Our risk quantification model shows some good news (but not for Delta Air Lines)
By Erica Eager
A corrupt CrowdStrike Falcon sensor update that resulted in Microsoft Windows system outages worldwide showcases the extent of third-party risk to business operations, especially when a dominant vendor becomes a single point of failure. However, despite the millions of systems that were rendered inoperable until the ‘fix’ could be manually applied, our analysis, using the FAIR Materiality Assessment Model (FAIR-MAM™), indicates that the losses are not likely to be material for most organizations when all the lost revenue, delayed revenue, and external response costs are factored in.
Safe Security and the FAIR Institute developed FAIR-MAM, an open financial-loss model based on Factor Analysis of Information Risk (FAIR), as a tool for businesses to quickly and reliably quantify the impact of cyber incidents. We feed the model on our SAFE One cyber risk management platform with the most comprehensive set of industry standard loss data for proactive loss magnitude assessments. FAIR-MAM post-incident analysis also serves to quantify major cyber events in the news; we publish the findings on the site How Material Is that Hack?.
Impacts of the CrowdStrike/Microsoft Outage by Industry
The industry sectors that appear to have been most impacted by the CrowdStrike update were airlines, hospitals, and commercial banking. While the disruptions were significant for companies with specific software applications dependent on blue-screened Windows hosts, the actual financial impact from lost revenue due to business interruption is not likely to be significant for these sectors as a whole. A small sub sector of individual companies with less robust Business Continuity and Disaster Recovery plans have been taking much longer to recover, however.
Airlines
The number of US flights canceled and delayed and the global ripple effect from the widespread IT system outage is similar to past weather-related cancellations and delays. A little over a year ago, severe weather in June caused approximately 20,000 flights into and out of the US to be canceled over a two-day period. For the first two days after the CrowdStrike update, there were 19,624 cancellations and delays into and out of the US. With the exception of Delta, who apparently had trouble restoring its “crew-tracking” software, the US carriers had essentially returned to normal operations a couple of days after the outage. Delta, however, was still canceling a significant number of flights five days after the outage began, accounting for nearly 70% of all cancellations of flights into and out of the US on days three, four, and five post outage for the top four US airlines.
With the exception of Delta, we estimate the cost to the four top affected US airlines (Delta, United, American and Spirit) from this outage to be less than one might think due to the predominance of prepaid, non-refundable airline tickets. These airlines represented 90% of the canceled or delayed flights among the top US carriers. The daily average revenue for these four airlines is approximately $430 million. Over the first five days of the outage, 14% of the total flights of the top four airlines were canceled, which would translate into a total revenue loss of approximately $300 million over the 5 days. Delta alone accounts for approximately $235 million of this loss. However, since most of the tickets sold by airlines these days are non-refundable because refundable tickets usually are much more expensive, most of the revenue “lost” is actually already captured and therefore not lost. Additional costs related to canceled and delayed flights are not likely to be hugely significant since it costs a lot less for a plane to sit on the ground than it does to fly in the air.
Delta, however, is being investigated by the Department of Transportation after it canceled more than 5,400 flights since the CrowdStrike update blue-screened its Windows systems and could incur a fine. In the face of regulatory investigation and millions of irate passengers severely inconvenienced by Delta’s extraordinary flight cancelation rate, Delta has significantly eased its restrictions on ticket reimbursement and hotel and meals expense coverage for these passengers. Delta has begun refunding customers for the cost of their tickets for the canceled flights as well as 10,000 frequent-flier points worth approximately $100 for those on canceled or delayed flights. The airline has also said it will reimburse customers who submit reasonable expenses for any hotel, meal or transportation expenses incurred while in transit.
We estimate the cost of these submitted reimbursements could approach $100 million given as many as three million passengers could have been affected. Therefore, the total loss to Delta could approach or exceed $350 million, or approximately 7% of Delta’s 2023 annual net income.
Hospitals
Business interruptions for hospitals looked very similar to those experienced after ransomware attacks but with significantly less time and cost to remediate and no loss of Protected Health Information. The primary interruptions for those hospitals affected appeared to be lost access to Electronic Health Records, loss of communications systems, and the compromise of workstations or laptops that required a return to pen and paper to maintain patient services. According to the American Hospital Association, even the hardest-hit hospitals activated backup plans and adjusted workflows while systems were manually restarted. The missed medical procedures amount primarily to delayed revenue, not revenue lost. The difference in response times and workarounds among hospitals would be a function of the sophistication of their Business Continuity and Disaster Response plans.
