EXPLORING THE IMPACT OF IT OUTAGES ON INSURANCE COVERAGE

In my last article, Did Travel Insurance Respond to the Recent Outage? Let's Reflect, I discussed how travel insurance responded to the CrowdStrike IT outage. Now, let's discuss the other cover/s.

Background        

CrowdStrike's recent IT upgrade involved a faulty software update that inadvertently affected the performance of Microsoft Azure and Office 365. This issue led to widespread operational disruptions across multiple industries. According to Microsoft, approximately 8.5 million Windows devices globally were affected, which is less than 1% of all Windows machines.

How did it happen?

The IT outage was not caused by a cyber-attack or a malicious system failure, nor was it directly Microsoft's or the end users' fault. Instead, a non-malicious, faulty update and misconfiguration in the system by CrowdStrike led to significant downtime, service disruptions and productivity losses, underscoring the critical reliance on reliable IT infrastructure for seamless business operations.

While the outage lasted for about +/-75 minutes, the recovery time for many end users needed much longer than one day due to the complexities involved in deploying a fix. This led to massive losses across multiple industries.

?

This raised the question: will the IT outage trigger cyber insurance claims for end user customers, MSPs, or MSSPs?

?

Key Players in the IT Outage?        

1.????? End User – Airports companies, banks and other businesses that rely heavily on IT infrastructure for their operations.

2.????? MSPs (Managed Service Providers) and MSSPs (Managed Security Service Providers) – Providers such as Office 365 and Azure, which were directly impacted by the outage.

3.????? CrowdStrike – A company that accepted responsibility for the faulty update, opening itself up to potential litigation.

?

Cyber Insurance        

According to FBC Holdings Limited , Cyber Risk Insurance provides coverage for liabilities arising from unauthorized use of or access to, electronic data or software within your network or business.

In some insurers, coverage includes but not limited to:

1.???? Insured own losses/ First Party Loss Primary losses to include Business interruption losses and Dependent business

2.???? Electronic Financial crime and fraud

3.???? Crisis Management expenses and notification expenses

4.???? Claims and investigations against Insured

5.???? Property Damage

6.???? Other Third Party Liability

?

Understanding the Types of Interruption Coverage.

Before we discuss further, it is important to clarify the difference between Business Interruption Losses and Dependent Business Interruption. These are distinct types of coverage in my opinion and below is how l define them:

• Business Interruption Losses: Covers business income loss and extra expenses incurred due to a computer network outage affecting systems internally managed by the IT department.
• Dependent/Contingent Business Interruption: Refers to coverage for insured losses resulting from a business interruption caused by a disruption or degradation of service from a third-party service provider.

Examining the Activation of Cyber Insurance

According to Reuters, insured losses from the July 19 event may cost between $400 million and $1.5 billion to the standalone cyber insurance market. This raises the question of which types of coverage will be activated.

Many companies may be surprised to find that they are not covered, as cyber insurance policies are typically designed to address cyber-attacks/security Attack specifically. Without an actual cyber attack, coverage may not be applicable.

?

PRIMARY CYBER INSURANCE LOSS        

Cyber insurance for the SSP and end users

End users, SSP and MSSP’s may try to activate the below covers.

1. Non-damage hardware — replacement (bricking)
2. Property Damage
3. Contingent/Dependent business interruption – Service interruption due to the third party insurance?
4. Liability Insurance – Lawsuits’ for instance an airline for flight cancellation
5. Business interruption, etc

In summary, cyber insurance is in three parts:

1. First-party cover
2. Silent cyber cover
3. Third-party cover.

?

Property Damage and Non-damage hardware replacement (Bricking).

Property damage and Bricking is a form of “Silent Cyber” emanating from a German steel mill in which a furnace was destroyed after hackers took control of the furnace system and the company operators at the plant were unable to shut down a blast furnace in the proper modus (Just Imagine a cyber-attach on the new Hwange Power station). ?Physical damage to IT hardware can be experienced because of continues shutdowns of the machines in trying to reboot leading to overheating or making the equipment unusable.

Currently there is a no to little physical damage because of the IT outage recorded. However if your Cyber insurance does not cover property damage, the insured can claim such a loss from the property insurance provided that the policy is not affected by the Lloyds of London Cyber Incident Exclusion.

?

Interruption Insurance

As to date, l think we can all agree that the IT outage was due to a non-cyber-attack, the service interruption had no attended property damage (Non-damage business interruption) and both the end user and the middle users had no control to the system failure. This will cause a lot of problems as most companies will not be covered as the trigger event is non malicious instead of a cyber-Attack as some insurers exclude non malicious or specifically exclude software design flaws.

