top of page
classroom-with-large-screen-that-says-i-m-teacher.jpg
Concrete Wall

CROWDSTRIKE AND ACCESSING THE CYBER INSURANCE

The CrowdStrike outage impacted most of us in some way or another. But how might it have impacted cyber policies?  We take a look.

If not before, it was necessary for many of us to become acquainted with cyber a few years ago when the UK’s FCA mandated insurers to better understand the cyber exposures from their non-cyber products, and then Lloyd’s insurers were required to expressly clarify, in their policies, the extent to which non-cyber products gave cyber-related coverage (aka “silent cyber”). The reason for this is that cyber cover had and still has the potential to overlap with other policies given it responds to events affecting the Insured’s computer systems. These events may have been caused or contributed to by perils covered under policies or may themselves cause insured events under other policies.

How Cyber is accessed

 

Cyber products can vary a lot  – this may be a consequence of the fact it is still a relatively immature product compared with others. However, many follow a similar pattern and contain up to three gateways to the cover:

  1. Security Failure

  2. Privacy Breach

  3. System Failure 

 

So, you generally need one of these before you can access some cover. It follows that the definitions of these gateways will have a very significant bearing on the breadth of the cover and how often it may be triggered.

Overlaying these gateways are the heads of cover offered: liability claims, investigations, business interruption, breach response costs and so on. You have to match these up with a gateway to see where the cover is. Usually not all covers are given for all gateways.  This may be partly because some covers only really respond to a certain gateway – breach response costs being an example (Privacy Breach) but it is also a way in which insurers carefully control the cover given under the policy.

 

Once you have matched the required head of cover with the right gateway you have accessed the policy and there will be cover subject to any relevant exclusions and conditions that might apply.

 

How about CrowdStrike?

Developing this theme a bit more – how might an outage as a result of the CrowdStrike software update failure impact a cyber insurance policy?

First, some background.

On 19th July 2024, CrowdStrike, a company that provides antivirus software to Microsoft for its Windows devices (among others), sent out an update for its Falcon Security software. This update apparently had a fault in it, which when rolled out, impacted 8.5 million devices worldwide. Those who were impacted were primarily using the Falcon software for Windows Version 10 and above, and it resulted in a system outage and a “Blue Screen of Death” (BSOD) appeared on the impacted systems. This caused an outage crashing millions of systems across the globe.

 

This caused havoc around the world! It caused panic and had a significant impact in many sectors worldwide. Notwithstanding CrowdStrike rushing out a fix soon afterwards, in some cases the disruption to business went on for weeks.

 

The worldwide losses, according to some estimates, have been to the tune of US$10 billion. According to insurance analyst estimates, global insured losses related to CrowdStrike outage have been estimated to be in the range of $400m to $1.5b, potentially making it one of the largest cyber insurance losses ever.

Where is the Cyber Cover?

As stated above, cyber policies can vary considerably and there are regional variations. This will affect whether and to what extent a policy will provide cover in respect of the CrowdStrike incident. The thought process might go a little like this (obviously this is a dumbed-down hypothetical, and the outcome would depend on the actual circumstances of the Insured and the actual wording of their policy):

  1. Check which gateways might apply. Here it was fairly quickly established that businesses suffered no obvious security failure or privacy breach. So, we are left only with System Failure as a gateway to cover.

  2. Apply the System Failure gateway to the relevant head of cover to see if there is a match. Assuming the outage mainly caused an interruption of the Insured’s business, we would be looking at the business interruption (“BI”) cover, if the policy includes it. Does this cover match the gateway (System Failure)? In some policies the BI cover is only matched with Security Failure (ie something done maliciously which breaches the Insured’s security). This would result in there being no cover.