Financial
The financial sector experienced some interruptions to ancillary services but fundamental trading and money transfer operations continued unabated. Some ATMs were not functioning as Windows is popular among these systems. And apparently there were some delayed wait times for online banking customers in the US and some intermittent service impacts that appear somewhat similar to the effects of DDoS attacks on banking consumers. Losses appear minimal in this sector.
Most of the revenue “lost” by these three industry sectors on Friday falls under the “delayed revenue” category. This means that the revenue that was interrupted due to the accidental system outage was not permanently lost. Rather, they had already collected the revenue and did not have to pay out a refund. For example, Delta issued refunds via e-credit which is not redeemable and will either be used by the customer at a later date or expire. It wasn’t until the Delta outages grew and continued beyond the second day, when the industry as a whole was mostly recovered, that Delta reversed the e-credits into refunds.
Therefore, the majority of the cost of the widespread system outages will consist of IT remediation efforts to manually restore the affected systems to their pre-Falcon update settings. And most of this IT remediation is likely to be done by salaried IT employees; therefore, the cost is generally not considered a component of loss magnitude since their salaries will be paid anyway.
Will Insurance Mitigate These Costs?
The reality is that the damage caused by CrowdStrike is unlikely to materialize into meaningful cyber insurance claims for business interruption. Standard cyber insurance includes Direct Business Interruption coverage for lost revenue/profits from downtime due to a security, operational or system failure of the insured’s own operations, not necessarily at a third-party network service provider.
There are, however, many cyber policies which offer Contingent Business Interruption coverage for downtime caused by an outage at a critical supplier, some of which including coverage for System Failure where the third-party network outage was not directly caused by a security breach as in the case of CrowdStrike. Insureds with this coverage may be able to file a claim with their cyber insurer to cover lost profits due to the accidental outage, but it’s questionable how material lost profits are at this stage, factoring in delayed revenue.
CrowdStrike’s Liability
CrowdStrike is protected by a standard warranty that requires it to provide a workaround for a product defect or to cancel the license and refund the prepaid fee, prorated. State product liability laws might give disgruntled customers some legal wiggle room, however, and healthcare clients with patients affected by the outage could have an argument to supersede the product warranty. On the legal front, plaintiff attorneys are already advertising for a possible lawsuit on behalf of CrowdStrike investors; the company’s share price is down by a third from its 52-week high.
Consumers
The real losers in this supply chain outage are the individual consumers. Travelers whose flights got canceled or delayed are not likely to receive a reimbursement for the cost of their ticket from the airlines since the cancellations and delays were the result of an event that was not in the airlines’ control. Additionally, the stranded travelers have to assume all ancillary expenses like the costs of hotels and transportation to the hotel, meals, and clothes and sundries if luggage was already checked or in transit. Individuals whose medical operations or procedures were canceled by an affected hospital suffered the mental anguish or additional costs associated with such delays. Banking customers were inconvenienced by being unable to get cash or transact their online banking.
The Bottom Line: Get Your Third-Party Risk Management in Order
While the losses from the CrowdStrike outage may not hit material levels, no business wants the drama and expense of a surprise business interruption brought on by a third party. Third-Party Risk Management (TPRM) needs to be focused on risk. Too often, TPRM programs place excessive emphasis on compliance with frameworks of best practices, overlooking assessment of the likelihood and impact of events that can strike even compliant organizations.
It is vital for tech leaders to broaden their assessment of vendors beyond cybersecurity compliance to include areas such as business continuity and operational resilience. Mapping the third-party ecosystem is essential to pinpoint key risks among vendors. By implementing TPRM strategies, organizations can proactively evaluate and address risks related to third-party service providers, ensuring business continuity and resilience in the face of unforeseen incidents.
Learn about Safe Security’s TPRM solution
SAFE TPRM is designed to enable businesses to build, run, scale, and automate their TPRM strategy. With SAFE, third-party risk management is as seamless, efficient, and consistent as managing first-party risks.