Although having a limited direct impact on captives, the recent CrowdStrike incident will likely lead to more companies assessing the possibility of utilising their captives to write cyber risk.
On Friday 19 July, as part of regular operations, CrowdStrike released a defective “rapid response content” update to its endpoint detection and response (EDR) tool “Falcon” on Microsoft Windows devices.
More than 7,000 flights were cancelled or delayed, and disruptions were felt across important infrastructure sectors such as healthcare, retail, financial services, and hospitality.
However, a recent report by Guy Carpenter has estimated that fewer than 1% of companies globally with cyber insurance were directly impacted by the event.
Guy Carpenter initially estimated CrowdStrike losses between $300 – $1bn.
With a fix quickly introduced, many organisations had the opportunity to mitigate the outage before the waiting period expired for business interruption claims, which typically range between four to 12 hours in cyber insurance policies.
“Most companies managed to apply patches within 12 hours, and many of the waiting periods are minimal—around 12 hours or even longer,” Celso De Azevedo, barrister at Enterprise Chambers, told Captive Intelligence.
“Because of that, a lot of the cyber insurance policies did not have to respond.”
There remains uncertainty concerning where losses will ultimately fall, and which cyber or errors and omissions policies will cover cedents for claims.
“This event will trigger different lines of insurance, including cyber and errors and omissions,” said Jonathan Hatzor, co-founder and CEO of Parametrix.
“I assume that we’ll see some errors and omissions claims from this event, and some of which are insured partially or fully insured by captives.”
Meike Röllecke, head of cyber and financial lines at HDI Global, said that whether a cyber policy will cover insureds for this event will depend on its specific terms and conditions.
“Particularly, business interruption and system failure coverage may be considered when evaluating claims related to the CrowdStrike incident,” she said.
Many companies with cyber insurance will not be covered by this type of event.
“I’d say that if this type of risk is covered, it’s likely going to be covered inadvertently,” said Ryan Dodd, CEO of Intangic.
“We are probably going to see disputes over the wording when it comes to claims being paid out.
“My guess is that we will not see a lot of claims for this, but when they do come, there’s a lot of debate over how the policies are interpreted.”
Azevedo said there is still a lot of speculation, and we will not truly know the full impact until we get more data on the event.
“In the next three to six months, we will start seeing some figures on what actually happened and what claims have been advanced,” he said.
Up until a couple of years ago the cyber market was experiencing a prolonged period of rate adjustment where triple digit increases were not uncommon, largely because of several expensive ransomware claims.
Rates and capacity have since vastly improved, with a WTW cyber market update noting that the first quarter of 2024 saw “exceptionally favourable” conditions for purchasers.
“The cyber market saw substantial improvements in rates and pricing, alongside a diverse array of policy options becoming available,” the WTW report said.
“There was a significant persistence of capacity which fuelled highly competitive market conditions, continuing the trend from the latter half of 2023.”
Röllecke said that in general, there is capacity available in the cyber markets.
“Captives are a good contribution to this and underline the risk awareness of clients willing to carry a part of their exposure on their own,” she said.
“For companies with strong cyber prevention and security measures in place, more attractive conditions can possibly be offered.”
Azevedo said he believes that reinsurers will try to keep premiums down following the event.
“Instead of significantly increasing premiums, they often reduce coverage,” he added.
“If it’s true that there will be say $4bn in uninsured losses, it certainly affects the reinsurers’ position regarding expanding coverage.”
Hatzor said that the CrowdStrike event should improve general understanding of managing service provider dependency risk.
“Companies will start assessing the service providers they are using and understanding the risk associated with each service provider,” he said.
“This will involve checking what sensitive information the service provider has access to and understanding whether the service provider is critical to their operations.”
The role for captives
As companies come to terms with the fallout from the CrowdStrike incident, more firms may look towards utilising captives for gaps in cyber coverage.
“The more companies feel like the insurance market is not meeting their needs, the more willing they’ll be to take on the risk within their captives,” said Dodd.
“I do not believe there’s an insurance market where you can buy risk transfer for something like a software outage or systemic failure – I don’t think it exists.
“While it might sound strange to say, this will likely expand the role of captives. Those already utilising captives are likely going to allocate more risk to them.”
The CrowdStrike incident will have educated many captives and their parents on the potential risks associated with business interruption caused by technology issues rather than malicious actors.
“From a traditional standpoint, how do we even assess or understand this risk when there was no breach?” Dodd said.
“The issue we are seeing now is how the interdependence of all these different software systems has revealed how fragile things really are.”
Dodd said the number one topic from a captive perspective is realising that they may need to rethink the level of risk they carry due to technology.
“First, how do we better understand and assess that risk? Because while hacking might still be a major concern, this has highlighted that there’s more fragility in our technology risk than we initially thought,” he said.
“Going forward, the second issue will be: How do we assess, manage, and understand that risk within the captive framework?”
Dodd said that if firms are going to put cyber into a captive, it is important to have a way where the captive and the security teams are communicating.
“Even on something that caused this, if the security team and the risk team are not really communicating, it could lead to even bigger problems,” he said.
Andy Miles, founder and CISO at QRI, said his firm has seen a 42% uptick in inbound inquiries over the summer.
“People were saying, ‘Well, that happened, it didn’t affect us, but what if? What do we need to do?” he told Captive Intelligence.
“This has definitely prompted boards, risk committees, and audit teams to stand up and start asking those important questions,” he added.
Röllecke said captives are a good contribution to the established markets and underline the risk awareness of clients willing to carry a part of their exposure.
“In general, we see an increase in utilising captives in cyber, mainly in excess positions but also more and more in primaries,” she said.
“However, we currently cannot observe an increased captive involvement driven by the CrowdStrike event.”
DORA and NIS2
Miles said from his perspective, many boards, including some non-executive directors do not fully understand their obligations in the cyber and information security domain, despite it being a requirement of Section 174 of the Companies Act 2006 in the UK.
“Now, that’s not entirely their fault and, in my experience, even seasoned external auditors often do not understand the questions they’re asking,” he said.
“We’ve been communicating in the wrong language, and as a result they’re not grasping the full scope of the risk.
“What we need is a paradigm shift, where we (CISOs) start talking about risk in a way that resonates with them.”
There are policies requiring firms, including captives, to enhance their digital operational resilience (OpRes) and cybersecurity.
The Digital Operational Resilience Act (DORA) was adopted in November 2022, and firms must comply with its requirements by 16 January 2025.
“It requires firms to be capable of withstanding, responding to, and recovering from ICT-related disruptions and threats,” Miles said.
NIS2 became EU law in early 2023 and EU member states are required to transpose the directive into respective national legislation by October 17 this year.
“This law mandates that if a company is either an essential or important supplier in the European supply chain, they need to meet specific cyber and information security standards, and there’s also a clear reporting structure in place,” Miles said.
“DORA is essentially the equivalent of GDPR, but on steroids with cyber and information security and OpRes included, especially given the current turmoil in the markets.”
Miles said that captives should look outside of their immediate operations as DORA imposes specific requirements on all ICT services contracts, not just outsourcing contracts.
“This means any contract involving ICT services, whether internal or external, must be reviewed to ensure compliance,” he said.
Miles said some boards, especially those without well-established risk and audit committees, such as smaller operators or captives reliant on CrowdStrike, may have overlooked their OpRes plans.
“This is a critical issue because cyber risk is part of a much broader operational resilience framework,” he said.
“This is exactly why DORA was introduced and is aiming to address next year, ensuring that organisations have comprehensive plans in place to manage these risks.”