BFL CANADA_2024 Crowdstrike Outage



2024 CROWDSTRIKE OUTAGE: A TECHNICAL & INSURANCE PERSPECTIVE

FOREWORD

The purpose of this whitepaper is to provide a clear picture of the CrowdStrike Outage (also known as CrowdOut) from a technical, financial, and insurance perspective.

Falcon is a platform developed by cybersecurity software provider CrowdStrike, and used by enterprises and institutions worldwide, including hospitals, banks, and airports. Falcon prevents all types of attacks, including malware, by combining next-generation antivirus, endpoint detection and response, cyber threat intelligence, and managed threat hunting capabilities.

To respond to the latest vulnerability discoveries, Falcon needs to be updated frequently, up to several times a day. In July 2024, one of the updates that CrowdStrike pushed to its clients introduced a bug on their devices, preventing clients from using them.

With the collaboration of a team of cyber risk engineers and cyber insurance experts, BFL CANADA Cyber Practice is pleased to present this article. Hopefully, it will demonstrate BFL CANADA’s commitment to support its clients in their cyber risk journey.

TECHNICAL REVIEW

On July 19, 2024, at 04:09 UTC, CrowdStrike developers made modifications to a channel file, leading to an outage affecting 8.5 million Windows devices (computers, servers, etc.). Channel files are used by Falcon to group a set of instructions for its agents (also called sensors), dictating how the agents deployed by Falcon on endpoints should operate (i.e. which actions are permitted or blocked on devices). These files are stored on the client’s computers (the companies’ own machines) and updated dynamically.

The file responsible for the outage was channel file 291, affecting only devices running Microsoft Windows 10 and later versions.

The issue stemmed from three primary factors: (1) an attempt to access a forbidden memory area of the system, (2) insufficient testing of the code prior to deployment, and (3) the level of access privileges granted to the Windows kernel driver.

The update to channel file 291 caused an infinite reboot loop, as the system attempted to access a forbidden memory area on the device, rendering the Windows device unusable.

From a technical perspective, variables, objects, and data structures are allocations of memory within computer systems, involving operations such as writing, reading, and executing. During program execution, the system reserves specific memory areas, some of which are protected. Any attempt to access these restricted areas triggers an error.

This was exactly what occurred with CrowdStrike. The CrowdStrike team failed to verify the correct memory allocation and attempted to write to a forbidden address (0x9C). Furthermore, the number of tests conducted on the code before release was insufficient, ultimately causing this major IT disruption.
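To make the defect class concrete, the following added example (not CrowdStrike code, and not the real channel file format) parses a constructed, hypothetical "channel file" whose header declares how many rule fields follow. The parser checks that declared count against the bytes actually present before reading any rule, which is the kind of verification the text says was missing; the malformed sample below is exactly the shape of input that such a check catches and that a unit test would have exercised before release.

```c
/* Added example, not CrowdStrike code. Constructed, hypothetical layout:
 * a 4-byte little-endian count of rules, followed by count 4-byte fields.
 * Every rule the header promises must lie inside buf[0..len) before the
 * parser touches it; otherwise the read would run past the buffer, the
 * class of invalid memory access described in the text. */
#include <stdint.h>
#include <stddef.h>

#define HDR_SIZE  4u
#define RULE_SIZE 4u
#define MAX_RULES 256u   /* sanity cap for this toy format */

enum parse_status { PARSE_OK = 0, PARSE_SHORT_HDR, PARSE_TOO_MANY, PARSE_TRUNCATED };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validates the header against the real buffer size. Writes the rule count
 * to *out_count only when the whole declared payload is present. */
enum parse_status validate_channel_file(const uint8_t *buf, size_t len, uint32_t *out_count) {
    if (len < HDR_SIZE) return PARSE_SHORT_HDR;
    uint32_t count = rd32(buf);
    if (count > MAX_RULES) return PARSE_TOO_MANY;            /* also keeps count*RULE_SIZE from overflowing */
    if ((size_t)count * RULE_SIZE > len - HDR_SIZE) return PARSE_TRUNCATED;
    *out_count = count;
    return PARSE_OK;
}

/* Reads rule i (0-based). Only called after validation succeeded. */
uint32_t channel_rule(const uint8_t *buf, uint32_t i) {
    return rd32(buf + HDR_SIZE + (size_t)i * RULE_SIZE);
}

/* Sum of all rule fields, or -1 if the file fails validation. */
long long sum_channel_rules(const uint8_t *buf, size_t len) {
    uint32_t n;
    if (validate_channel_file(buf, len, &n) != PARSE_OK) return -1;
    long long acc = 0;
    for (uint32_t i = 0; i < n; i++) acc += channel_rule(buf, i);
    return acc;
}

/* Constructed inputs: a well-formed file with 2 rules (values 10 and 20),
 * and a malformed one whose header claims 3 rules while only 2 are present. */
const uint8_t GOOD_FILE[] = { 2,0,0,0,  10,0,0,0,  20,0,0,0 };
const uint8_t BAD_FILE[]  = { 3,0,0,0,  10,0,0,0,  20,0,0,0 };
```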

At 05:27 UTC on the same day, CrowdStrike issued a fix and provided a solution: delete the channel file (C00000291*.sys). However, CrowdStrike specified that the fix had to be performed manually, on each computer individually, resulting in a significant workload for IT teams.

INSURANCE POLICY RESPONSE

Cyber insurance has become a vital component of the risk management strategies of many organizations. However, the CrowdStrike outage has raised questions about the extent to which cyber-insurance policies can provide adequate protection and response.

Understanding Coverage

The key challenge is that the CrowdStrike event is not a cyberattack or breach, and this is where a clear understanding of a cyber policy is critical.

While some cyber policies may cover losses resulting from the failure of third-party service providers, specific terms and conditions can vary widely from one policy to another. Cyber policies that would respond to the CrowdStrike incident are the ones that include coverage for system failure. This coverage will pay for financial losses resulting from a system failure. A system failure refers to an unintentional and unplanned interruption of computer systems. System failure will not include any interruption of computer systems resulting from a security breach or the interruption of any third-party computer system.

A clear indication that many cyber policy holders do not understand how their insurance policies would respond to the CrowdStrike event is the number of notifications and claims received by insurers (policy holders who either did not have the dependent system failure coverage or thought that this event would be covered by their cyber insurance).

So far, the CrowdStrike incident has generated three times fewer claims than the MOVEit data breach (2023) and two times fewer than the Change Healthcare cyberattack (2024).

Deductible Limitations

One of the specificities of the business interruption coverage within a cyber policy comes from the waiting period deductible. Waiting periods are set by insurers but can, and should, be negotiated by all Insureds and brokers.

Generally, they vary between 8 and 24 hours. Too many policy holders underestimate the value of properly defining the appropriate waiting periods. Since this metric is expressed in hours and not in dollars, it is often difficult to select the right choice and translate it into the related financial value.

A systematic measure to carry out before accepting/selecting the waiting period would be to evaluate the financial losses incurred for each hour of business interruption arising from the non-availability of each critical system.

With respect to the CrowdStrike event, most of the impact and losses were incurred within the first 8 to 24 hours. This means that most of the financial losses fall under deductibles, since the average waiting period in a policy is 12 hours.

MARKET IMPACT

So far, the estimated insurable loss for the insurance market stands at 1.5 billion, which is not enough to create a significant impact on the insurance and reinsurance markets. In comparison, the table below shows the greatest losses due to cyber incidents in economic terms (not … terms).

CyberCube, BFL CANADA’s partner in cyber exposure quantification, estimates that the July 19 event could cause between $400 million and $1.5 billion in insured losses, representing 3–10% of the current $15 billion global cyber insurance market. This would make it the largest cyber insurance loss in the past 20 years, although it is still less severe than extreme scenarios modelled by insurers. While the event in itself is significant, it is not as damaging as potential extreme cases. It will, however, provide valuable data for refining risk models. The impact on individual insurers will vary depending on their specific portfolios and coverage details.

For instance, recovery time for systems can vary significantly, which impacts how business interruption coverage applies. Waiting periods or time-based deductibles for such coverage typically range between 8 and 12 hours but can vary anywhere between 6 and 24 hours. Recovery duration differs widely between large and small companies due to their varying IT remediation capabilities and the complexity of their IT infrastructure.

Loss Estimates as a Percentage of Global GWP for Global Cyber Market

OUR FORECAST FOR THE 2025 CYBER MARKET

Based on our discussions with domestic and London markets, BFL CANADA forecasts limited impact of the CrowdStrike incident on key cyber insurance market metrics (see table below).

Market Access: How easily a company (given its industry and size) can get cyber insurance with a low limit

Underwriting: What controls are required by Insurers

Market Capacity: How easily an Insured can access higher limits

Premium: How much an Insured pays for its risk

Still, BFL CANADA anticipates that carriers would review their financial modelling and underwriting guidelines with a focus on cyber systemic risks. It would mainly impact Insureds during the underwriting process, with some limitations on coverages or additional exclusions in the policies depending on the insured’s cyber profile. Indeed, the CrowdStrike incident would translate into additional requirements, mainly revolving around third-party risk management, from insurance carriers for 2025:

- IT vendor selection process

- IT vendors (Tier 1 minimally)

- IT value chain assessment

- IT vendor control

Over time, these requirements may extend to non-IT vendors, since some cyber policies cover losses arising from their failure and they can also be the source of a breach or business interruption.

To address the limitations of current cyber insurance policies, several considerations are necessary:

Broader Coverage: Insureds should expand their coverage to include a wider range of cyber risks, such as service provider failures, supply chain disruptions, and reputational damage.

Improved Risk Assessment: Insureds should invest in advanced risk assessment methodologies to better understand the evolving nature of cyber threats and accurately price policies.

Tailored Policies: Insurers should offer more tailored policies to meet the specific needs of different industries and organizations.

Increased Transparency: Insurers should provide greater transparency regarding policy terms and conditions, including exclusions, limitations, and coverage limits.
