CrowdStrike outage to cost $44m per Fortune 500 company, report

A quarter of top US firms were hit by the update blunder


New data from cloud insurance firm Parametrix sheds light on the financial cost of the massive CrowdStrike outage last week that affected millions of Microsoft devices.

The massive CrowdStrike outage that affected millions of Microsoft devices is predicted to cost US Fortune 500 companies $5.4 billion in total direct financial loss, with an average loss of $44 million per Fortune 500 company, according to new data from cloud monitoring and insurance firm Parametrix.

The healthcare industry could see the largest direct financial loss, with Fortune 500 health providers losing $1.94 billion, followed by large banking companies at $1.15 billion.

The New York-based insurance services company said insured losses from the outage will total from $540 million to just over $1 billion for the Fortune 500 companies.

"Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries," said Jonatan Hatzor, CEO of Parametrix, in a statement.

"It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimise the potential impacts of systemic cyber risk."

Parametrix's analysis of the CrowdStrike event is based on over 54 billion data points as well as direct monitoring of real-time service status of 6,000 tech businesses, including a large portion of the Fortune 500.

One of the biggest industries hit during the CrowdStrike-Microsoft outage was airlines.

The issue will cost six of the Fortune 500 airlines approximately $860 million, according to Parametrix.

Software and IT-related services companies will take a direct financial loss of $560 million, while retail and wholesale Fortune 500 companies will take a $470 million loss.

On the other side of the coin, the manufacturing industry suffered the smallest financial loss, at $36 million in total across 130 companies.

Parametrix said the portion of the financial loss by Fortune 500 companies under cyber insurance policies is likely to be no more than 10% to 20%, due to many companies' large risk retentions and to low policy limits relative to the potential outage loss.

The analysis report excluded any losses from Microsoft.

Key findings from CrowdStrike-Microsoft outage analysis

One-quarter of the Fortune 500 was impacted, according to Parametrix, which comes to 125 corporations.

This includes 100% of airlines in the Fortune 500, and 43% of retailer and wholesaler companies. About 67% of health and banking sector firms suffered direct costs.

Parametrix said beyond such primary financial losses, CrowdStrike's impact on critical services resulted in a cascade of operational delays affecting the Fortune 500 companies and their downstream entities.

"Quantifying these risks is important. This involves measuring the potential financial and operational impacts of downtime or failures within your bundled solutions," said Hatzor.

Traditional industries relying on physical computers experienced longer recovery times, which underlines the resilience and rapid recovery of cloud-based systems, according to the data.

Parametrix uses proprietary IT to continuously monitor the performance of a variety of third-party IT services across the globe and to collect data on service interruptions.

"Prevention is important, but risk carriers have limited control over event occurrences and service provider practices," he added.

"The industry should focus on controllable areas, like mapping and managing aggregation risk. By understanding these points, we can evaluate key exposures, and mitigate both malicious and non-malicious threats. This proactive approach enables better underwriting decisions, and effective risk-transfer solutions to manage systemic risk."

This article was first published on CRN.