Insurers braced for deluge of cyber and BI claims after worldwide IT outage
The IT outage that affected companies around the world last week could lead to an “insurance catastrophe”, according to brokers, law firms and rating agencies.
The tech breakdown was caused by a botched software update by cybersecurity firm CrowdStrike, whose software is widely used in devices featuring Microsoft Windows as an operating system.
This led to outages on a global scale, with flights grounded at airports and television programmes taken off air, while trading was halted on securities exchanges.
The incident also affected public sector organisations, such as hospitals and transport hubs, as well as government agencies.
According to broker Marsh, more than 75 of its clients have already given notice to their cyber insurers that they intend to make a claim.
Meredith Schnur, Marsh’s cyber practice leader in the US and Canada, told Bloomberg that those most affected are CrowdStrike customers.
“We’re trying to triage the situation,” she said. “This is absolutely something that is expected to be covered under cyber insurance.”
In addition to the logistical difficulties that result from a mass-scale outage where thousands of claims are made at once, the CrowdStrike event also highlights the complexity of such claims.
For example, several companies that have suffered indirectly and could be in a position to claim for business interruption (BI) or liability.
This in turn could lead to uncertainty over whether insurers will pay out, something that was seen during the global pandemic and led to a number of cases going to court for a negotiated settlement.
DBRS Morningstar said typical BI endorsements under a commercial property insurance policy exclude losses resulting from a cyber event, such as the CrowdStrike global IT outage. It said losses from an inability to operate IT systems would, instead, typically be covered under a BI endorsement within a cyber policy. But DBRS explained that cyber BI policies usually include a deductible or waiting period of 24 to 48 hours.
According to law firm Mishcon de Reya, risk managers should be “urgently” reviewing their insurance policies to check what cover they have in place and whether they need to notify their insurers of any loss event.
“Insurance policies contain conditions, particularly in relation to notification and actions to be taken following an incident, which must be strictly complied with to preserve the claim under the policy,” read a statement issued by the law firm.
“Delays in notifying insurers could prejudice those claims. Cyber policies will be the most relevant. However, insurance policies covering business interruption and liability to third parties should also be reviewed.”
While there is not yet a consensus on whether claims will be covered by cyber or BI policies, most brokers agree that force majeure clauses will not apply in this case.
“This is exactly what cyber insurance is meant to cover,” said Marsh’s Schnur. “This is not something that is outside of our control.”