CrowdStrike Outage Losses Will Hit Healthcare, Banking Hard
$5.4 Billion in Losses Estimated for 500 Largest Public US Firms - Except Microsoft
The healthcare and banking sectors are set to record the largest direct losses in the United States as a result of the global disruptions caused by a faulty CrowdStrike software update crashing Windows systems.
Analysis from cloud outage risk modeler and underwriting agency Parametrix Solutions estimates that 125 of the 500 most profitable publicly traded U.S. firms suffered disruptions and will collectively see $5.4 billion in direct losses. That estimate does not include direct losses that Microsoft might experience as a result of helping to remediate the problem.
Parametrix said that while about half of the Fortune 500 appear to use CrowdStrike's Falcon endpoint detection and response software, only about one-quarter of them appeared to experience serious disruptions.
The weighted average of losses varies by industry, ranging from $6 million for a manufacturing firm to $143 million for an airline, Parametrix Solutions said. Total losses for healthcare firms will reach an estimated $1.9 billion, and for banking firms, $1.1 billion. "Companies in these sectors take 57% of the loss, but account for only 20% of Fortune 500 revenues, due to the uneven impact of the event on business sectors," the company said.
Estimated losses for six publicly traded Fortune 500 airlines will reach $860 million, representing 0.46% of their collective annual revenue of $187.1 billion. A company spokesperson said the analysis excluded Microsoft since the impact on Redmond includes "very significant intangible losses, making Microsoft's financial and insured losses out of scope."*
The global outage caused by Russia's 2018 NotPetya malware attack is estimated to have cost $10 billion.
Only Partial Insurance Coverage
Cyber insurance policies will likely cover no more than a sliver of the losses - perhaps 10% or 20%, if anything - "due to many companies' large risk retentions, and to low policy limits relative to the potential outage loss," Parametrix said.
Legal experts say lawsuits tied to disputes over insurance compensation for the outages could take years to work through the courts.
Losses nonetheless will add up to a "big loss" for cyber insurers, Jonathan Hatzor, co-founder and CEO of Parametrix, told S&P Global.
When it comes to business interruptions, "it's pretty hard to prove financial loss and it takes time to really see if you manage to recover or not," Hatzor said, adding that claims tied to the February ransomware attack against UnitedHealth Group's Change Healthcare unit, which also caused massive disruption, are only now beginning to be filed with insurers.
Full 'Root Cause Analysis' Promised
Microsoft on Saturday said 8.5 million Windows hosts appear to have been affected by the faulty update. While some systems can be recovered via rebooting, many more require hands-on, manual intervention by IT teams. Both Microsoft and CrowdStrike have released free utilities to assist.
By Wednesday, IT asset management tracking platform Sevco Security reported 95% service restoration among its customer base, up from 93% on Monday, leaving an estimated 425,000 systems in total still to remediate.
"The slow progress clearly reflects the tedious, manual remediation procedures," said J.J. Guy, CEO of Sevco Security, in a post to LinkedIn.
CrowdStrike has promised to release a full "root cause analysis" into the outage. The vendor issued a preliminary report Tuesday, saying the outage traced to a faulty update that its existing test procedures failed to properly diagnose. The update crashed Windows PCs, servers and virtual servers running the Falcon EDR software, consigning them to an endless loop of crashing to a Windows "blue screen of death" and rebooting (see: CrowdStrike, Microsoft Outage Uncovers Big Resiliency Issues).
The company also detailed a number of promised testing, monitoring and software distribution improvements it plans to make.
What long-term impact the outage might have on CrowdStrike, whether in retaining or attracting customers or in the value of its stock, is not yet known (see: CrowdStrike's Response to Outage Will Minimize Lost Business).
Before the outage, the company was valued at about $83 billion and said on its website that it worked with 538 of the Fortune 1000 companies.
"We continue to work with impacted customers to fully restore their systems," CrowdStrike said Monday in a Form 8-K filing to the U.S. Securities and Exchange Commission. "This is an evolving situation. We continue to evaluate the impact of the event on our business and operations."
Republican members of the U.S. House Committee on Homeland Security on Monday sent a letter to CrowdStrike CEO George Kurtz, requesting that within 48 hours, he schedule a time to testify before the Subcommittee on Cybersecurity and Infrastructure Protection.
"While we appreciate CrowdStrike's response and coordination with stakeholders, we cannot ignore the magnitude of this incident, which some have claimed is the largest IT outage in history," Chair Mark Green, R-Tenn., and committee member Andrew Garbarino, R-N.Y., said in the letter. "In less than one day, we have seen major impacts to key functions of the global economy, including aviation, healthcare, banking, media, and emergency services."
Separately, Rep. Ritchie Torres, D-N.Y., called on the U.S. Department of Homeland Security to investigate the outage, Politico reported. On Monday, he promised to introduce legislation to codify the U.S. Cyber Safety Review Board, telling The Hill that the legislation would ensure "no future presidential administration could abolish it."
"CrowdStrike is actively in contact with relevant congressional committees," a spokesperson for the Austin, Texas-based endpoint security giant told Information Security Media Group. "Briefings and other engagement timelines may be disclosed at members' discretion."
*Updated July 25, 2024 19:16 UTC: Adds comment from Parametrix Solutions about Microsoft's exclusion from the analysis.