We recently told you how one cyber insurance expert predicts the massive CrowdStrike-caused IT outage may change the cyber insurance industry, including by boosting demand for coverage of non-malicious losses, or non-criminal claims, such as business interruptions caused by software failures. The recent NetDiligence Cyber Claims Study 2024 (see our summary of other findings here) includes data on the trends in criminal versus non-criminal claims from 2019 to 2023. The report shows non-criminal incidents have been a relatively small, but costly, source of claims in recent years (with the percentage of non-criminal claims higher at larger companies than at small/medium ones).
Criminal Claims
NetDiligence notes criminal claims occur far more often and are more expensive:
High Frequency and Cost: Criminal claims, which include hacking, ransomware, phishing, and business email compromise (BEC), dominate the cyber insurance landscape. For SMEs, about 97% of all claims since 2019 have been related to criminal activities. The average cost of criminal incidents was significantly higher than that of non-criminal incidents. For example, from 2019 to 2023, the average criminal incident cost SMEs $207,000.
Non-Criminal Claims
Lower Frequency but Still Costly: Non-criminal claims, such as system glitches, software programming errors and lost devices, made up a smaller portion of total claims, but they still contributed significantly to overall losses. From 2019 to 2023, non-criminal claims at SMEs averaged $129,000 in costs.
So is the CrowdStrike disaster a harbinger of increased losses from non-criminal claims? We think it’s too soon to tell, but there’s no doubt the incident demonstrated how large numbers of enterprises can sustain substantial losses from just one software mistake, or a hack with similar properties. Get the NetDiligence report here.