On Aon Podcast: How has CrowdStrike Changed the Cyber Market?
Episode 80: Aon experts discuss the impact of the CrowdStrike incident and the cyber and supply chain lessons learned.
Key Takeaways
- In this episode, Aon experts identify the global significance of the CrowdStrike incident.
- Aon’s experts share what CrowdStrike means for the future of cyber risk.
- Episode 80 is a deep dive into the current cyber insurance market.
Intro:
Hi everyone, and welcome to the award-winning “On Aon” podcast, where we dive into some of the most pressing topics that businesses and organizations around the world are facing. Today, we hear from Matt Chmel and Alistair Clarke for a discussion around the CrowdStrike incident from earlier this year, and what we’ve learned about cyber and supply chain risk. Now, please welcome this episode’s host, Sabba Manyara.
Sabba Manyara:
Hello there. My name is Sabba Manyara, and I'm a director on the Asia Regional Cyber Solutions team at Aon. In today's On Aon episode, we're discussing the CrowdStrike incident from earlier this year and what we've learned about cyber and supply chain risk. In July, an update in CrowdStrike software caused a massive IT outage around the world, crashing millions of Windows systems. Critical services and business operations were disrupted. As of early fall this year, the speculated insured losses from the CrowdStrike outage are estimated to be between $400 million and over $1 billion. It has had a huge impact, and it highlights our deep reliance on highly complex software systems. With me today to discuss the cyber insurance angle is Matt Chmel, Chief Broking Officer of the Cyber Solutions Group at Aon, and Alistair Clarke, Cyber Broking leader for the UK region at Aon. Thanks for being here today.
Matt Chmel:
Thanks for having me here today, Sabba.
Sabba Manyara:
In our discussion today, we're going to start by walking through the impact of the CrowdStrike incident and what predictions we have for the cyber insurance market. So, let's get started. Can you first paint a scene for us on why the CrowdStrike outage was so significant to companies around the world? Matt, let's start with you.
Matt Chmel:
Thanks, Sabba. So, on July 19th as mentioned, CrowdStrike released a rapid response content update at around 4:09 UTC time, which, in the U.S., was primarily an overnight update. The impact was this was a global update to software. It's estimated about 8.5 million Windows devices were impacted by this update. Given the heavy reliance on CrowdStrike, at that time, it was very much unknown the financial impact and the insured impact and what that could be. Definitely, different sectors were impacted. Airlines were pretty significantly impacted in the US. Health care payment systems and all of the above were impacted. CyberCube had estimated the total insured loss to be around $400 million to $1.5 billion. The thing that's really skewing that kind of loss estimate is what is the actual financial loss? Is it a delayed income loss? Is it a truly insured loss? Many of the airlines we know don't purchase cyber insurance or purchase cyber insurance very uniquely without business interruption insurance. So that may impact and skew some of the losses itself, but also too, leading to that, a lot of it was extra expense.
We know in the healthcare space specifically, there was a lot of delays and interruptions, but a lot of the costs and expense incurred by the loss was due to extra expense caused by actual boots on the ground, having to reboot the systems and deploy the patch that CrowdStrike released to fix the actual incident itself. So very complex situation, very unique situation for each organization individually. At Aon, we saw about 150 cyber insurance policy notices globally. A lot of those came within the first two weeks of the actual incident itself, and many of those are still playing out right now in terms of the actual quantification and forensic really analysis of what that impact was to those organizations on an individual basis.
Alistair Clarke:
Yeah. I totally agree, Matt. I think what was probably so terrifying about this particular outage was that of course it came as a result of an update by CrowdStrike. And CrowdStrike, for those that don't know, is one of the world's leading network security businesses. They exist purely to make our insureds and indeed, many clients that we don't yet hold, better at what they do more mature from a network security perspective. It was obviously a non-malicious outage, and it was an outage that I really genuinely don't think that the market saw coming. But I think from an underwriting perspective, this was a unique situation in that for many of the insureds that they've taken onto their books, the very reason, or one of the very reasons that they did, that they underwrote these risks was because CrowdStrike was involved.
