Discover the lessons from the CrowdStrike outage that risk managers and insurers can't ignore.
In July, a large technical outage impacted critical infrastructure in healthcare, airlines and banking. The event was caused by CrowdStrike, a cybersecurity solutions provider, inadvertently introducing a logic error into its software product Falcon. Here are the major takeaways for risk managers, cyber insurers, boards and cybersecurity professionals:
The CrowdStrike event was a paradoxical cyber failure—but that doesn't mean we should abandon basic cybersecurity principles.
Ironically, effective security measures can complicate users' experience so much that they become incentivized to find workarounds that undermine security. Alternatively, a layered security approach intended to provide depth of defense can introduce potential vulnerabilities if each layer is not managed properly.
The CrowdStrike Falcon event represented this paradox, which was not perpetrated by a malicious hacker but was caused by earnest efforts to improve cybersecurity. Abandoning endpoint detection and response (EDR) tools like CrowdStrike's Falcon, which are instrumental to an organization's cybersecurity, would be far riskier.
Bad code is harmful, but not the only thing compounding the issues of cybersecurity.
In his book “Fancy Bear Goes Phishing: The Dark History of the Information Age,” Scott Shapiro notes that cybersecurity is not only shaped by computational code but also by powerful social, political and institutional codes that define the world around us, which Shapiro deems “upcode.”
These include morality, religion, social norms, corporate policies and codes of ethics, and can be challenging to navigate. The attribution of a cyberattack goes far beyond any forensic computational proof because it is intertwined with political, legal, contractual and cultural rules.
One aspect of “upcode” that may need to change is governance concerning how software is created, implemented, sold and authenticated. One exciting recent development in this area comes from the U.S. government's National Cybersecurity Strategy, which urges that responsibility for cybersecurity should move from software users to software creators.
One proposed requirement is that all software vendors must attest that they developed their software in accordance with NIST 800-218, the Secure Software Development Framework (SSDF). While this would not necessarily have prevented the CrowdStrike event, it potentially mitigates vulnerabilities in published software and thereby complements and reinforces the cybersecurity practices deployed at the business level.
This event validates the cyber insurance value proposition.
Cyber insurance not only addresses losses but also provides real-time risk mitigation. And every systemic event lets insurers validate the value of their product offering.
While undeniably global, the CrowdStrike event caused one platform to impact one operating system—albeit a very large one with many users. Economic insurable losses from the incident are currently projected to be between $400 million and $1.5 billion. These losses, while significant, are perhaps less catastrophic than initially seemed likely. The reality is that the diversification of software and hardware inherently limits the contours of any single cyber incident.
In the future, the actual losses from the CrowdStrike event will be trued up against the projections and predictions of our industry, enabling us to improve predictive analytics. For now, payment of losses stemming from this event indicates that the insurance industry understands the reality of the risk. We offer a product that we thought people would need; it turns out, they very much do.
Just as cyber risk is not specific to cyber insurance, cybersecurity is not separate from our insureds' businesses.
Finally, the world's dependency on digital technologies is not waning; it's increasing. Especially with the proliferation of generative artificial intelligence (AI), cybersecurity is increasingly a board-level issue. It would be foolish to think that the pervasiveness of technology has no impact on the suite of risk transfer products our customers buy.
All industry efforts to clarify insurance contracts come down to this simple observation: Cyber is a specific insurance product that covers many, but not all, aspects of the operational risk of a cyber incident; but “cyber” or “cyber risk” also can be a peril or a cause of loss for other non-IT functions of a business, potentially contributing to a U.S. Securities and Exchange Commission (SEC) investigation, a stock drop, a loss of life, a broken contract or a promise unfulfilled.
These losses will stick to traditional insurance products. It's time for the market to wake up to this reality—and start to orient around it. Boards, risk managers and underwriters must now gain a thorough grasp of firms' cybersecurity and technology strategies; better evaluate the impact of cyber incidents across departments and disciplines; and more accurately gauge businesses' exposure to technology supply chain risks.
Kelly Castriotta is global executive underwriting officer at Markel.
About Markel
We are Markel, a leading global specialty insurer with a truly people-first approach. As the insurance operations within the Markel Group Inc. (NYSE: MKL), we operate the Markel Specialty, Markel International, and Markel Global Reinsurance divisions, as well as State National, our portfolio protection and program services operations, and Nephila, our insurance-linked securities operations. Our broad array of capabilities and expertise allows us to create intelligent solutions for the most complex risk management needs. However, it is our people—and the deep, valued relationships they develop with colleagues, brokers and clients—that differentiate us worldwide.
To learn more about Markel, including our cyber insurance solutions, visit markel.com.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. This document cannot be assumed to contain every acceptable safety and compliance procedure, or to imply that additional procedures might not be appropriate under the circumstances. Markel does not guarantee that this information is or can be relied on for compliance with any law or regulation, assurance against preventable losses or freedom from legal liability. This publication is not intended to be legal, underwriting or any other type of professional advice. Persons requiring advice should consult an independent adviser. Markel does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, Markel does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content.
© 2024 Markel Service, Incorporated. All rights reserved.