The Crowdstrike Outage & Cyber Insurance

I wanted to write an article about the recent Crowdstrike outage and its implications for Cyber insurance policies. This outage was unprecedented and is a wake-up call for system failure risk. We have had this wake-up call moment with other types of risks, particularly privacy breaches. We must now grasp the scale of the loss and consider the possible consequences of future outages.

Background

In a nutshell, the Crowdstrike outage was a result of a coding error in a software update distributed to Crowdstrike clients. It only affected businesses using Microsoft operating systems. The number of machines impacted was estimated to be 8.5 million.

Note: I am proceeding with my thoughts (below) on the basis that the outage occurred due to what we will call “system failure” or “human error” rather than “malicious activity”. This is based on publicly available information.

Policy Analysis

As we know, Cyber insurance policies are not homogeneous. This complicates the analysis of different covers, as was certainly the case in my examination of various policy wordings relating to this outage.

Several of the policies I reviewed appeared, “broadly” speaking, to provide cover for this type of outage – but where they did, it was limited to specific sections only. I will get to that shortly. Firstly, I need to make clear that I only examined policy wordings. Endorsements that modify, restrict, or broaden policy terms and conditions could be attached to these policies as well. Additionally, individual policy schedules also need to be reviewed carefully.

As I’ve already stated, several of the policies I reviewed had some form of cover for this type of outage. The terms used were either “system failure”, “system error”, “human error”, “programming error” or another term that could be associated with this type of outage (I will refer to these as “non-malicious triggers” for simplicity). How such covers are triggered, however, is not consistent, as language, particularly relating to the “causes” and “effects” of these “non-malicious triggers”, varies amongst insurers.

Importantly, in the policies that I examined (and that appeared to provide cover), these “non-malicious triggers” only tied back to the following sections:

  • Business Interruption cover (BI) – which is not always an Automatic Insuring Clause/Automatic Extension and may be sub-limited
  • Contingent or Dependent Business Interruption cover (CBI) – which is often only an Optional Extension and generally sub-limited (when available/selected)

Examples

Let’s consider a couple of examples relating to the BI and CBI covers mentioned above.

Business Interruption (BI)

In the first example, your insured suffers a direct loss of revenue as a result of an outage (like the Crowdstrike one) which directly affects their computer system, causing downtime. BI coverage sections of several policies, if available/selected, should respond to this scenario (after the waiting period has passed). Check policies / policy schedules carefully though, and as always, any cover is subject to the normal terms and conditions of each policy.

As a footnote to this example, depending on the policy, an insured’s IT service providers’ computer systems can be considered part of the insured’s computer systems or be considered separate from their systems. Also, an insured’s losses arising from their IT service providers’ computer systems may be included in BI coverage sections, if available/selected, or may instead be included in CBI coverage sections, if available/selected.

Contingent Business Interruption (CBI)

In the second example, your insured’s computer system is not directly affected by the outage; rather, one of your insured’s suppliers’ computer systems is. The effect, as with the first example, is that your insured suffers loss of revenue, but this time due to their supplier’s outage. CBI coverage sections, if available/selected, could respond here (after the waiting period has passed). Check policies / policy schedules carefully though, and again, any cover is subject to the normal terms and conditions of the policy.

You will notice that I used the word “could” above. This is because who is considered a “supplier” in the policy (or by endorsement) is of critical importance here. As already mentioned in the BI example above, some policies will cover their insured’s losses relating to their IT service providers’ computer systems in the BI coverage section or the CBI coverage section (or not at all). Some CBI coverage sections can go a step further in that a “supplier” can also be a non-IT service provider. Note: other common cyber policy terms used in place of “supplier” are “supply chain partner” and “outside service provider”.

After considering these BI and CBI examples, it is important to remember that the following factors could have dire consequences on businesses:

  • The nature of the loss and who is affected by the loss
  • Whether BI and/or CBI covers are included/sub-limited. If they are, whether “non-malicious triggers” losses are included/sub-limited in these covers
  • How long the outage lasts
  • The length of the Waiting Period (excess) which could vary depending on the nature of the loss

This is why it is so critical for brokers to review these covers and their limits / sub-limits with their clients.

Other Losses

One also needs to consider that such an outage could initiate, contribute to, and/or exacerbate a cyber-attack against an already vulnerable business. One can imagine birds of prey (threat actors) circling around an injured animal (the already affected business) looking for an opportunity to use the outage as a springboard for a cyber-attack on them. Robust Incident Response Plans can help here.

Exclusions, Restrictions & Restrictive Language

The final part of my analysis relates to Exclusions, restrictions and restrictive language.

An Exclusion that I consistently found across the policies I examined was, what we will call, an “Infrastructure / Utility Exclusion” which generally excludes losses / claims from outages or failures of power, internet, telecommunications, water, gas and sometimes more – depending on the insurer.

This type of exclusion is necessary for insurers to avoid systemic risk. It does, however, leave businesses heavily exposed to uninsured losses should such an “infrastructure / utility” provider suffer an outage or failure. Again, check policies carefully; endorsements that I am not aware of could modify, broaden, or further restrict cover here.

In addition to the Exclusion listed above, the following restrictions / restrictive language were observed in some insurers’ Definitions (rather than in the “Exclusions” sections of policies):

  • Cover for a “non-malicious trigger” under a BI section but a requirement for a “malicious trigger” to be the cause for the CBI section to respond
  • Cover for a “non-malicious trigger” but a restriction for design failure in a third party’s software
  • Cover for a “non-malicious trigger” but a restriction relating to services agreements with third parties (I am not referring to common Assumed Liability / Contractual Liability Exclusions here)
  • Cover for a “non-malicious trigger” but only when arising from an accepted program (and the cause of this outage may not fall into this category)

Again, check policies carefully; endorsements that I am not aware of could modify, broaden, or further restrict cover here.

Conclusion

It remains to be seen how cyber claims departments will view Crowdstrike-associated losses in the context of the areas I have discussed in this article, and beyond. It will also be interesting to see if restrictions / exclusions are added to policies as a result of this incident. Aggregation of risk will be another concern that insurers will be closely considering and monitoring.

There are a few positives that we can take away from this event:

  1. It has made us realise how susceptible we are to outages and this will force key parties into action
  2. As reported, this outage was not caused by malicious actors
  3. It provides brokers with further opportunities to discuss cyber risks and insurance with their clients

On a final note, it is foreseeable that Cyber insurers who respond to their Insureds’ losses / claims emanating from this outage will seek to recover against Crowdstrike, and others, for their error. As such, one hopes they have the appropriate insurance policies, limits, and balance sheet to deal with the aftermath of this outage.

Disclaimer: The information provided in this article is not, and is not intended to, constitute legal or financial product advice. It is intended to provide general information in relation to the topic being discussed which is only current as at the date of this article.

Please note that the topic discussed in this article, and many others, are more thoroughly examined in our ANZIIF / NIBA accredited training modules delivered in-person or live online. In addition to our modules, we also conduct training on specific topics and provide mentoring services to insurance professionals. Given my 18 years of broking experience, I thoroughly understand what brokers do and am passionate about sharing my knowledge and experience with you. I hold a Master in Risk Management & Insurance and am also a qualified trainer. I would love to assist you with your training needs.