The outage might cost Fortune 500 companies up to $5.4bn in revenue and gross margin, said cloud monitoring and insurance company Parametrix. That figure doesn’t include secondary losses attributable to lost productivity or reputational damage. And only a small portion, around 10%-20%, is likely to be covered by cybersecurity insurance policies.
The healthcare and banking sectors were the hardest hit by the incident, with estimated losses of $1.94bn and $1.15bn, respectively, according to Parametrix. Fortune 500 airlines such as American and United were also hit hard, with losses of some $860m.
According to Fitch Ratings, preliminary market estimates of global insured losses of between $1bn and $10bn would not result in a significant impact for (re)insurers. Several mechanisms will limit insured losses, including lack of insurance coverage, high deductibles, sub-limits and time periods for business interruption claims. Most business interruption claims resulting from cyber events have time periods ranging from eight to twelve hours.
Single-point-of-failure risks, as in the Crowdstrike case, highlight the challenges of cyber risk modelling, according to Fitch Ratings: the frequency of such events is low, but the potential severity can be high, depending on the duration of outages, aggravating events, and the uncertainty of repair costs and liability exposure. The wider development of the cyber risk transfer and securitisation market requires further product maturation, including greater standardisation of coverage terms and policy language, price discovery and risk modelling applications.
In a blog post, Crowdstrike said the test and validation system that approved the bad software update appeared to be working normally for other versions released earlier in the year. It is developing a new control for its validation system to prevent this type of “problematic content” from being deployed in the future.