However, some insurance policies cover non-malicious risk hence claims will be filed under the "systems failure". The contingent business interruption under Cyber insurance will be the correct cover on this policy; Business Interruption Losses coverage typically applies when the insured's own systems are directly affected by a covered peril. In this case, the direct cause of the interruption was CrowdStrike's faulty update not an internal issue within Microsoft's own systems or the end user. It is also important to note that the CBI/DBI is not a standard cyber insurance policies, it is rare and in the event that it is offered, it is very much limited cover. ?The application of coverage will be dependent on the waiting period within clients’ cyber policies as well as the coverage trigger negotiated within the wording. The language in the policy wording has to be correct for instance:

?However, determining the final losses for the industry will likely be a lengthy process because cyber insurance policy language is not standardized. Insurers will need time to ascertain which customers experienced losses from the outage and whether those losses are covered. This global outage highlighted the broad risks posed by a single point of failure and the extent of interconnectivity and interdependence across many economic segments, drawing comparisons to supply chain cyber-attacks.

?

?

SECONDARY CYBER INSURANCE LOSSES        

Because of the ongoing mass global outage, cyber criminals have taken advantage of the situation and are now

1. Sending phishing emails as if they are Crowdstrike employees
2. Distributing a malicious ZIP archive loaded with HijackLoader payloader which has a malware
3. Phishing phone calls

The above losses now have a cyber-attack trigger and they follow the normal conventional cyber insurance

?

COVERAGE FOR CROWDSTRIKE        

Technological Errors and Omissions/professional liability cover.

This insurance covers claims arising from errors or omissions in the provision of technology services. It includes issues such as coding errors, software bugs, project delays, data breaches, breaches of contract and other professional failures. Given that the mistake originated from CrowdStrike, all affected entities through Microsoft may pursue indirect claims against CrowdStrike for monetary relief, potentially through a class-action lawsuit. To proceed, some of the following facts must be established and steps taken:

?

1. Negligence - Determine if CrowdStrike was negligent in their actions.
2. Breach of Duty -Establish whether there was a breach of duty by CrowdStrike.
3. Contractual Obligations - Assess if the contract between the parties involved was violated.
4. Indirect Claims - Consider if end users, SSPs, and MSSPs can sue CrowdStrike indirectly.

Some cyber insurance combines the Tech E and O cover as per below:

?

Factors that will limit the number and size of claims:

1. Insurance Policy Limits/Sum Insured
2. Deductible
3. Policy Waiting periods in hours
4. Insurance Policy Exclusions
5. Contractual Limitations and Liability Caps – For instance contractual Mitigation Obligations OR Consequential Damages Liability Exclusion etc.
6. Language used in the insurance policy wording
7. Timing? of the outage - off-peak hours or on weekends

?

Important Note:

Insured

This article highlight the crucial need for proper insurance to support your tech business as you navigate emerging risks, innovate with your business models, and disrupt industries. Don't let unexpected digital disruptions affect your financial health. Businesses without adequate safeguards can suffer significant revenue losses while trying to keep operations running smoothly. Remember, cheap insurance products often offer limited coverage. Contact your insurance broker for a thorough analysis of your insurance requirements.

Insurers

As more equipment are controlled by computers and connected to networks, the risk of property damage from a cyber-event increases. Property policies are increasingly excluding or limiting coverage for this risk, affecting both direct damage and business income/extra expense losses. Solutions may be offered by property insurers, equipment breakdown insurers, and cyber insurers.

When developing a solution for a specific business, it is crucial to thoroughly review all policy language to minimize gaps and overlaps. Where overlaps exist, it is important to ensure that the other insurance clauses clearly indicate the intended priority of coverage.

Questions to Ask Yourself as an Insurer:

1. Why did Berkshire Hathaway take a cautious approach to cyber insurance? They stated they are very careful when taking on cybersecurity insurance liabilities.
2. Are you underwriting cyber insurance simply because it’s currently fashionable? This risk has limited historical data, lacks standardized frameworks and operates in a dynamic environment.
3. When underwriting property insurance, companies conduct surveys similar to those in agricultural business. This is feasible because they employ specialists with the necessary skills to perform extensive risk assessments. However, for cyber insurance, most insurers rely primarily on the proposal form and do not conduct in-depth technical surveys to thoroughly examine the insured's systems and processes. Do you really want to take liability on a policy that is underwritten based on self-assessment questionnaires?
4. etc,,,,

I will discuss cyber insurance in more detail in one of my upcoming writings.

Warning:

Any advice provided in this article is of a general nature and has not considered your needs and objectives.