Cybersecurity software update causes widespread outages

Organisations worldwide are grappling with significant disruptions due to a cybersecurity software update that has triggered widespread outages. The incident began at 4 AM UTC / 5 AM BST on July 19 and is affecting multiple sectors across the globe. The source of the disruption is an update to the CrowdStrike Falcon endpoint detection and response (EDR) tool, which has caused a series of blue screen of death (BSOD) failures on Windows workstations and servers.

CrowdStrike, a leading player in the EDR market with approximately 17% market share as of 2022, has since reverted the problematic update. According to CrowdStrike, Windows machines brought online after 5:30 AM UTC / 6:30 AM BST are not expected to be impacted. They have also released workarounds to address the issue; however, these solutions may not be effective on all systems, particularly those using BitLocker encryption. As a result, some organisations may face a lengthy recovery process, with manual intervention potentially required for each affected machine.

Luke Foord-Kelcey, Global Head of Cyber at Howden Re, commented: “This mass outage will certainly be felt by the Cyber insurance market. However, the full extent of the impact will only become clear over the coming days as we are able to take stock of how rapidly the fixes have been able to be implemented and whether the resulting business interruptions have exceeded the policy waiting periods – and if so, by how much.

Certain segments of the market seem to have been impacted more than others. For example, Australia experienced the worst of the impact during their working day, potentially leading to more significant ongoing consequences. Similarly, the Air Transport sector, which typically takes longer to recover from outages, is also heavily affected. At Howden we maintain an industry exposure database for the Cyber market, covering around USD 9 billion (or 65%) of gross written premium. Our data suggests that Australia accounts for just over 2.5% of Cyber GWP, and the Air Transport sector (including airlines, airports and couriers) a little under 0.5%, with exposure figures [limit deployed by insurers] broadly in line with this.

Given that this is a non-malicious cyber event caused by a failed patch from a third-party vendor, it may trigger Systems Failure Business Interruption-type insuring clauses, subject to waiting periods typically in the region of 8-12 hours.”

Harriet Gruen, Head of Cyber Threat Intelligence at Howden Re, said: “As the (re)insurance industry continues to assess the full implications and root causes of this mass IT outage, the incident reveals far-reaching dependencies inherent in global digital infrastructure. Recent years have seen a dramatic improvement in our industry’s understanding of cyber risk, leading to more nuanced insurance coverages. However, this incident underscores the evolving nature of cyber and IT risks and the need for continued investment in developing more sophisticated exposure management tools and techniques.”

Luke Foord-Kelcey continued: “Greater awareness of the systemic nature of cyber risk – and growing market consensus on what constitutes a systemic cyber catastrophe loss – has spurred significant interest in cyber cat structures, with continued product uptake observed in 2024. This mass outage will only serve to accelerate the interest in cat-focused reinsurance programmes.”