Dive Brief:
- Parametrix said the global IT outage linked to CrowdStrike will likely cost the Fortune 500, excluding Microsoft, at least $5.4 billion in direct financial losses, in a report released Wednesday.
- Cyber insurance will only cover 10% to 20% of the losses, based on large risk retentions and policy limits at many companies, according to Parametrix. CyberCube estimates the cyber insurance market will face preliminary insured losses of between $400 million and $1.5 billion, potentially the single worst loss in the cyber insurance sector over 20 years.
- Parametrix expects the healthcare sector to see the biggest impact among industries, with $1.94 billion in losses after three-quarters of Fortune 500 healthcare companies were impacted. Though banking was also hard-hit, with an estimated $1.15 billion in direct losses, airlines are expected to have the highest per-company costs.
Airlines are expected to see the highest per-company costs following the outage
Dive Insight:
The estimated financial losses highlight the dependence of major global companies and other organizations on interconnected technology, including cloud computing services.
The defective software upgrade in CrowdStrike’s Falcon platform led to outages affecting more than 8.5 million Microsoft Windows devices. Though that is less than 1% of total Windows devices, its impact was far-reaching.
“This outage highlights the need for a comprehensive approach to risk management beyond just focusing on security,” Jonathan Hatzor, co-founder and CEO of Parametrix, said via email. “Companies should thoroughly map their service providers and assess their dependency on each.”
Cyber insurance policies are the most likely to be triggered by the outage, according to Meredith Schnur, U.S. and Canada cyber practice leader at Marsh.
“System failure resulting from non-malicious acts, including human error, is widely available as part of a cyber insurance policy,” Schnur said via email.
Well-crafted cyber policies usually include business interruption, contingent business interruption and errors and omissions. However, given the scope of the outage, there could be impacts on other insurance lines, including directors and officers and property and casualty, Schnur said.
The outage directly impacted about one-quarter of the Fortune 500, or 124 companies, excluding Microsoft, according to Parametrix.
Nowhere was the CrowdStrike outage more apparent than in airports, as all six airlines in the Fortune 500 were impacted in some capacity, Parametrix said. The firm expects the average per-company loss to exceed $143 million. Delta canceled thousands of flights and struggled to regain operations, though other carriers had quicker recovery.
The Department of Transportation opened an investigation into Delta Air Lines after thousands of flights were canceled.
Southwest Airlines, however, said it was not directly impacted by the outage and had minimal disruption, according to a spokesperson. The airline uses a variety of endpoint security protections, but would not disclose details and has worked to upgrade its technology, the spokesperson added.
Fitch Ratings on Monday said the outage was unlikely to have a material impact on the financial results of global insurers.
Fitch estimates the outage would lead to a mid-to-high single-digit billion-dollar impact on the industry, with the biggest impact on business interruption, contingent business interruption and cyber insurance lines.