港澳图库

The world grappled with a large technical outage this past July, impacting less than 1%¹ of worldwide devices. Among the businesses impacted were Microsoft Windows users in key industries comprising critical infrastructure, including healthcare, airlines and banking. The event was caused by CrowdStrike, a cybersecurity solutions provider, inadvertently introducing a logic error into one of its software products, Falcon.

As we contemplate the impact and aftermath of the CrowdStrike event, it’s natural to wonder: what are the major takeaways from this event for risk managers, cyber insurers, boards and cybersecurity professionals?

The CrowdStrike event was a paradoxical cyber failure—but that doesn’t mean we should abandon basic cybersecurity principles.

Cybersecurity can be inherently paradoxical: effective security measures can so complicate users’ experience that they become incentivized to find work arounds that serve to undermine security, or a layered security approach intended to provide depth of defense can itself introduce potential vulnerabilities if each layer is not managed properly.

Such a paradox was the CrowdStrike/Falcon event of July 2024. It was not perpetrated by a “Mr. Robot”-type of hacker seeking a malicious outcome, but by earnest efforts to improve cybersecurity for a certain software. Specifically, the fix was a sensor configuration update for Microsoft Windows hosts intended to target “malicious named pipes,” which are communication channels that malware can create for malicious communication between systems of a compromised network. The fix, however, had a logic error that triggered crashes of multiple Windows-dependent operating systems. Especially ironic is the fact that CrowdStrike’s software would likely not have been present on a given business’s physical or virtual machines unless that business was vigilantly implementing a healthier cyber environment for their businesses and their employees.

While the insurance industry and cybersecurity experts recommend regular patching practices, there is a downside—including errors that can lead to potential outages and system failures. The risks derived from abandoning patching, however, are far greater: the major cyber events of the last three decades were largely due to malicious intent rather than human error. The fact is, endpoint detection and response (EDR) tools like CrowdStrike’s Falcon are instrumental to an organization’s cyber security. It would be counterproductive if security teams decided to terminate relationships with EDR providers because of the way this event unfolded.

Bad code or malicious code is bad, but not the only thing compounding the issues of cybersecurity.

Computation is a physical process whereby humans or machines write physical code. In his book, Fancy Bear Goes Phishing², Professor Scott Shapiro has written about the fact that cybersecurity is not only shaped by the type of computational code produced by white hats and black hats, but also by the social, political and institutional codes that define the world around us—including the cultural codes that have invisible and sometimes unknown holds on us (e.g., morality, religion, social norms, corporate policies, codes of ethics). A challenge for businesses and cyber professionals is navigating these factors, which Shapiro deems upcode. A good example is the attribution of a cyberattack: attribution goes far beyond any forensic computational proof; it is complex and intertwined with political, legal, contractual and cultural rules. There’s not much a single insurance carrier or risk manager can do to clarify attribution in an unclear world.

Similarly, events like this recent one highlight the fact that both computational code and upcode influence the cause and impact of a cyber event. Patching is simply fixing computational code and patch management is important for many reasons, including security, compliance and conformance. But the underlying reason for patching is that the software we create, buy and use is imperfect—sometimes due to mistakes, other times due to changing environments, incomplete requirements or concurrency issues. We often accept that software must have such limitations and that, at times, how the software supply chain risk will impact any single organization will remain a mystery. The CrowdStrike event highlights that what may need to change, beyond tooling and hygiene at the individual business level, is an important aspect of upcode: governance concerning how software is created, implemented, sold and authenticated.

One particularly exciting recent development comes from the National Cybersecurity Strategy of the US Government, which strives to use its influence to alter the behavior of software producers. The National Cybersecurity Strategy urges that the responsibility for cybersecurity should move from software users to software creators. One of the proposed requirements is that all software vendors must attest that they developed their software in accordance with NIST 800-218, the Secure Software Development Framework (SSDF)³. While adoption of 800-218 would not necessarily have prevented the CrowdStrike event, it potentially reduces and mitigates vulnerabilities in published software and thereby complements and reinforces the cybersecurity practices deployed at the business level. While there are some things that can be solved by tools and insurance, others must also be solved at a political, cultural, legal and government level.

