Insureds urged to review policy wordings after CrowdStrike

Event highlights nonmalicious cyber exposures

Cyber insurance buyers should review their policies, particularly wordings related to business interruption exposures, to ensure they are adequately covered for events like the recent CrowdStrike outage, experts say.

While cyber liability insurance losses are often associated with hacks and ransomware attacks, the systems failure caused by a faulty update from cybersecurity software provider CrowdStrike last month demonstrated the potential for losses from nonmalicious acts.

In its post-incident review, US-based CrowdStrike said that on 19 July it released a content configuration update for its Falcon sensor for Windows.

“These updates are a regular part of the dynamic protection mechanisms of the Falcon platform. The problematic rapid response content configuration update resulted in a Windows system crash,” the company stated.

The software failure affected many industries, including transportation and manufacturing. As the number of notices of loss continues to grow, insured loss estimates have topped $1bn.

The incident provides lessons for the risk management community, from coverage issues to response planning, sources said.

While cyber policies often contain coverage for nonmalicious acts and such coverage is widely available, policyholders should be sure about contract language and limits, said Allen Blount, New US national cyber practice leader at Risk Strategies.

“It is sometimes a coverage that’s overlooked,” Blount said. In addition to ensuring that nonmalicious acts are explicitly covered, policyholders should check that their full limit applies because some insurers may sublimit such coverage, he said.

Business interruption claims related to the CrowdStrike incident may prove complex and lengthy, sources agreed.

Meredith Schnur, US and Canada cyber practice leader at Marsh, said the most common question she has faced is whether cyber insurance covers an event like this. She said notices of loss continue to be issued by policyholders.

Because there is such variation among forms in the commercial cyber insurance market, policyholders may be faced with differing accounting methods for losses under business interruption coverage.

“You can pick up five different policies and read the business interruption or contingent business interruption coverage in all of them, and they will all look different,” Schnur said. Policyholders must “understand the extent of that coverage and how it varies”.

Rory Egan, London-based head of cyber analytics for Aon’s reinsurance solutions division, said: “We’re starting to get a picture of the sort of footprint of the event, but I think what will take longer, and much more than a couple of weeks, will be on the quantum of loss.”

One factor influencing the size of the total insured loss among companies that bought systems failure coverage is the waiting period applicable.

“Can they start counting from the fourth hour of disruption or the 12th hour or the 24th hour? That’s going to be a determinant on where we end up in terms of loss quantum at a market level,” Egan said.

Some policyholders likely got up and running again before they exceeded the time retentions in their policies, said Brian Gillin, managing director for the US East region at Aon.

Coverage for nonmalicious acts is “generally included” in most larger, more sophisticated commercial cyber insurance programmes but is not universal, he said.

“As more and more data comes out about how sizable some of the losses were for particular companies, it’s going to cause others to reevaluate what they are currently buying and potentially buy more,” Gillin said.

Elisabeth D. Case, global product manager, cyber, for Liberty Mutual Insurance, said that every company should have a business continuity plan in place that focuses on what is needed to get the business back up and running, regardless of the cause of the disruption. Practicing and holding drills for the programme should be part of the approach, she said.

In the event of a malicious attack, data can be encrypted, there might be a ransomware demand, and there may be exfiltration of data, potentially triggering multiple portions of a policy and requiring different recovery experts for the different exposures arising out of the event, Case said.

With a system failure such as the CrowdStrike incident, “it’s a matter of just restoring the network, the operations, and getting back up and running,” she said.

This article first appeared on our sister website Business Insurance.
