A recent global IT system crash caused by a CrowdStrike Falcon sensor update has ignited significant discussions on cybersecurity practices, vendor accountability, and the implications for cyber insurance.
CrowdStrike, a leading cybersecurity firm based in Texas in the US, released an update for its Falcon sensor on 19 July, causing system crashes on Microsoft Windows systems worldwide.
According to CrowdStrike’s website, the company supports nearly a dozen security and IT tools and partners with about 300 Fortune 500 companies, six of the top 10 healthcare providers, eight of the top 10 financial services firms, and eight of the top 10 technology firms.
The CrowdStrike Falcon platform protects endpoints, cloud workloads, identities, and data through real-time attack indicators and threat intelligence.
On 19 July, at 04:09 UTC, the sensor configuration update triggered a logic error, resulting in a system crash and blue screen of death (BSOD) on affected Windows systems. By 05:27 UTC, the issue was resolved. However, any systems that had downloaded the update between these times experienced crashes. The update did not affect Linux or MacOS systems.
Microsoft estimates that 8.5 million Windows devices were impacted. The crash had widespread effects because of CrowdStrike’s presence in critical services. The air travel industry saw more than 3 000 flight cancellations and nearly 24 000 delays. In healthcare, some US emergency call centres were affected, and elective procedures and medical visits were disrupted. The British healthcare system experienced issues with appointment and patient record systems. Financial institutions faced login problems and trading delays in the US, while South American banks struggled with unstable digital services.
ITWeb reported that companies in South Africa were not significantly impacted. A survey showed that 57% of local chief information officers reported no effect from the CrowdStrike outage, while 43% experienced issues primarily with their Microsoft systems. Despite the disruptions, 96% of affected PCs were back online shortly after, with the remaining expected to be operational within a few days.
CrowdStrike chief executive George Kurtz announced on LinkedIn last week that more than 97% of Windows sensors were back online as of 25 July, emphasising the firm’s dedication to restoring all affected systems.
A turning point?
In an opinion piece on TechCentral, Stephen Osler, co-founder and business development director at local cybersecurity specialist Nclose, described the global outage as having “sent shockwaves through the tech world”.
He explained that the incident’s significance stemmed from the scale of the software deployment and CrowdStrike’s possession of a Microsoft Kernel-Mode Code Signing Certificate, which allows quick deployment into the core of the operating system. While IT vendors often deal with problematic files, the severity here was unprecedented because of the kernel-level integration, making recovery particularly difficult.
Osler noted that the outage had sparked intense discussions about cybersecurity practices, vendor accountability, and the risks of centralised IT services.
“This incident could be a turning point for our industry. Vendor accountability, testing, and third-party risk management all come into play. The CrowdStrike outage has opened a can of worms, and only in the coming weeks will we be able to answer key questions about it,” he said.
Insurance implications
Aon, a global professional services firm that provides a range of risk, reinsurance, retirement, and health solutions, recently provided a briefing on the CrowdStrike incident.
Aon urged companies to assess their third- and fourth-party exposure to this incident.
“Even if your organisation was not impacted or has been remediated, there may be external parties your organisation relies on that remain affected. Understanding those relationships is important. Companies should have a proactive plan for gaining visibility across the supply chain in addition to considering scenarios that may impact operational resilience of the supply chain,” Aon advised.
According to Aon, because the incident is reported to be non-malicious, “system failure” coverage within cyber re/insurance policies is the key loss trigger.
Business interruption, including loss of income and extra expenses because of system failure, is expected to be the most affected area, subject to waiting periods.
Dependent business interruption, data restoration, incident response, and voluntary shutdown costs may also contribute to re/insured losses.
“At the individual risk level, Aon expects this event to trigger greater attention to system failure coverage grants and business interruption waiting periods.
“At the portfolio level, Aon sees this event as an opportunity for the market to react by improving granularity on codifying policy information important for understanding portfolio accumulation risks stemming from certain coverage grants, to allow more nuanced event loss estimation and accumulation scenario analysis.”
Aon stated that this incident is likely to be the most significant cyber accumulation loss event since NotPetya in 2017.
“However, the overall loss quantum is currently uncertain and will primarily depend on the prevalence of coverage for system failure, which varies across the market, and the duration until successful manual remediation at each affected insured, versus the applicable waiting periods on their cyber policies.”