This event validates the cyber insurance value proposition.

Cyber insurance is in a liminal position between how the world works and how it could be better. The product aims to respond to real-world conditions and events like this one—solving not only losses in the aftermath of an event, but by also providing real-time risk mitigation as well as dynamic and meaningful coverages. Every systemic event lets insurers validate their understanding of catastrophic losses and the value of its product offering.

Moments like these don’t come often. The public is often haunted by media stories of cyberattacks’ formidable potential and apparent frequency. But the truth is less “Hollywood.” Malware (or for that matter, patches with defects) is not rampant across multiple operating and technological platforms. For example, while undeniably global, the CrowdStrike event has caused one platform to impact one operating system—albeit a very large one with many users. This reflects the reality of our world: the diversification of software and hardware inherently limits the contours of any single cyber incident. Today, the total economic insurable losses from the CrowdStrike incident are currently projected in the $400 million to $1.5 billion range, according to various models⁴. The losses are not negligible, but perhaps less catastrophic than seemed likely at the time of initial impact, especially for a global event.

Cyber events do not have the advantage of advanced weather forecasting like some natural catastrophes. Under current circumstances, carriers could not have seen this particular event coming—and yet they anticipated the type of event as per the system failure coverage it offers, which not only rightly contemplates that outages will happen but also incentivizes insureds to employ regular patch management practices.

There will be a time when the actual losses from the CrowdStrike event are trued up against the projections and predictions of our industry, and we will square those up and improve predictive analytics. As for now, paying losses stemming from this event indicates that the insurance is properly understanding the reality of the risk. We offer a product that we thought people would need; it turns out, they very much do.

Just as cyber risk is not specific to cyber insurance, cybersecurity is not separate from our insureds’ businesses.

Finally, the world dependency on digital technologies is not waning; it’s increasing. To quote one famous dictum, “Software is eating the world.” From my vantage point, I foresee the addition of software in all companies that insurers underwrite, especially with the proliferation of Generative AI. Given this fact, cybersecurity is increasingly a board-level issue. When there is no longer a clear delineation between what is and isn’t a tech-powered business, insureds’ businesses will be impacted by cybersecurity issues. Period.

With technology pervasive in our daily lives and businesses, it would be foolish to think that its adoption has no impact on the suite of risk transfer products our customers buy. Of course it does, and all industry efforts to clarify things in our insurance contracts come down to this simple observation: Cyber is a specific insurance product that covers many, but not all, aspects of the operational risk of a cyber incident, but “cyber” or “cyber risk” also can be a peril or a cause of loss for other non-IT functions of a business. For non-Cyber insurance products, it’s likely that a cyber event will be a “prime mover” to other events: an SEC investigation, a stock drop, a loss of life, a broken contract, a promise unfilled. These types of losses will stick to the traditional insurance products. It's time for the market to wake up to this reality—and start to future-orient around it. Boards, risk managers, and underwriters must now gain a thorough grasp of the firm's cybersecurity and technology strategies, better evaluate the impact of cyber incidents across departments and disciplines, and more accurately gauge the business’ exposure to technology supply chain risks.

¹MSN. (n.d.). Microsoft Says 8.5 Million Devices Were Impacted by CrowdStrike's Faulty Update
²Shapiro, S. J. (2023). Fancy bear goes phishing: The Dark History of the Information Age, in Five Extraordinary Hacks. Farrar, Straus & Giroux.
³. (2023).
⁴CyberCube. (2024, July 25). . Blog. Retrieved August 6, 2024.

This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. This document cannot be assumed to contain every acceptable safety and compliance procedures, or that additional procedures might not be appropriate under the circumstances. 港澳图库 does not guarantee that this information is or can be relied on for compliance with any law or regulation, assurance against preventable losses or freedom from legal liability. This publication is not intended to be legal, underwriting or any other type of professional advice. Persons requiring advice should consult an independent adviser. 港澳图库 does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, 港澳图库 does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content.

© 2024 港澳图库 Service, Incorporated. All rights reserved.