The insurance industry is braced for losses that could run into the billions after last week’s worldwide IT outage exposed the vulnerabilities of a global economy run on a handful of software platforms.
Industries ranging from airlines to retailers were thrown into turmoil on Friday after a botched update from security firm CrowdStrike triggered one of the biggest-ever IT outages, affecting more than 8mn devices reliant on Microsoft Windows software.
Cyber experts said it was a painful reminder of the systemic nature of cyber risk, and showed how an innocuous software update could cause as much disruption as a malicious cyber attack.
Aon, one of the world’s biggest insurance brokers, said the incident was likely to become “the most important” cyber insurance loss event since the NotPetya malware attacks of 2017, and had highlighted the “interconnected nature of software ecosystems”.
Some insurers have suggested it is too early to estimate the global insurance loss that will come, both from typical cyber policies — which often cover non-malicious business interruption or system outages — and from other areas, such as liability claims. “It feels inevitable there will be a series of claims,” said one senior insurance executive.
But others have put figures on the likely cost to insurers. Derek Kilmer, a professional liability broker at Burns & Wilcox, said he expected an insured loss upwards of $1bn, and it “could be much higher”. Will Davies, head of insurance at PA Consulting, reckoned insurers would see “hundreds, if not thousands of claims due to the outage” with estimated claims running into the billions.
$1bn: Lower end of insured loss from global IT outage, estimated by insurance broker Burns & Wilcox
Kelly Butler, UK cyber leader at Marsh, the world’s biggest insurance broker, cautioned that it was too early to quantify an overall loss, but said roughly 100 of its global clients had notified their insurers of potential claims. Most of these were for business interruption or system outage, she added.
The event underlined that there were “no borders” to a sweeping system outage, Butler pointed out. “It impacts globally, immediately, and laterally.” Marsh was “proactively” working with clients to help them track the costs related to the incident, she said.
There are two key factors that could limit the loss, experts said. First, there are waiting periods written into policies before the cover kicks in — typically around 6-12 hours. So a company that got back up and running during that time might not have a claim, or the amount that can be claimed may be significantly smaller. Second, certain policies provide more cover for cyber attacks than they do for IT outages.
Even so, Timothy Wirth, an executive general adjuster at claims management group Sedgwick, highlighted the range of sectors that will have business interruption losses from the incident. “There also remains the potential for property damage claims as well,” he said, “in the event that hardware may have been damaged or corrupted.”
Beazley, a leading cyber insurer, said in a trading update on Tuesday that its profit guidance for the year would not be affected by the global outage “based on what is known at this point”. Its share price rose on the update but was still below its level before the incident took place.
Analysts at Jefferies argued that last week’s event could become a positive catalyst for the company — and the wider sector — by acting as a “proof of concept” for cyber insurance and feeding demand.
Cyber insurance prices have fallen in recent quarters, after big jumps in the previous two years as a spate of ransomware attacks shook the market. Marsh’s Kelly said the market has been “stabilising” due to a recent spike in claims activity, adding: “I suspect that this incident will only [add to that].”