secondary impacts - or companies relying on SPoFs that run CrowdStrike (e.g., payment systems, SaaS providers, etc.)
CyberCube's Cyber Aggregation Event Response Service (CAERS) was activated as a result of the CrowdOut event.
CAERS provides up-to-date intelligence on major cyber catastrophes worldwide as they unfold to ensure CyberCube clients have information that is relevant and tailored to the insurance market. CyberCube will continue to monitor this developing event and provide support for customers in calculating the impact on their own cyber insurance portfolios.
Read more about the fallout of the event in our blog — Five Lessons Learned from the CrowdStrike Outage.