Warren Buffett and Berkshire Hathaway's top insurance executive warned this year about the potential for massive losses from cyber insurance policies.
"That aggregation potential can be huge, and not being able to have a worst-case gap on it is what scares us," he said."Insurers have been worried about something like what happened with CrowdStrike since cloud adoption happened," said Dale Gonzales, chief innovation officer at Axio, a cyber security risk analysis company.
"It will have an impact because there will be losses," said Glombicki,"but the modeling largely got it right. Mostly, we think the industry will handle it OK. There might be some issuers that mispriced policies," he added. Additionally, even though CrowdStrike is widely deployed, its market share, estimated at 17% by Fitch, is large but limited in total impact. Among the companies that did use CrowdStrike, the worst impacted seemed to be on businesses that need 24/7 availability, like hospitals and airlines, Glombicki said.
Wolff says the duration of the outages will influence the claims. Some businesses were out for hours; others were still struggling days later."It's possible that since some of these outages were shorter than what we saw after NotPetya, the claims may be smaller, at least in some cases," Wolff said. However, she points out that the CrowdStrike glitch significantly impacted businesses, which was not the case with NotPetya.
Gonzales says the primary claims will be for business interruption, which some policies specifically exclude anyway. But he does predict the CrowdStrike incident will cause litigation."Everyone exceedingly well understands fire insurance because it has been litigated to death," Gonzales said.