The biggest test for the risky cybersecurity insurance market yet is the CrowdStrike outage, as warned by Warren Buffett.

  • This year, Berkshire Hathaway's top insurance executive, who is also associated with Warren Buffett, cautioned about the possibility of significant losses from cyber insurance policies.
  • The CrowdStrike-caused global IT outage will be a significant test for cyber insurance underwriters, with Fitch Ratings predicting that losses will not surpass $10 billion.
  • Other cyber policy experts predict that it is too early to determine the extent of claims insurers will face and warn that it could result in a "very unfavorable situation" for insurers.

At Berkshire Hathaway's annual investor meeting, Buffett and Jain issued a warning about cyber insurance, advising agents to only sell policies if necessary and to expect losses.

The difficulty in evaluating the extent of losses resulting from a single event that affects multiple technology systems is a major concern, as Jain illustrates with the example of a primary cloud provider's platform experiencing a complete shutdown.

Not being able to have a worst-case gap on the aggregation potential is what scares us, he said.

The IT outage that occurred due to a quality control issue from cybersecurity firm CrowdStrike seemed prescient when it halted flights and freight, shuttered retail outlets, and caused hospitals to resort to charting on paper.

Since cloud adoption began, insurers have expressed concerns similar to those experienced by CrowdStrike, according to Dale Gonzales, chief innovation officer at Axio.

According to Gerald Glombicki, a senior director in Fitch Ratings' U.S. insurance group, the cyber insurance industry correctly priced the CrowdStrike meltdown, and he expects it to be manageable rather than catastrophic for cybersecurity insurance firms.

Glombicki stated that the impact of the losses will be significant, but the modeling was mostly accurate. He believes that the industry will handle it well, except for some issuers who may have mispriced their policies.

The industry largely priced in the mid- to high-single billions range for insured losses, according to Fitch's estimate.

The CrowdStrike meltdown was fortunate for the cybersecurity insurance market in that it resulted in no significant physical damages, such as explosions at power plants, dams bursting, or fires caused by overheating equipment, which are becoming a bigger cyberterrorism risk.

Glombicki stated that cyber events with a greater physical impact would be larger in scale and result in significant losses.

Although CrowdStrike is widely used, its market share, estimated at 17% by Fitch, is significant but limited in overall impact. Among the companies that did use CrowdStrike, the worst impact fell on businesses that require constant availability, such as hospitals and airlines, according to Glombicki.

The CrowdStrike failure affected different regions at different times, with Australia and Pacific Asia being hit during the business day, while the U.S. was hit during the night or early morning. As a result, many businesses were able to quickly recover and minimize losses.

'A bad situation' for some insurers may still be ahead

The CrowdStrike meltdown may cause a ripple effect in the burgeoning cyber insurance industry, according to Josephine Wolff, an associate professor of cybersecurity policy at Tufts University's Fletcher School.

Wolff predicts that insurers will likely see a significant volume of business interruption claims across all sectors due to the impacts of CrowdStrike, which have been widely covered in the news.

The length of power outages will affect the number of claims filed by businesses. While some companies experienced brief interruptions, others were still grappling with the aftermath days after the outage.

The NotPetya cyberattacks launched by Russia in 2022, which halted much of the world's freight, were compared to the current situation.

While some of these outages were shorter than those seen after NotPetya, the claims may still be smaller in some cases, according to Wolff. However, she notes that the CrowdStrike glitch had a significant impact on businesses, unlike NotPetya.

The cyber insurance industry is likely to experience a significant increase in claims and their size due to the high adoption rates of cyber insurance in the U.S., according to Wolff.

In addition to unequal impact, cyber insurance policies themselves vary widely.

Glombicki stated that cyber insurance policies can vary greatly, with no standardization in terms and conditions, which can differ within a company based on the policy's author.

Expect business interruption claims, litigation

Gonzales stated that insurers are aware of the unique challenges that cybersecurity presents to them, and as a result, they diversify their coverage to minimize losses. Despite the fact that cyberspace and its security are still relatively unknown, Gonzales believes that this problem will not negatively impact the entire insurance market.

Gonzales stated that while the losses won't be as severe as those caused by hurricanes last year, the comparison isn't entirely accurate since there are far more insured entities in hurricane zones than there are cyber insurance policies.

According to Gonzales, the main claims will likely be for business interruption, which some policies specifically exclude. However, he anticipates that the CrowdStrike incident will lead to litigation.

"There will be legal action against CrowdStrike," he stated.

Gonzales stated that fire insurance is well understood by everyone because it has been extensively litigated.

While traditional insurance has established protocols and precedents through litigation, cyber insurance hasn't been litigated enough to do the same.

"Litigation will aid in defining business interruption and third-party liability. The industry requires clarification, and hopefully, litigation resolves it," Gonzales stated. "Cyber incidents are becoming increasingly unpredictable, creating a dynamic environment. However, I believe the CrowdStrike event will not significantly alter how people perceive insurance," he added.

The CrowdStrike event could increase interest in cybersecurity and attract more customers, Glombicki predicted. "Boards will be inquiring about it," he stated.

by Kevin Williams