News

SINGAPORE – The financial cost of that affected airlines, banks and media outlets on July 19 is estimated by market analysts to cross US$1 billion (S$1.4 billion), with more than 49 million people affected. But this is just the tip of the iceberg, even as businesses recover and count the costs. that issued a faulty software update that saw some 8.5 million Windows devices crashing, faces an uphill battle to regain investor confidence and goodwill from the public. Already, CrowdStrike’s share price has dropped by 17.95 per cent between July 15 and the Nasdaq 4pm closing on July 19. Perhaps in anticipation of having to foot huge payouts, insurers have seen their stock drop after the incident. London insurer Beazley’s stock price dropped 3.95 per cent over the same time period. Global insurer Allianz’s share price dropped 1.25 per cent since July 17, though it showed signs of recovery when markets opened on July 22. The exact cost of the outage – and who picks up the bill – is expected to take weeks to determine. But in one of the earliest impact reports, risk management software provider Interos estimated that the outage directly affected over 674,600 enterprise customers and more than 49 million customer relationships indirectly. Based in Virginia, Interos services major organisations including the US government, and this includes monitoring supply chain issues of global logistic networks comprising millions of companies from the database it has built. CrowdStrike’s Falcon Sensor anti-virus program is mostly used by enterprise clients. That explains why the fallout was massive when its software update brought down 8.5 million Microsoft devices, which Microsoft said accounted for less than 1 per cent of all Windows machines. Companies worldwide, including airlines, banks and media outlets, reported disruptions to their services and operations. In Singapore, services at Changi Airport and Singapore Post were among those affected. “Virtually no industry was left unaffected by this outage,” said the Interos report, which identified almost 1,200 unique industries directly supplied by Microsoft or CrowdStrike. Giant US retailers such as Walmart and Target, key financial institutions in the US and EU such as Bank of America and Goldman Sachs, and major energy companies like ExxonMobil were among the impacted businesses that in all served tens of millions of customers globally. The July 19 report said the US was the most affected country, accounting for 41 per cent of impacted entities worldwide. European countries, including Britain, France and Spain, made up for nearly a third of all entities affected. The outage could continue to have widespread spillover effects as CrowdStrike’s cyber-security platform is used by nearly half of the US’ largest cities and 82 per cent of the US state government, including the Department of Defence and intelligence agencies, said Interos. “The disruption was also felt at major ports and air freight hubs in Europe and Asia,” Interos said, adding that recovery could take weeks as thousands of air freight flights were grounded or delayed. US carriers American, United and Delta had grounded flights and faced a backlog of administration to match affected passengers to new itineraries, even a day after the outage. In Singapore, the outage had a lesser impact than it did in other nations. The most visible disruption was at Changi Airport, where more than 40 flights were delayed and check-in processes had to be done manually, resulting in snaking queues. Budget airline AirAsia was among the airlines hardest hit and resumed electronic check-ins only on July 20. All its systems hit by the outage were , and AirAsia said it is assisting customers who were affected at the weekend. Mr Raymond Teo, cyber leader for PwC South East Asia Consulting, said that for many businesses, the downtime caused by the outage could have led to a loss of revenue, service quality and customer confidence. He told The Straits Times: “The economic loss to impacted organisation can be significant, and this is further compounded by an industrywide outage.” Mr Patrick Anderson, chief executive of Michigan research firm Anderson Economic Group, said costs could easily top US$1 billion. His assessment was based on estimates of an earlier hack at software company CDK Global, which serves US car dealerships, that was said to have cost US$1 billion despite being restricted to just one industry. “This outage is affecting far more consumers and businesses in a way that ranges from inconvenience to serious disruptions and resulted in out-of-pocket costs they can’t get back easily,” Mr Anderson told CNN. More than 75 clients of global insurance brokerage Marsh provided notice to their cyber-insurance providers about potential claims related to the incident, Bloomberg reported. However, even if a business affected by the outage has cyber insurance, claiming damages due to the outage is not so straightforward as it depends on the terms of the policy. There are three things to look out for in the insurance policy: how the coverage is worded, the waiting period, and the sublimits. The CrowdStrike outage could be considered a non-malicious event, such as a technical glitch or human error. While insurers do provide coverage for non-malicious events, it may not be uniformly applied across all policies, said Mr Simeon Tan, co-founder and chief technology officer of Singapore-based cyber risk management firm Protos Labs, which has an insurance arm called Protos Cover. “They would have their own specific wordings... So these things may be excluded or written differently depending on what and how the insurer crafts its product,” he said. “If an outage lasts only a few hours, but the policy has a 24-hour waiting period, the insured entity may not be eligible for a claim.” “Even if the policy covers the type of incident in question... there might be a sublimit on coverage for business interruption losses caused by non-malicious outages, which could significantly reduce the payout,” he added. Corporate insurance agent Glenford Tan said affected businesses may also pursue their claims against CrowdStrike as a professional indemnity or product liability issue. “You have to look at it from the lens of CrowdStrike and the stakeholders downstream. If CrowdStrike made a human error in the upgrade, it would be construed as a professional indemnity issue and any third party which suffered financial losses may sue CrowdStrike for the losses they suffered,” he said. “If it was a product failure, such as an unforeseen behaviour of a software product that resulted in damages to third parties, then the appropriate cover would be a product liability cover that responds on behalf of CrowdStrike.” Third parties that plan to bring lawsuits against CrowdStrike would have to prove they have suffered a loss that can be legally documented or defined before they can sue CrowdStrike, he added. When contacted, DBS said its corporate cyber insurance underwritten by Chubb covers ransomware attacks, cyber extortion and business disruptions due to widespread cyber events. “Depending on the incident, companies may be able to claim for business interruptions or restoration of data lost to a cyber issue,” its spokesperson said.