The great George Box’s aphorism “All models are wrong, but some are useful” has been a guiding principle of my work for years, and is as true today as ever.

‍

When the dust settles from the CrowdStrike outage, we will learn how well the Parametrix financial loss model performed in predicting the impact of the CrowdStrike outage. We believe that our model will not only prove to be “useful”, but it will also provide the following insights that will drive modeling and management of cyber catastrophe risk going forward:

‍

1. The Cloud - The cloud is a key element of IT infrastructure. While its breakage is a key source of systemic risk in cyber insurance portfolios, we witnessed something different with the CrowdStrike outage. The software was automatically updated through the cloud which caused the bug to quickly spread through systems worldwide. Rather than a broken piece of infrastructure being the problem, the infrastructure acted as a conduit for the problem.
   ‍
2. Diversification - Diversification means different things for different risks. When managing the risk of cloud infrastructure failure, cyber insurers can obtain diversification by insuring companies with different cloud service providers  and cloud regions. When modeling malware or software malfunction, diversification can be found in varied third-party services used by the insureds in a given cyber insurance portfolio. If many insureds are relying on the same piece of third-party software, like what we saw with the CrowdStrike outage, it becomes a source of risk accumulation.
   ‍
3. Distinct Risks - The failure of the cloud impacts sources of revenue in a way different to cyber-security software malfunction causing Microsoft Windows OS to fail. Not only does it impact different operating units within a company, but it will cause different types of companies to fail. Modeling distinct risks requires the ability to make distinct assumptions on the portion of revenue impacted by the event as well as for the impact of the duration of the event.
   ‍
4. Cloud Use - While the cloud was the channel through which the bug was able to propagate quickly, companies that access the CrowdStrike software through the cloud were able to fix the issue more quickly than those accessing it through on-premise installations. A given risk factor often can play subtile role in a model where it’s net impact is not always known ahead of time.
   ‍

Parametrix’s deep understanding of system downtime enabled us to build a modeling framework that can  quickly and easily be adapted to the insights gained from events like the CrowdStrike outage, allowing these points to form the foundations of a robust risk management structure for catastrophic cyber insurance risk.

These insights and more can be found in Parametrix’s analysis CrowdStrike’s Impact on the Fortune 500.