You can be sure that Coalition will continue to take a nuanced approach to these topics in our efforts to sustainably protect unprotected organizations from increasingly pervasive digital risks . •
Still , despite the media hysteria and significant impact of these events , including the CrowdStrike outage , which has been called “ the largest IT outage in human history ,” we do not expect any to reach the levels of loss of natural catastrophe events that routinely impact the insurance industry . Our own modeling , leveraging our Active Cyber Risk Model , suggests a $ 0.96 billion industry-wide loss experienced by US cyber insurance policyholders at the upper bound prior to consideration of coverage limitations . Of course , any model of this event will also be highly sensitive to the least credible assumption ( most likely , the share of impacted systems ), which if reduced , would decrease our estimate to $ 0.27 billion ( or lower ).
In very small part , this is the result of impacted organizations being insured for amounts far lower than their actual financial losses , but also because the cyber insurance industry has the advantage of affirmatively covering cyber perils , including thoughtfully designing coverage to avoid large systemic risk aggregation . Cyber insurance cynics also routinely ( and massively ) underestimate the amount of technological diversification across organizations that limit the possibility for systemic loss , as well as the ability of organizations to quickly learn , react , and even cooperate with others to dramatically reduce the severity of losses . Attempts to analogize cyber catastrophes with natural catastrophes are profoundly misguided as a result . Case in point : the 8.5 million computers impacted in the CrowdStrike outage account for less than 1 % of computers running Windows , according to Microsoft , and represent an even smaller fraction of the estimated 10 billion + computer systems in operation globally . Many , although not all , organizations were able to recover within hours , if not days .
Cutting-edge cyber insurers like Coalition take advantage of massive data sets and analytical capabilities to more accurately model and assess common disaster scenarios . The model output is then used to determine how ( and if ) various scenarios can be covered and at what cost . The propagation of a defective software update from a commonly used software vendor has long been one such scenario used in our modeling . While many such failures , including this one , are unlikely to reach catastrophic levels , the failure of more ubiquitous software products very well could . This informs our approach and how we manage risk , with a goal to maximize coverage sustainably for our customers .
More broadly , across the cyber insurance marketplace , and particularly among those with lesser capabilities , we expect these concerns will more likely be addressed by changing and , in some cases restricting or excluding coverage . Some insurers have already introduced catastrophic or widespread loss sub-limits and exclusions that may limit or exclude coverage for specific cyber losses that impact a large number of organizations . Others are adding dependent or contingent business interruption sub-limits , exclusionary language that may apply to organizations that weren ' t direct targets ( but suffer consequences of a supply chain cyberattack ), or removing the coverage altogether , even if only temporarily .
Undoubtedly , this will continue to be a topic of great interest for ( re ) insurers , regulators , and the broader cybersecurity community as a mere fifteen companies worldwide account for 62 % of the market for cybersecurity products and services . The fallout from this event illustrates the very real public policy tension that exists between the benefits of economies of scale and the risks associated with concentration . We also expect that impacted companies and their insurers will pursue indemnification from CrowdStrike , whose liability remains to be determined .
You can be sure that Coalition will continue to take a nuanced approach to these topics in our efforts to sustainably protect unprotected organizations from increasingly pervasive digital risks . •
Joshua is the CEO and Co-Founder of Coalition . Prior to Coalition , Joshua was the CXO and Head of Special Projects at Cloudflare .
16 KANSAS INSURANCE AGENT & BROKER