A new report suggests the largest direct financial losses will likely be suffered by Fortune 500 companies in the healthcare and banking sectors.
One in four Fortune 500 companies were impacted by the Crowdstrike IT outage last week, which cost them an estimated $5.4bn according to a new report.
The estimate provided by cyber insurance company Parametrix yesterday (24 July) excludes any financial losses incurred by Microsoft – which was more directly interconnected with cybersecurity provider Crowdstrike.
The outage occurred on 19 July and quickly grew into a global crisis, with various sectors – most notably airlines, banks and healthcare – being severely disrupted after an outage caused Microsoft computers to shut down.
It was quickly linked to a flawed cybersecurity update from Crowdstrike and by the afternoon, the company had issued a fix and assured users that it was not a cyberattack. CEO and president George Kurtz apologised for the outage and noted the “gravity and impact of the situation”.
According to the Parametrix report, the largest direct financial loss will be suffered by Fortune 500 companies in the healthcare sector followed by banking. Together, they will likely take more than half the loss despite accounting for only a fifth of Fortune 500 revenues.
“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries,” said Jonathan Hatzor, co-founder and CEO of Parametrix. “It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimise the potential impacts of systemic cyber risk.”
What happened?
In a post-incident review, Crowdstrike said the crash happened due to a bug in its system, which allowed “problematic content data” to pass validation.
“Based on the testing performed before the initial deployment … trust in the checks performed in the content validator, and previous successful IPC template instance deployments, these instances were deployed into production,” the report read.
“When received by the sensor and loaded into the content interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash.”
Crowdstrike said it has laid out plans to ensure a similar issue can be prevented, including additional validation checks and improved testing by using testing types such as local developer testing and content update and rollback testing.
It also stated it will implement a “staggered deployment strategy” in which updates are gradually deployed and closely monitored to help guide a more phased roll-out.
Hatzor said that the cyber insurance industry should focus on controllable areas such as mapping and managing aggregation risk.
“By understanding these points, we can evaluate key exposures and mitigate both malicious and non-malicious threats,” he said. “This proactive approach enables better underwriting decisions and effective risk-transfer solutions to manage systemic risk.”
However, IT experts have raised concerns about the increasing likelihood of such events when behemoths such as Microsoft and Crowdstrike are connected to so many devices that are, in turn, connected to so much critical infrastructure.
Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.