Briefing: Why the Crowdstrike IT outage is a ‘wake up call’ for the insurance industry

One of the biggest global IT outages to date occurred on 19 July 2024.

The incident was caused by a supposedly faulty software update from American cyber security firm Crowdstrike – it affected around 8.5 million Windows hosts, with global incurred losses estimated at around $1.5bn (£1.16bn)

Banks, airlines and hospitals ground to a halt as a result of the outage.

Following this, on 30 July 2024, Microsoft experienced an outage that lasted 10 hours. This was caused by a cyber attack that affected its cloud computing platform Azure and Microsoft 365 services.

According to the Digital Adoption Report 2023, published in November 2023 by Insurance Times and Applied Systems, 45% of brokers have invested in their IT cloud infrastructure. 

This means that increased IT outages affecting cloud-based platforms and systems could have a significant impact on the insurance sector and be classed as an intangible risk. In fact, cloud outages have the potential to be even more damaging that the recent Crowdstrike example.

Jonathan Hatzor, chief executive of cloud and technology downtime insurance MGA Parametrix, told me: “Crowdstrike was not a mission critical service, but it took down a Microsoft suppression service.

“The losses we saw for Crowdstrike are not even close to the losses for a cloud outage.

”Crowdstrike shut down legacy businesses. The cloud, however, is a huge risk. It’s the most mission critical service for firms. But this isn’t really a risk that the insurance industry can prepare for.”

Hatzor described the Crowdstrike incident as a “wake up call” for the insurance sector due to the challenge of pinpointing cloud hosting services. Using property insurance to demonstrate this difficulty, Hatzor said: ”It’s impossible to insure a building if you don’t know the location.”

Remaining resilient

Michael Johnson, a freelance cloud infrastructure engineer, noted that most major organisations have an IT disaster recovery plan that aims to minimise “any impact on the business”.

Insurer Zurich, for example, told me that it continues to evolve its organisational resilience and incident response measures – it was therefore able to recover critical services following the Crowdstrike outage.

Darren West, chief information officer at Zurich, explained: “Our strategic direction remains to modernise and transform our application landscape to enhance security and resilience.”

Multinational data analytics and risk assessment firm Verisk also uses cloud infrastructure. Gareth Williams, its director of technology and architecture, said: ”Our backup and recovery processes are rigorously tested to ensure our teams and procedures are well prepared to restore services quickly in the event of any outage.”

Despite these proactive stances, Johnson warned that ”it’s not a given that [companies] will be able to control the impact of a major provider outage on the business” dependent ”on the services and regions that are affected”.

Vinod Singh, chief technology officer at software company Concirrus, agreed. Although he recommended that insurance companies should ”employ data redundancy, multicloud diversification and automated failover systems” to combat possible outage impacts, ”the reality is that no plan can cover every potential scenario without significant investment”.

Singh stressed that it was “crucial” humans sustained a role in business operations – despite being unable to ”maintain all business activities” compared to technology. He added that the Crowdstrike situation “underscores the need for a balanced approach”.

Broader impact

Theo Duchen, co-founder and chief executive of software house Acturis, believes the Crowdstrike incident could change cyber insurance question sets and raise additional queries around business interruption (BI) cover – such as who would pick up the tab for BI claims resulting from an IT outage?

He said: ”Cyber insurance only covers malicious issues, such as a hack, but [the Crowdstrike situation] wasn’t malicious.”

One thing is for certain – cloud engineers and firms like Parametrix play a vital role in outage incidents because it is impossible to prepare fully for such a wide range of unknown results.

However, having disaster recovery plans helps minimise the impact of downtime. This is definitely something the insurance sector needs to remain focused on as Crowdstrike’s outage could mark just the first of these types of incidents as technology continues to evolve and become further embedded in business operations.