CrowdStrike Incident Casts Shadow On Cyber Insurance

Ryan Williams Sr.
4 min read · Aug 1, 2024

In our latest podcast episode, hosts Shannon Tynes, Chris Abacon, and Daniel Acevedo tackled a critical topic in the cybersecurity world: the complex and often misunderstood realm of cybersecurity insurance. Our discussion was sparked by an article from MSN titled “CrowdStrike Losses May Be Biggest Test Yet of Cybersecurity Insurance Risk,” authored by Kevin Williams. This incident, involving a significant disruption caused by a quality control issue at CrowdStrike, has brought to light the challenges and uncertainties surrounding cybersecurity insurance.

Warren Buffett’s Perspective: A Double-Edged Sword for Cybersecurity

Warren Edward Buffett, the “Oracle of Omaha”, is known for his sage advice in the investment world. Recently, he expressed skepticism about the profitability and practicality of cybersecurity insurance. His message was clear: only pursue this type of insurance if absolutely necessary. However, as Chris noted in the podcast, Buffett’s remarks might unintentionally dissuade businesses from investing in comprehensive cybersecurity measures, creating a potential risk in how organizations prioritize their cybersecurity strategies.

Chris pointed out, “My first thoughts were like, okay, so he’s advising companies to only sell cyber policies to clients that, to absolutely satisfy clients. So it’s almost like, hey, maybe you guys shouldn’t be selling cyber insurance to everybody.” This cautious approach underscores the inherent risks in the cyber insurance market, but it also raises concerns about misinterpretation by businesses and investors.

Understanding the Unique Challenges of Cyber Insurance

Cyber insurance differs fundamentally from other types of insurance due to the nature of what it covers. Unlike tangible assets, cyber incidents often involve potential losses that are difficult to quantify. As Shannon explained, “What these insurance companies are gonna have to start paying out for is loss of business, right? Potential loss of business… It’s different when it’s insurance for like a natural disaster… You just say, hey, my potential losses were this, right? And then somebody has to foot the bill for that.”

This complexity makes it challenging for insurers to assess and cover cyber risks accurately. The CrowdStrike incident, which involved disruptions in services for airlines and hospitals, exemplifies these challenges. The varying degrees of service outages — from a few hours to several days — highlight the difficulty in determining the financial impact and appropriate compensation for affected businesses.

The Role of Service Level Agreements (SLAs)

It’s crucial to distinguish between cybersecurity insurance and the protections offered by service level agreements (SLAs). Daniel emphasized, “In this instance with CrowdStrike, it was an IT thing that happened, right? It was a bad update… There are service level agreements that exist for goods and services from CrowdStrike that should cover these kinds of things.”

SLAs are agreements between service providers and their customers that outline the expected level of service and the remedies available if these standards are not met. In the case of the CrowdStrike incident, these agreements play a critical role in managing expectations and responsibilities. This distinction is vital for businesses to understand as they navigate their risk management strategies.

The Future of Cybersecurity Insurance

The evolving landscape of cybersecurity insurance demands more stringent vetting processes and clearer policies. As Chris mentioned, we can expect insurers to require a baseline level of cybersecurity measures from their clients before offering coverage. This shift is necessary to mitigate risks and ensure that insurance policies are both sustainable and effective.

Daniel also highlighted a potential issue with how public figures like Warren Buffett influence the cybersecurity narrative: “If it’s not difficult enough as a cybersecurity practitioner… When things like that are said… it makes our life a lot harder to go to bat to fund cybersecurity as a department in a whole.” The implications of such statements can be far-reaching, affecting not only the perception of cybersecurity insurance but also the broader funding and prioritization of cybersecurity initiatives within organizations.

In conclusion, while cyber insurance is an essential component of a comprehensive risk management strategy, it should not be viewed as a substitute for robust cybersecurity practices. The CrowdStrike incident serves as a wake-up call for businesses to reassess their cybersecurity measures and insurance policies. As the sector continues to evolve, staying informed and proactive will be key to navigating this complex and critical aspect of modern business.

Thank you for reading, and stay tuned for more episodes of The Other Side of the Firewall podcast on Mondays, Tuesdays, Wednesdays, and Fridays, as well as the Ask A CISSP podcast every Thursday. Please like, share, and subscribe.

Stay safe, stay secure!

Ryan is a retired Air Force veteran who brings over 20 years of experience in network infrastructure, project management, and cybersecurity consulting to his current role at BuddoBot. BuddoBot’s mission is to support national security by transforming, empowering, and educating organizations to shift from reactive, diluted, automated, and high-cost IT and security practices to proactive, effective solutions that fortify their security.

Shannon, also a retired Air Force veteran, has more than two decades of expertise in network security and vulnerability management. He now serves as an Information System Security Officer (ISSO) for the U.S. Space Force, where he continues to enhance national security protocols.

Chris, a Navy veteran with over ten years in IT, information assurance, and risk management, currently works at CompliancePoint. His roles include vCISO, RMF assessor, and consultant, focusing on enhancing data security and privacy for various organizations.

Daniel is an Air Force veteran with over 15 years of combined experience in IT, cybersecurity, information assurance, and government risk compliance. He has held various roles, including IT administrator, cybersecurity engineer, and senior information system security manager, and he currently serves as a senior security consultant for Booz Allen Hamilton. In this latest role, Daniel leverages his expertise to address unique and complex challenges in the cyber and IT domains, enhancing his customers’ capabilities.

Ryan Williams Sr.

Cybersecurity Professional | CISSP | PMP® | Founder & Host of The Other Side of the Firewall & Ask A CISSP Podcasts | Retired U.S. Air Force Vet | DE&I Advocate