The vast majority of damages from last month’s CrowdStrike Holdings Inc.’s global IT outage will go uninsured, according to new estimates from Guy Carpenter and CyberCube Analytics Inc.
The days-long cyberincident — which grounded planes, shuttered businesses and stopped markets — cost Fortune 500 companies about $5.4 billion in damages, according to insurance company Parametrix. But insured losses are expected to be far less than that. Reinsurance broker Guy Carpenter estimated this week that insured losses will range from $300 million to $1 billion, while the risk analytics firm CyberCube puts that figure between $400 million and $1.5 billion.
The forecasts signal a relatively muted insurance response to one of the biggest cyber incidents. In its latest earnings report, CrowdStrike reported a total of nearly 24,000 enterprise customers, including nearly 60% of the Fortune 500. But, according to Guy Carpenter’s estimates published on Thursday, fewer than 1% of global companies with cyber insurance saw an impact from the outage.
“There are some uninsured or underinsured companies suffering impacts at a wide range of severity,” Erica Davis, global co-head of cyber at Guy Carpenter, told Bloomberg News, adding that other factors, including the relatively short duration of the outage, are also likely to widen the gap between actual damage and insurable damage.
Since the outage began with a botched software update rather than a cyberattack, the non-malicious nature of the incident will also limit the scope of coverage, Guy Carpenter said. CyberCube added that while the IT crash was a major event for cyber insurers, “it does not come close to the destructive potential that leading insurers are holding capital against.”
Marsh, the world’s largest insurance brokerage, had over 75 clients warn of potential cyber claims on July 19, the first day of the outage, Bloomberg previously reported. That number has since passed 200, said Meredith Schnur, Marsh’s cyber practice leader for the US and Canada.
Delta Air Lines Inc., which was dealt a notably harsh blow, has since hired attorney David Boies to seek possible compensation from CrowdStrike and Microsoft Corp. for the incident, which cost the airline $500 million, Chief Executive Officer Ed Bastian told CNBC this week.
Although lawyers are circling, estimates suggest “a sizable but manageable insured loss,” Guy Carpenter said in its report this week.
