22 July 2024 | Article | Analysis

CrowdStrike Outage: The role of captives in mitigating impacts on NDBI and intangible assets


Captive insurers can design insurance policies specifically tailored to cover cyber risks, especially for non-physical damage business interruption, as seen in Friday's CrowdStrike outage, writes Marcus Schmalbach.

On July 19, 2024, the cybersecurity industry was rocked by a significant incident involving CrowdStrike, a leading provider of endpoint security, threat intelligence, and cyberattack response services. A flawed update to their Falcon sensor software led to widespread disruptions, affecting millions of Windows machines globally. The fallout from this incident was profound, impacting critical sectors such as healthcare, aviation, and finance. The financial impact was enormous, with estimated direct and indirect costs running into billions of dollars. This included remediation expenses, lost productivity, operational downtime, and severe reputational damage. Insured losses might cover some of these costs, but uninsured expenses, particularly those associated with business interruption and intangible assets like brand reputation, are likely to be considerable. This incident underscored the urgent need for comprehensive cyber insurance coverage, particularly for non-damage business interruption (NDBI) and intangible assets. Moreover, it highlighted the pivotal role that captive insurance solutions can play in managing cyber risks effectively.

The Incident

The root cause of the problem was a detection logic update for the Falcon sensor’s Memory Scanning prevention policy, which caused an overload in CPU usage, leading to significant performance degradation and system crashes. Reports indicated that the update resulted in operational failures across various critical systems. Airports such as LaGuardia experienced baggage handling disruptions, while hospitals faced dire risks as machines used during surgeries required reboots, potentially endangering patient lives.

Global Impact

The global repercussions of the CrowdStrike incident were immediate and severe. Commercial flights were grounded, media outlets like Sky News went offline, and banking and healthcare services experienced significant disruptions. Emergency call centres also reported substantial downtime. Financial markets reacted swiftly, with CrowdStrike's stock plummeting by over 11% by the day's end, erasing significant market value and shaking investor confidence.

The financial implications of the outage are extensive. Direct costs include the remediation of affected systems, often requiring multiple reboots or manual interventions to delete problematic files. Indirect costs are even more significant, encompassing lost productivity, operational downtime, and severe reputational damage. Insured losses may cover some of these expenses, but uninsured costs, particularly those associated with business interruption and intangible assets such as brand reputation, are likely to be considerable.

The Importance of Cyber Insurance for NDBI

The CrowdStrike incident underscores the critical importance of cyber insurance, particularly for non-damage business interruption (NDBI). Traditional insurance models often fall short in covering the financial impacts of cyber incidents that do not result in physical damage but cause significant operational disruptions. Comprehensive cyber insurance can provide financial protection against these losses, ensuring business continuity and stability in the face of cyber threats.

Non-damage business interruption insurance is designed to cover losses resulting from events that do not cause physical damage to assets but still disrupt business operations. In the digital age, where cyber threats can cause extensive downtime and operational paralysis, NDBI coverage is essential. The CrowdStrike incident is a prime example of how a cyber event can lead to substantial business interruption without physical damage, making NDBI coverage indispensable.

Protecting Intangible Assets

Industries that rely heavily on uninterrupted digital operations, such as healthcare, aviation, and finance, were most affected by the CrowdStrike incident. This outage highlights the vulnerability of intangible assets like data, software, and intellectual property, which are increasingly central to corporate value. Traditional insurance policies often overlook these intangible assets, focusing instead on physical assets like buildings and machinery. However, in today’s economy, intangible assets often represent the majority of a company’s value, and protecting them through specialised insurance policies is essential to mitigate risks associated with cyber incidents.

Data, in particular, is a critical intangible asset that requires robust protection. The loss, corruption, or inaccessibility of data can cripple an organisation’s operations and result in substantial financial losses. Cyber insurance policies that cover data breaches, data recovery costs and business interruption due to data loss are crucial in safeguarding this valuable asset. Additionally, intellectual property, including patents, trademarks, and proprietary software, must be adequately insured to protect against cyber theft and infringement.

How Companies Can Protect Themselves

To mitigate the risks of similar incidents, companies should adopt a multi-faceted cybersecurity strategy that includes advanced threat detection, comprehensive incident response planning and robust employee training programmes. Ensuring that systems are regularly updated and patched, conducting regular cybersecurity drills and simulations and implementing a Zero Trust architecture are critical steps in protecting against cyber threats.

Advanced threat intelligence services can help organisations stay ahead of emerging threats by analysing data from various sources and identifying potential risks. Endpoint detection and response (EDR) solutions provide real-time visibility into endpoint activities, enabling rapid detection and response to suspicious behaviours. These measures, combined with regular data backups and secure storage, can significantly enhance an organisation’s resilience to cyber incidents.

The Role of Captive Insurance Solutions

Captive insurance can play a crucial role in managing cyber risks effectively. A captive is an insurance company that is wholly owned and controlled by its insureds, primarily to insure the risks of its owners. This allows companies to create customised insurance policies that address specific risks unique to their operations, including those not typically covered by traditional insurance.

