Despite advances in cybersecurity solutions, the number and impact of cyber incidents continue to grow, with the average cost of a data breach in 2024 reaching $4.88 million and the number of confirmed data breaches hitting a record high. The July 2024 CrowdStrike incident demonstrates the need to develop capabilities to assess the downstream business impact of cyber events, establish appropriate cyber resiliency objectives, and ensure effective communication for better cyber risk management decisions.
On July 19th, 2024, a single content update from CrowdStrike, a cybersecurity software company, caused more than 8.5 million systems to crash, disrupting operations for days across thousands of organizations worldwide, including hundreds of Fortune 1000 companies. The CrowdStrike “glitch,” as it became known, resulted in losses estimated to be more than $5 billion. The incident is estimated to cost insurers around $1.5 billion in payouts under business interruption, cyber, and system failure coverages. It represents one of the biggest examples of the adverse impact of aggregated cyber risk accumulation. In October 2024, Delta, one of the many businesses affected by the incident, filed a lawsuit against CrowdStrike claiming that the outage was “catastrophic.” Delta claimed it was the result of CrowdStrike’s “forced untested updates to its customers” and led to the disruption of 7,000 flights and 1.3 million customers over 5 days. The airline claimed a loss of more than $500 million.