  3. However, in those policies where System Failure is a gateway for BI cover the policy will potentially be accessed so long as the definition of System Failure embraces a failure whose cause was external (ie CrowdStrike). This is because often, System Failure relates to a failure whose cause was solely from within the Insured’s own computer system.  You would need to dig more deeply into the wording and check the definition of System Failure here. Will it embrace an external cause? If Yes, the policy can be accessed and there is cover subject to the BI “Waiting Period” and any exclusions that might apply (such as infrastructure).

  4. If the definition of System Failure does not include where the cause is external, there would be no cover as the definition is not satisfied and so there is no gateway to the BI cover.

  5. Could there be any other relevant cover for a BI loss in the policy? There may still be possibilities if the policy includes “Dependent Business Interruption” which is cover specifically for where a business interruption is caused by an issue in an external business on which the Insured is dependent (ie CrowdStrike). However, if there was no match between System Failure and the Business Interruption cover in the policy (as referred to in (2) above) there is unlikely to be a match between System Failure and Dependent Business Interruption cover either.   

Regional Variations

Most cyber policies in the London market provide BI and many provide Dependent BI as heads of cover. They will also include System Failure as a gateway, however, the cover may not necessarily be matched in the way described above. Further, even if matched, System Failure may be limited to an internal, rather than external, cause.  Given the product variations, the amount of cyber cover provided in practice will often come down to the exact wording, which means that wordings need to be carefully considered by both buyer and seller.

 

Interestingly, in the Indian insurance space, most of the cyber policies do not offer coverage in respect of System Failure in the base wordings.  Generally, in most cyber policies the gateways are either Security Failure or Privacy Breach. However, some insurers do offer BI cover for System Failure as a small sublimit (USD150k to USD 500k), by way of an endorsement. Also, there are a few insurance companies providing other covers in respect of System Failure, but the extent of the coverage is very limited. For some large multinational clients, the brokers have been arranging reinsurance support for this coverage. 

Summing Up

 

Post CrowdStrike, insurers everywhere have been receiving claims notices under cyber policies, mainly for BI (or Dependent BI) due to System Failure, but much covered loss is expected to be under the Waiting Period deductible of 12 hrs to 24 hrs.

With insurers and reinsurers now having witnessed the significant damage that could be caused by System Failure coverage and recognizing the potential for even greater losses in the event of a Security Failure, the insurance industry will be approaching this risk with increased caution. It will be interesting to see whether in the end CrowdStrike causes policies to provide broader System Failure coverage (based on customer demands), or have the opposite effect given the potential losses. 

In conclusion, wherever cyber is provided, cover in respect of System Failure is carefully controlled by markets given the potential for “systemic” losses. The most likely coverage under a cyber policy for BI as a result of the CrowdStrike outage would appear to be where BI (or dependent BI) cover is given for System Failure and “System Failure” includes external as well as internal sources of failure.

 

Produced in collaboration with Oorjita Lath, partner of Okube Advisors LLP

oorjita.lath@okube.in

Okube Advisors LLP was founded by Oorjita Lath (LinkedIn profile: www.linkedin.com/in/oorjita-lath-13a55112). Oorjita has extensive experience in the Financial Lines & Casualty domain, having pioneered the Financial Lines and Liability Insurance space in India. She has also specialized in the Cyber Insurance domain and has been a speaker and author at both National and International forums. Oorjita began her Insurance journey as a Liability Underwriter at ERC Chicago and then at AIG India, and later established the Financial Lines & Liability Vertical for Aon, India. After more than 20 years as an Underwriter and National Head at leading Insurance Broking firms, she launched her Independent Consultancy in 2018. The primary goal was to simplify the complex world of insurance and offer services to Insurance Companies, Insurance Brokers, InsurTech companies, and Corporates. Okube Advisors LLP specializes in Product Development for New Policies, Reviews, and revamps of existing policies to align with current Regulatory requirements and industry trends, Packaged Policies, and Pre-Underwritten policies for the SME sector. The firm also offers Claims Consultancy and other related services. For more information, visit www.okube.in.

bottom of page