By self-insuring through a captive, companies can potentially reduce insurance costs, control premium expenditures, and benefit from underwriting profits. Captives also incentivise better risk management practices within the organisation, as the parent company directly benefits from reduced claims and losses. Additionally, captives can access reinsurance markets to spread the risk of large losses, providing additional financial protection.

Captive insurance solutions offer several advantages in the context of cyber risk management. Captives can design insurance policies specifically tailored to cover cyber risks, including those associated with NDBI and intangible assets. This ensures comprehensive coverage that addresses the unique exposures of the organisation. By self-insuring through a captive, companies can better control their insurance costs. Premiums paid to the captive can be retained within the organisation, and underwriting profits can be reinvested into further improving risk management practices.

Captives create a direct financial incentive for companies to invest in robust risk management practices. By reducing the frequency and severity of claims, companies can improve the financial performance of their captive. Furthermore, captives can access reinsurance markets to transfer a portion of their risk, thereby protecting against large and catastrophic losses. This provides an additional layer of financial security for the organisation.

Expanding on Prevention and Protection

Given the severity and widespread impact of the CrowdStrike incident, businesses must adopt a proactive stance toward cybersecurity. In addition to the measures mentioned above, companies should consider the following strategies to enhance protection and ensure rapid recovery from cyber incidents.

Utilizing advanced threat intelligence services can help organisations stay ahead of emerging threats. By analysing data from various sources, companies can identify potential risks and take preventive measures before an attack occurs.

Implementing a Zero Trust architecture ensures that no entity, inside or outside the network, is trusted by default. Continuous verification of each access request, along with strict access controls, can significantly reduce the risk of unauthorized access.

Deploying endpoint detection and response (EDR) solutions can provide real-time visibility into endpoint activities, enabling rapid detection and response to suspicious behaviors. EDR tools can isolate affected systems, preventing the spread of malware and facilitating swift remediation.

Conducting regular cybersecurity drills and simulations helps prepare the organisation for real-world scenarios. These exercises test the effectiveness of incident response plans and identify areas for improvement.

Evaluating and monitoring the cybersecurity practices of third-party vendors is crucial. Ensuring that partners and suppliers adhere to stringent security standards can prevent vulnerabilities from being introduced into the organization.

The Future of Cyber Insurance

As the digital landscape continues to evolve, so too must the approach to cyber insurance. Traditional models may no longer suffice in providing adequate coverage for the complex and dynamic nature of cyber risks. The integration of advanced technologies and innovative insurance models is essential for future-proofing businesses against cyber threats.

Parametric insurance, which provides payouts based on predefined triggers rather than assessed losses, can offer quicker and more transparent claims processes. For instance, a parametric policy might pay out if a certain number of systems are impacted by a specific type of malware, regardless of the actual damage assessed.

Leveraging blockchain technology can enhance the transparency and security of insurance transactions. Smart contracts on blockchain platforms can automate claims processing, reducing the potential for disputes and ensuring timely payouts.

Offering cyber resilience services as part of an insurance package can provide businesses with access to cybersecurity expertise, incident response teams, and continuous monitoring. This holistic approach ensures that companies are not only insured but also better prepared to handle cyber incidents.

Encouraging collaboration and information sharing between businesses, insurers, and cybersecurity experts can improve the overall security posture. Shared threat intelligence and best practices can help organizations anticipate and mitigate emerging threats more effectively.

Risk Assessment and Cyber Risk Transfer

An effective risk management strategy begins with a thorough risk assessment. Identifying and understanding the specific risks an organization faces is crucial for implementing appropriate controls and transferring risk effectively. In the context of cyber risk, this means evaluating the potential impact of different types of cyber threats, such as ransomware attacks, data breaches and system outages.

Once risks are identified, businesses should prioritise them based on their potential impact and likelihood of occurrence. This prioritisation allows organisations to allocate resources efficiently and focus on mitigating the most significant threats. Transferring risk through insurance is a critical component of this strategy. Cyber insurance policies should be tailored to cover the specific risks identified during the assessment, ensuring that businesses are adequately protected.

Conclusion

The July 2024 CrowdStrike outage underscored the critical importance of robust cybersecurity measures and comprehensive insurance coverage. Businesses must adopt a proactive and multi-layered approach to cybersecurity, ensuring that they are prepared for the evolving threat landscape. Investing in advanced technologies, enhancing incident response capabilities, and leveraging innovative insurance solutions are essential steps toward achieving cyber resilience. As the digital economy continues to grow, the imperative for effective cyber risk management and insurance will only become more pronounced.

By addressing these challenges head-on and adopting a forward-thinking approach, businesses can safeguard their operations, protect their intangible assets, and ensure continuity in the face of cyber threats. The integration of cyber insurance, particularly for NDBI and intangible assets, along with the strategic use of captive insurance solutions, provides a robust framework for managing the complex and evolving risks in today’s digital world. Conducting thorough risk assessments and effectively transferring risks through insurance can further strengthen an organisation’s resilience against cyber threats.

Professor Dr Marcus Schmalbach is CEO of RYSKEX based in London. 

mschmalbach@escp.eu  