And so, in a strange way, some of the better, or what would be considered better insureds, were actually adversely affected. So, it was a real shot across the bows, I think, for so many of our insureds, and, of course, for the market in general. It just genuinely shows you that with cyber, the next loss looks nothing like the last one. So very widespread, but something that I think genuinely the market was quite surprised by.
Sabba Manyara:
Thanks very much both for sharing your thoughts. Definitely agree from an insurance perspective. From insurers, we have heard, in the past, concerns about systemic risk, a widespread event of this magnitude. But as you mentioned, Alistair, usually the concerns around maybe cloud providers, et cetera. But no one really expected a provider like CrowdStrike to be impacted by such an incident, or to create such an impact. So, what are you seeing in the market now as a result of this unprecedented event? What do you predict for the future?
Alistair Clarke:
Well, I think for me, and I'm fairly sure that Matt will echo this, the biggest thing is it's again, reminded all of us about systemic risk, as you say. I think there's a keen awareness that really clients have to be very circumspect around their choice of vendors. But it is the reliance on, again, single vendors, the existence of single points of failure, and the systemic risk that that brings that I think clients have to be aware of. They're also going to have to look very, very carefully at their contractual arrangements. What contractual remedies do they have? If the worst happens, again, a widespread, non-malicious event that comes from a software update, whether it be from a security vendor or some other part of their technology supply chain, you can't always just assume that insurance is going to pick up the tab or all of the tab.
In this particular situation, as Matt, I think, highlighted, given the intricacies and the issues around retentions on some of these policies, some of them won't have been able to extract really any recovery from their policies because it would have been a relatively short and sharp outage for them, but nevertheless, a costly one. So, what other remedies do they have beyond that of insurance that they can call upon in the event of a similar outage in the future? So yeah, contractual arrangements, and then looking at a broad vendor base and how they protect themselves from these sorts of events going forward. Matt?
Matt Chmel:
Yes, Alistair, I would agree with you. From speaking with many of the insurers, because of various waiting period retentions on policies, after... And we're still very much in this. The dust is settling. Insurers are going to be able to absorb this event within their books of business. We're still seeing a very competitive landscape in the US in terms of cyber insurers wanting to quote business, wanting to retain business. We have seen insureds ask our insurers a handful of questions around the CrowdStrike uses, around the response, around the potential impact to their organization because of the event. But going forward, I think we're going to see a very healthy market going into the Q4 of 2024 and into 2025. Probably low to mid-single digit decreases still on the majority of policies. Obviously, there's going to be some outliers there in terms of loss, loss incurred accounts encouraged with maybe not the best controls that insurers are looking for.
But from a general sense speaking, there is still ample capacity. About 20 percent of our clients are still purchasing additional limits, really due to their investment in cyber modeling, figuring out what their potential loss and exposure could be. Insureds are looking to broaden and enhance their coverage. Insurers are taking a diligent approach in terms of underwriting. Many incumbent insurers want to maintain their current books of business, so they're being aggressive on the renewal basis, but then also trying to get on new programs as well too. So I think going into 2025 and wrapping up 2024, we're still going to see it really be a buyer-friendly market in terms of the cyber insurance landscape as we are currently in right now.
Sabba Manyara:
Great. Thank you so much both for joining us today, Matt and Alistair. Great discussion. It sounds like while the CrowdStrike outage was a very impactful event and highlighted the potential for significant losses to the insurance market and to organizations globally, it was more of a near miss in this instance, and the market is still looking very healthy. And our clients, while many were impacted significantly, can still expect positive outcomes from the cyber insurance market.
So that's our show for today. Thank you all for listening. In the next months, we'll have more discussions on cyber hot topics as well as episodes on workforce resilience, risk transfer, and more. Until next time.
Outro:
Thanks for tuning in to the latest episode of “On Aon” with our episode host, Sabba Manyara and today’s experts, Matt Chmel, and Alistair Clarke, for a discussion on the CrowdStrike outage. If you enjoyed this episode, don’t forget to subscribe wherever you get your podcasts, and stay tuned for our next conversation featuring industry experts bringing you the latest on topics, including climate risk, workforce wellbeing, ESG trends, and much more. Be sure to check out our show notes and visit our website at Aon dot com to learn more about Aon.