Parametrix, the leading provider of cloud monitoring, modeling, and insurance services, estimates that the total direct financial loss facing the US Fortune 500 companies (excluding Microsoft) from the CrowdStrike outage on 19 July is $5.4 billion. The portion of the loss covered under cyber insurance policies is likely to be no more than 10% to 20%, due to many companies’ large risk retentions, and to low policy limits relative to the potential outage loss. The weighted average loss is $44 million per Fortune 500 company, but ranges from $6 million (manufacturing companies) to $143 million (airlines).
In-depth analysis by Parametrix estimates that the largest direct financial loss will be suffered by Fortune 500 companies in the healthcare sector ($1.938 billion), followed by banking ($1.149 billion). Companies in these sectors take 57% of the loss, but account for only 20% of Fortune 500 revenues, due to the uneven impact of the event on business sectors. Manufacturing, the largest sector by revenue, suffered a trivial loss of just $36 million in total when compared to its annual revenue of $3.4 trillion across 130 companies, while the event cost the six Fortune 500 airlines approximately $860 million, against revenue of $187.1 billion.
A quarter of the Fortune 500 was impacted (125 corporations), including 100% of airlines in the cohort, and 43% of retailer & wholesaler companies. About three quarters of health and banking sector firms suffered direct costs. Beyond such primary financial losses, CrowdStrike’s impact on critical services resulted in a cascade of operational delays affecting the Fortune 500 companies and their downstream entities. A forthcoming Impact Analysis, CrowdStrike’s Impact on the Fortune 500, to be published imminently by Parametrix Analytics, concludes that:
- Traditional industries relying on physical computers experienced longer recovery times, which underlines the resilience and rapid recovery of cloud-based systems.
- Cyber (re)insurers can manage systemic risk through strategic diversification across industry sectors, service providers, and company sizes.
- The impact of the CrowdStrike outage was distinct due to its deployment both on-premises and via the cloud. Insurers should therefore not rely solely on the CrowdStrike event for modeling future cloud-based failures.
Parametrix unparalleled insight into the financial impact of the CrowdStrike event is based on:
- more than 54 billion data points, which together define the historical performance of cloud services,
- extensive expertise in system failures and business interruption losses, and
- direct monitoring of the real-time service status of 6,000 leading technology businesses, including a significant portion of the Fortune 500.
“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries,” said Jonatan Hatzor, co-founder and CEO of Parametrix. “It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimize the potential impacts of systemic cyber risk. However, our analysis does not show the whole diversification picture. A cyber insurer focused on very large companies will certainly suffer a much greater CrowdStrike loss relative to premium than one with a large SME book.”
He continued: “Prevention is important, but risk carriers have limited control over event occurrences and service-provider practices. The industry should focus on controllable areas, like mapping and managing aggregation risk. By understanding these points, we can evaluate key exposures, and mitigate both malicious and non-malicious threats. This proactive approach enables better underwriting decisions, and effective risk-transfer solutions to manage systemic risk.”
About Parametrix
Parametrix is the leading provider of cloud outage analytics and insurance solutions. We specialize in underwriting parametric insurance for system interruption, helping businesses protect against the costly impacts of downtime. Leveraging proprietary technology, we continuously monitor third-party IT services, gathering granular data on service performance and interruptions. This data enables us to assess risk accurately, provide instant insurance quotations, and streamline claims payments, ensuring our clients receive fast, reliable support when they need it most. Parametrix is a Managing General Agent and Lloyd’s Coverholder whose policies are backed by major A-rated global insurers. The company is based out of New York.