10 September 2024 | Technology

Vulnerabilities & insurance challenges exposed by the CrowdStrike outage

On July 18 a routine update to cybersecurity firm CrowdStrike’s Falcon Sensor software led to a global outage affecting millions of Windows devices. What unfolded was a series of events the insurance industry can and must learn from, say experts.

Despite initial concerns that the issue might have been the result of a malicious attack, CrowdStrike dispelled the rumours in a statement attributing the outage to a faulty update.

The Falcon platform is designed to deliver accurate threat detections, automated protection and remediation, according to global broker Aon. 

However, the software update proved to be faulty, triggering widespread disruptions across various Windows devices, risk analytics specialist CyberCube reported in a July update titled “CrowdStrike Fallout Underscores How Single Point of Failure Technologies Create Widespread Disruption”.

“The failure proved to be problematic as, unlike a malicious attack, the update, which was trusted by networks, could skip the initial access hurdle and many other kill chain steps and avoid protective, defensive measures designed to thwart threat actors,” stated Moody’s in a July update, “Navigating the Recent CrowdStrike Update Crisis”. 

The faulty update left Windows users with what is known as a “blue screen of death” (BSoD) and an inability to use their endpoint, stated Acrisure Re, the reinsurance broking arm of Acrisure, in a July statement. The BSoD is Windows’ protective response to an unrecoverable fault in kernel-mode code: it halts all operations rather than let the faulting component damage the operating system further. While the update was intended to enhance security, it inadvertently included a logic error in a configuration file, resulting in the BSoD, reported CyberCube. Because the Falcon sensor runs as a kernel-mode driver, a fault in it brings down the whole operating system rather than a single process, and the machine crashed again on every reboot as soon as the sensor reloaded the bad file.


Impact and scale

The outage had a particularly significant impact because the only known fix involved manually deleting a specific file from a folder on each affected machine, reported Moody’s. Reaching that file required booting the machine into Windows Safe Mode, a diagnostic environment that loads only a minimal set of drivers and services so that the machine can be repaired or restored.

However, Moody’s noted that the BSoD loop prevented normal access to the affected systems and hindered users trying to reach and delete the necessary file. Getting into Safe Mode was further complicated by enterprise security measures that impede easy access to it, according to Moody’s. As a result, users were often unable to reach the local file system to delete the problematic file, so IT staff had to intervene manually, typically with administrative credentials on the machine itself, which made remote fixes difficult, Moody’s explained.
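The manual procedure described above, as an added example that is not from the article, from CrowdStrike or from any of the firms quoted: a PowerShell script an administrator runs from an elevated prompt after booting the endpoint into Safe Mode. It assumes the affected file sits under `<SystemDrive>\Windows\System32\drivers\CrowdStrike` with a name matching `C-00000291*.sys` (the path and pattern used in CrowdStrike’s published workaround, stated here as the example’s assumption) and that the system volume is reachable. The “enterprise security measures” Moody’s alludes to most commonly meant BitLocker full-disk encryption, which leaves the volume locked until the 48-digit recovery key is supplied, so the script checks for that first rather than failing on an opaque path error.

```powershell
# Added example (not the article's or CrowdStrike's code): remove the faulty
# Falcon channel file from a Windows endpoint booted into Safe Mode.
# Assumptions: driver directory <SystemDrive>\Windows\System32\drivers\CrowdStrike,
# file name pattern C-00000291*.sys, run as a local administrator.
param(
    # Drive letter holding the Windows installation (in WinRE it is often not C:).
    [string]$SystemDrive = $env:SystemDrive,
    # Pass -WhatIf to log what would be deleted without deleting anything.
    [switch]$WhatIf
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
$pattern   = 'C-00000291*.sys'   # assumed channel-file name pattern

# 1. A BitLocker-protected volume that is still locked cannot be read or written.
#    Detect that case explicitly and tell the operator what is needed.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $SystemDrive -ErrorAction SilentlyContinue
    if ($vol -and $vol.LockStatus -eq 'Locked') {
        Write-Error ("Volume {0} is BitLocker-locked. Unlock it first, e.g. " +
                     "Unlock-BitLocker -MountPoint {0} -RecoveryPassword <48-digit key>") -f $SystemDrive
        exit 2
    }
}

# 2. Nothing to do on machines without the sensor installed on this volume.
if (-not (Test-Path $driverDir)) {
    Write-Host "No CrowdStrike driver directory at $driverDir; sensor not installed here."
    exit 0
}

# 3. Find the offending channel file(s). -Filter matches on name only.
$bad = Get-ChildItem -Path $driverDir -Filter $pattern -File -ErrorAction SilentlyContinue
if (-not $bad) {
    Write-Host "No file matching $pattern under $driverDir; nothing to remove."
    exit 0
}

# 4. Record size and hash before deletion so the change is auditable afterwards,
#    then remove the file. -Force is needed because the file is normally protected.
foreach ($f in $bad) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Host ("Removing {0} ({1} bytes, SHA256 {2})" -f $f.FullName, $f.Length, $hash)
    Remove-Item -Path $f.FullName -Force -WhatIf:$WhatIf
}

Write-Host "Done. Reboot normally; the sensor will start without the faulty channel file."
```

Run it once per endpoint, for example `.\Remove-BadChannelFile.ps1 -WhatIf` to preview and then again without the switch. The script cannot be pushed remotely to a machine stuck in the crash loop, which is exactly the point the brokers make: every affected endpoint needed a person with administrative rights, and often a recovery key, in front of it.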

Global disruptions

The global implications of the outage were not immediately apparent as the software used a “follow the sun” model where updates were deployed regionally, reported Moody’s. In this instance, the initial disruptions from the outage began in Australia before cascading westward towards the US. Moody’s added that the timing of these updates and the state of devices during the update window significantly influenced the extent of the impact.

Due to the scale and number of the companies dependent on CrowdStrike software, the outage is estimated to have affected 8.5 million Windows devices, reported Aon. The company claimed that CrowdStrike is involved with about 300 of the Fortune 500 companies, six out of the top 10 healthcare providers, eight of the top 10 financial services firms, and eight of the top 10 technology firms, further extending the impact of the event. 

Acrisure Re stated that in total, more than 20,000 companies use CrowdStrike Falcon in conjunction with Microsoft, and many managed security service providers license CrowdStrike for their clients. 

Almost all industries experienced disruptions as a result of the outage, claimed CyberCube. Affected industries ranged from financial institutions, healthcare providers, and transportation networks to companies in manufacturing and IT. However, the event caused an especially outsized exposure in the aviation, banking and retail sectors, said CyberCube.

Industries dependent on continuous availability of systems were particularly vulnerable during the outage, Moody’s reported. As a result, airlines and hospitals were at risk as the inability to access vital systems led to business interruption (BI) and potential claims.

The air travel industry had more than 3,000 flights cancelled, and a reported 23,900 flights delayed, reported Aon in a July briefing called “CrowdStrike/Windows Event Briefing”. Healthcare providers experienced disruptions as elective hospital procedures and procedures that required anaesthesia were delayed. 

Some emergency call centres in the US were impacted by the outage, stated Aon. The banking sector experienced disruptions with some banks in the US reporting login issues and trades being delayed on the stock exchange because bankers were unable to access their work systems, according to Aon. 

Insurance implications

The CrowdStrike outage may be the “most significant cyber accumulation loss event since NotPetya in 2017”, reported Aon. However, the total financial impact remains uncertain and will largely depend on the extent of coverage for system failures, which varies across the market. It is also necessary to consider the time required for successful manual remediation at each affected organisation compared to the waiting periods outlined in their cyber policies.

The primary victims of the outage were predicted to be household names due to CrowdStrike’s widespread usage, according to Acrisure Re in a July statement. CrowdStrike has an estimated 20 percent market share for cybersecurity among large companies and 50 percent of Fortune 500 companies and as such, the event was felt most acutely in the large and mid-market corporate space, Acrisure Re claimed. 

According to Acrisure Re, most cyber insurance policies cover both malicious and non-malicious events, with BI and dependent business interruption (DBI) coverage typically extending to incidents involving IT vendors. Some policies include DBI coverage for non-IT vendors. Acrisure Re noted that insurers might have anticipated further losses had the manual fix required on each individual endpoint not been universally successful, since such failures could lead to greater BI losses than the cost of simply replacing a device.

Moody’s added that since insurers frequently require endpoint detection and response solutions for underwriting policies, enterprises using CrowdStrike were more likely to have cyber insurance. However, the specifics of coverage and the terms of individual cyber policies can vary significantly when it comes to making claims.


Lessons learned

Beyond the initial system failures leading to primary business interruptions, Moody’s noted that another significant impact was the downstream disturbances experienced by enterprises that did not use CrowdStrike but depended on the availability of systems affected by the outage.

As a result, the event underscores the risks associated with single points of failure and systemic exposures among SMEs, according to Acrisure Re.

At an individual risk level, Aon expects this event to lead to increased scrutiny of system failure coverage and BI waiting periods. On a portfolio level, Aon views the incident as a chance for the market to enhance the specifics of policy information, facilitating more nuanced event loss estimation and accumulation scenario analysis.

Moody’s characterised the incident as a “stark reminder of the delicate balance between maintaining security and stability in our increasingly interconnected and complex digital landscape”.
