The recent CrowdStrike outage and disruption to businesses of all sizes has refocused attention on the value of cyber insurance for non-malicious losses. While cyber insurance is known to protect organizations against the financial losses associated with a cyberattack, most cyber policies go further and extend coverage to business interruption loss when technology fails to work as intended. This is called “systems failure” coverage.
What Is Systems Failure Coverage?
Systems failure coverage has been provided by insurance companies under cyber policies for years. This coverage grant provides indemnification for net income loss and extra expenses associated with a degradation or failure in technology – a systems failure – not caused by a cyberattack. Some policies also extend coverage to include dependent or contingent business interruption losses associated with a systems failure. This extends coverage to loss by the insured if a vendor of theirs is affected by a technology failure or degradation, and, as a result, the insured suffers a net income loss or incurs extra expenses.
How Were Companies Affected by the CrowdStrike Outage?
In July 2024, CrowdStrike pushed a faulty update to its Falcon endpoint sensor that caused Windows hosts running it to crash. Organizations across multiple industries, including aviation, healthcare, financial services, and even Times Square billboards, saw the Windows BSOD (blue screen of death), and the affected machines stayed unusable until the faulty file was removed from each one.
The outage also reached organizations that were not direct customers of CrowdStrike, because of the interdependencies in today's technology supply chain: a business whose vendors ran CrowdStrike suffered when those vendors went down. In both cases the cyber insurance policy may have been triggered through the systems failure or dependent/contingent systems failure coverage provisions, making coverage for lost revenue and remediation expenses available under the policy.
What Was the Impact on Cyber Insurance Carriers?
Many initially saw the CrowdStrike outage as the most significant cyber accumulation-loss event since 2017, but that has not proved to be the case. Several factors limited the insured loss, with industry estimates ranging from $400 million to $1.5 billion. To understand how policies may have responded to this event, the following coverage terms matter:
- The waiting period must be met. On most cyber insurance policies this is 12 hours; an interruption that ends before it elapses recovers nothing.
- The retention (deductible) must be met. How it interacts with the waiting period varies by policy and falls into three categories:
  - Waiting Period and Retention: after the waiting period elapses, the retention applies to the losses that follow it.
  - Greater Amount of Loss Incurred: either the retention or the amount of loss incurred during the waiting period applies, whichever is greater.
  - Qualifying Period: once the waiting period elapses, the retention applies back to the start of the loss.
- The period of interruption is a defined term covering the time from the start of the interruption or degradation through its conclusion. It may refer only to a computer system or network outage, or it may extend to a disruption of "normal business operations."
- For a vendor to be recognized as a dependent or contingent business under the policy, a contract may be required between the insured and the vendor.
- Sublimits for dependent or contingent business interruption systems failure coverage became market standard during the 2020-2022 hard market but have since largely been eliminated.
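To make the three retention approaches concrete, here is an added worked example that is not part of the original article. It encodes one reading of the three descriptions above (real policy wording varies), models a flat-rate outage with constructed dollar figures, and shows how much of the same loss is recoverable under each approach.

```python
"""Worked example (added here, not from the original article): how the
waiting period and retention interact under the three retention approaches
described above.  The mechanics are one reading of those descriptions; real
policy wording varies.  All dollar figures are constructed."""

from dataclasses import dataclass
from typing import Dict, Sequence

APPROACHES = ("waiting_and_retention", "greater_of", "qualifying")


@dataclass(frozen=True)
class Policy:
    waiting_period_hours: int  # 12 hours on most cyber policies
    retention: float           # the deductible, in dollars
    approach: str              # one of APPROACHES


def recoverable_loss(hourly_loss: Sequence[float], policy: Policy) -> float:
    """Amount recoverable for one systems-failure interruption.

    hourly_loss[i] is the net income loss plus extra expense incurred during
    hour i of the period of interruption.
    """
    wp = policy.waiting_period_hours
    # Under every approach the waiting period must be met: an interruption
    # that ends before it elapses recovers nothing.
    if len(hourly_loss) <= wp:
        return 0.0

    total = float(sum(hourly_loss))
    during_wp = float(sum(hourly_loss[:wp]))
    after_wp = total - during_wp

    if policy.approach == "waiting_and_retention":
        # Loss inside the waiting period is never covered; the retention is
        # then deducted from the loss that accrues after it elapses.
        covered = after_wp - policy.retention
    elif policy.approach == "greater_of":
        # The insured absorbs whichever is larger: the retention or the loss
        # incurred during the waiting period.
        covered = total - max(policy.retention, during_wp)
    elif policy.approach == "qualifying":
        # The waiting period only qualifies the claim; once met, the retention
        # is deducted from the loss counted from the first hour.
        covered = total - policy.retention
    else:
        raise ValueError(f"unknown retention approach: {policy.approach!r}")
    return max(0.0, covered)


def compare_approaches(hourly_loss: Sequence[float],
                       waiting_period_hours: int,
                       retention: float) -> Dict[str, float]:
    """Recoverable amount for the same loss under each of the three approaches."""
    return {
        approach: recoverable_loss(
            hourly_loss, Policy(waiting_period_hours, retention, approach))
        for approach in APPROACHES
    }


if __name__ == "__main__":
    # Constructed scenario: a 20-hour outage costing $50,000 per hour
    # ($1,000,000 in total), a 12-hour waiting period and a $250,000 retention.
    outage = [50_000.0] * 20
    for approach, amount in compare_approaches(outage, 12, 250_000.0).items():
        print(f"{approach:24s} recoverable: ${amount:>12,.0f}")
    # A 10-hour outage never clears the 12-hour waiting period, so every
    # approach returns 0.
    print(compare_approaches([50_000.0] * 10, 12, 250_000.0))
```

In the constructed scenario the same $1,000,000 outage recovers $150,000, $400,000 or $750,000 depending only on which retention approach the policy uses, which is why the wording of these terms matters at least as much as the headline limit.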
These terms may have applied to losses from the CrowdStrike outage, but many organizations restored their systems within hours thanks to significant investment in incident response, business continuity, and disaster recovery processes, which kept much of the loss below the waiting period and retention thresholds described above.
To date, the CrowdStrike outage has not moved cyber insurance pricing. Cyber continues to be a buyer's market.
What Can Companies Do to Maximize Recovery?
To obtain the broadest available cyber insurance coverage, companies should partner with a specialty broker that is an expert in cyber insurance, both in underwriting and in claims negotiation. The market for cyber insurance is dynamic, so policies should be reviewed annually. Companies should also use risk quantification and loss modeling, not just peer limits benchmarking, when deciding on cyber insurance limits.
Because organizations continue to rely on technology vendors, they should carefully review and negotiate vendor contracts, especially the limitation-of-liability and indemnification provisions. Those provisions allocate risk within the scope of the contract by setting out whether, and to what extent, each party is financially responsible. Companies should also identify which vendors in their technology supply chain are critical to business operations and contract directly with them; a direct contract may also be what qualifies the vendor as a dependent or contingent business under the policy.
Lastly, failing to plan often ends badly. Well-drafted incident response, business continuity, and disaster recovery plans limit downtime. They should also list the information needed to maximize insurance recovery, for example the timestamps that establish the start and end of the period of interruption, since the waiting period and retention are measured against it, together with records of lost revenue and extra expenses. Plans should be updated regularly, and practiced and refined through exercises that include all relevant corporate stakeholders.
The Takeaway
A comprehensive approach to cybersecurity involves not only policies, people, and procedures but also regular investments in technology infrastructure and partnerships. Companies should routinely assess their cyber insurance policies and vendor contracts to ensure their balance sheets are safeguarded against technology disruptions. Understanding how much risk can be retained versus transferred via insurance is key, given the variation in policy language. Developing strong incident response, business continuity, and disaster recovery plans is essential to maximize recovery. The CrowdStrike outage should serve as a warning for organizations to up their game and avoid striking out on financial loss recovery.