The Financial Impact of the CrowdStrike Global IT Outage

Last week's CrowdStrike outage, caused by a faulty configuration update, led to widespread system crashes across various business sectors. This disruption highlighted the critical vulnerabilities in modern digital infrastructure, affecting but not limited to airlines, healthcare, financial markets, television broadcasting, and emergency services.

Due to CrowdStrike's digital footprint, the outage's effects were felt globally. As CNN reported, major airlines like Delta, United, and British Airways faced disruptions, grounding flights and causing delays. Hospitals experienced data access issues, delaying surgeries and appointments, notably affecting the NHS. Stock trading was interrupted on markets like the London Stock Exchange. Emergency services, including 911 dispatch centers in several states, had to rely on manual processes due to coordination challenges.

While the CrowdStrike team worked swiftly to restore services, the incident underscored the interconnected nature of modern business operations and the cascading effects of a single point of failure.

Guidewire Cyence estimates that the ground-up business interruption losses from the CrowdStrike outage last week will likely land in the $1 to $3 billion USD range, with a best estimate of $1.7 billion USD.

The Costs of Business Interruption Due to Cyber Risks

Before diving in further, it's important to clarify the nature of the CrowdStrike outage. While traditionally not viewed as a cyber attack, this incident is classified within the cyber insurance industry as a "system failure" event. This type of event, caused by a non-malicious actor, still falls under the broader category of cyber incidents due to its impact on digital infrastructure and business operations. However, this event underscores the interconnectedness of our modern business landscape and dependence on technology and Internet systems, as well as the critical need for robust cyber risk management.

Business interruptions caused by cyber-incidents can have severe financial repercussions, including lost revenue, decreased productivity, reputational damage, and significant recovery costs. Even brief disruptions can result in substantial financial losses, especially during peak operational periods.

Cyber risks and business interruptions due to cyber incidents are the most significant global business risks, ahead of even natural catastrophes, based on a recent analysis by Allianz. The average loss cost for a mid-size business is $5,600 per minute during an IT outage, translating to over $300,000 per hour. An average significant event causes 18.5 hours of downtime for medium to large businesses relying heavily on their IT infrastructure for day-to-day operations.

The cyber risk landscape for global businesses and insurers is complex and ever-evolving. Companies that rely heavily on IT systems or on upstream vendors who do are caught in a race between cyber attack strategies and countering cyber defense methods. Cybercriminals continue to find novel ways to disrupt targets and/or monetize opportunities, employing increasingly sophisticated tactics, often leveraging advanced malware, ransomware, and phishing schemes to exploit vulnerabilities.

Companies must keep up with the latest detection and response methods while practicing good cyber hygiene to prepare for potential cyberattacks or system failure events. State-sponsored cyber incidents add another layer of complexity and danger to those working to assess and mitigate risk in the space.

The CrowdStrike outage is a stark reminder of how widespread these events can be and that no organization is immune, especially those who rely heavily on upstream digital product and service vendors to manage aspects of their operations. The increasing frequency and severity of cyber incidents underscore the need for a deeper focus on understanding and managing cyber risk across companies of all sizes in all regions.

Assessing Cyber Risk

Quantifying individual company risk is a real challenge for insurers, with many needing more data and analytical tools to set pricing and contract terms effectively. These challenges are multiplied when assessing aggregate portfolio risk at the insurance and reinsurance levels. There is a pressing need for statistically proven models and solutions that provide real-time insights and predictive analytics to help understand risk exposure and potential financial impacts from cyber events. This gap in risk assessment capabilities leaves both organizations and cyber insurance industry participants vulnerable. (See the Munich Re Cyber Risk and Insurance Survey 2024 for more information on this topic.)

Guidewire Cyence is a platform designed to help insurers and reinsurers quantify and manage cyber risk. By combining data science, machine learning, and economic modeling, Cyence provides a comprehensive understanding of the financial impact of cyber risks on businesses and portfolios. This innovative tool offers insurers guidance on how to offer more accurate pricing and coverage. It helps businesses better understand their risk profile and what can be done to improve their odds of preventing or mitigating the impact of cyber incidents, regardless of whether they are specifically targeted or caught up in an upstream digital supply chain event.

Cyence's capabilities are particularly relevant after incidents like the CrowdStrike outage. Its ability to estimate potential losses and assess risk exposure provides invaluable insights for insurers, reinsurers, and businesses.

As the threat environment evolves, businesses must prioritize cybersecurity, and their insurance providers must leverage advanced tools like Guidewire Cyence to ensure risk is mitigated as much as possible and the proper coverage can be provided.

For a full report from Guidewire’s Cyence on the CrowdStrike outage, email info@guidewire.com.