CrowdStrike Outage Could Cost Fortune 500 Companies $5.4B
Cyber insurance coverage falls short as Fortune 500 companies face massive losses; health care and banking industries were most impacted
The global IT outage caused by CrowdStrike’s faulty software update could cost Fortune 500 companies $5.4 billion, according to figures from insurer Parametrix.
Last week, CrowdStrike published an update to its security software that caused systems running Microsoft Windows all over the world to glitch and crash completely.
Companies across the country were heavily affected, with Parametrix estimating the average loss was $44 million per Fortune 500 company.
In total, one-quarter of Fortune 500 firms were impacted. One hundred percent of airlines were affected, along with 43% of retailers and three-quarters of health and banking sector firms.
Airlines were hit hardest by the outage as planes were grounded throughout the nation. Those delays could cost airlines $143 million, the insurer suggests.
The companies facing the largest direct financial loss will be health care firms. Parametrix estimates the outage will cost companies like Pfizer and Humana around $1.938 billion.
Banking companies are estimated to have lost $1.149 billion. Companies in health care and banking account for 57% of total losses.
In contrast, manufacturing, the largest sector by revenue, suffered a loss of just $36 million. Software and IT-related services, excluding Microsoft, were among the least affected. Parametrix does not include Microsoft given the company’s role in the outage. While Microsoft didn’t cause the issue, the outage occurred only on devices running Windows.
Credit: Parametrix
However, the portion of loss covered by cyber insurance policies will likely be no more than 10% to 20%, with Parametrix stating many companies have large risk retentions and low policy limits relative to the potential outage loss.
Parametrix said insurers wouldn’t rely solely on the CrowdStrike event for modeling future cloud-based failures as the outage hit both on-premises applications and those residing in the cloud.
“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event but also its boundaries,” said Jonatan Hatzor, Parametrix’s co-founder and CEO. “It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimize the potential impacts of systemic cyber risk.
“However, our analysis does not show the whole diversification picture. A cyber insurer focused on very large companies will certainly suffer a much greater CrowdStrike loss relative to premium than one with a large SME book.”
Parametrix’s report also highlights the disparity in recovery times between traditional industries relying on physical computers and those with cloud-based infrastructures.
Cloud-based systems were found to have greater resilience and faster recovery capabilities.