Focus on insured loss from CrowdStrike outage overlooks one key issue

Though the response and resilience of the cyber insurance market matter, what matters more is how risk teams proactively deploy resources to avoid large business interruption (BI) losses in future.

A report last week from HowdenRe on the CrowdStrike outage puts insured losses from the incident in the range of US$1bn, making it the costliest incident on record for the cyber market. The report also points out that, with the growth of the market’s premium base over the past ten years, it is in a strong position to absorb these losses. This, it suggests, is proof of the market’s growing resilience, which will strengthen further as the premium base increases in the coming years. Many have also suggested, probably correctly, that the outage has heightened awareness of business interruption risk, especially at board level, and will by extension fuel additional demand for cyber insurance. To be fair, though, cyber has long been listed in board and CEO surveys as a ‘top three’ business risk.

Insurable Loss vs. Economic Loss

On the question of ‘losses’, there is an important distinction. The figure the market is understandably focused on is potential insurable loss. That figure is also weighing on risk officers considering their exposure to this event or one like it. But for C-suites and shareholders, the CrowdStrike outage increasingly raises a different question: how to better understand and measure total economic loss from technology risk, not just the insurable portion of it.

One source put the economic loss for Fortune 500 companies at US$5.4bn. Delta’s CEO Ed Bastian said he expects Delta to take a US$500m hit from the disruption, US$380m of which was attributed to lost revenue. Delta is probably at the outer edge of the per-company range. But it does suggest that the projected aggregate economic loss of just under US$6bn, once lost productivity is accounted for, is an underestimate.

The response and resilience of the market are important, and there are positives to take from it, even three weeks on. But what matters more is how risk teams prepare for recovery and contingency planning, and the proactive resources they deploy to avoid BI losses in future, whether from an outage or an attack. Where there is no insurance safety net in place, this matters even more.

Boards and C-suites are now asking whether their company is doing enough to mitigate the losses from a business interruption event like CrowdStrike. Right now, nobody has a good answer.

Answering the economic loss question

Most large organizations today use hundreds of technology vendors. The interdependencies among these IT suppliers amount to one massive digital Jenga tower: a failure in a single vendor can topple the whole structure, as CrowdStrike showed.

Figure 1. Market not equipped to price the digital Jenga towers of today

Contrary to much of the market commentary about loss mitigation and resilience in the wake of this outage, there is not yet an accepted framework for measuring economic loss, much less for predicting the likelihood of an outage-induced BI event. For CrowdStrike, we will never know the actual total economic loss.

The market today is not equipped to price the risk in corporations’ digital Jenga towers. The way the market models technology risk simply has not kept up with the speed and complexity of digital transformation, let alone the constantly changing tactics of attackers. It is the most dynamic business risk we have ever known. Suffice it to say, it is not well suited to the market’s current approach of measuring it once a year at insurance renewal. It demands continuous measurement of the risk.

One lesson companies should avoid drawing from the CrowdStrike incident is to build their risk programs around a single catastrophic event. Risk teams would do better to allocate more resources to the far more frequent attritional events, which are manageable if accurately identified and assessed.

The Intangic CyFi™ Platform helps risk teams frame this question as an overall business risk rather than only as a cyber risk, including the quantification of economic loss. It brings back-tested empirical data to the economic loss question rather than hypothetical scenario-based models, and in doing so shows how risk and security teams can allocate resources to manage the risk actively and prevent an otherwise avoidable large loss.