Zywave Cyber Front Page News
- Thursday, August 1, 2024
CrowdStrike outage not a market-turning event, but a key test of coverage: Experts
By Erin Ayers, Front Page News
The global technology outage on Friday, July 19, might have taken the public by surprise, but not cyber insurance professionals who have long anticipated the potential for non-malicious system failures to impact businesses around the world.
Despite the significant disruption, cyber market experts say the outage fell within the range of cyber scenarios envisioned by underwriters. Insurers and brokers expect to see plenty of claims for direct and dependent business interruption stemming from system failure, and estimates for insured losses range from $400 million up to $1.5 billion.
It’s not expected to be a market-turning event but may halt the slide in price reductions for large corporate clients, say experts. It will also serve as an opportunity to see cyber policies’ approach to system failure in action.
“I think we knew there would come a day when this aspect of coverage would get tested,” said Alexandra Bretschneider, vice president and cyber practice leader for Johnson Kendall & Johnson.
Cyber policies, never known for standardized language, are “all over the map” on wordings for direct and dependent business interruption stemming from system failure, say sources. But the cover has been readily available either built into policies or more typically added as an endorsement, often with full limits due to the softer cyber market conditions. Business interruption coverage is also subject to waiting periods.
“What we have definitely been more and more alerted to is how the policy works and how it’s triggered,” said Nadia Hoyte, national practice cyber lead for USI Insurance Services.
Waiting periods, which typically range from eight hours on the low end up to 24 hours, seem to have been the right strategy for cyber insurers to reduce exposure, according to David Anderson, vice president in Woodruff Sawyer’s cyber practice. CrowdStrike issued a solution relatively quickly, meaning many businesses may have been able to come back online before the waiting periods on their policies kicked in.
“I think the universe of loss is smaller than we think,” Anderson told FPN. “The fix was out, and the fix was pretty doable.”
He added, “Most of the companies that actually suffered greatly … should have already been identified as high-risk by their underwriters. If you thought they were not a good business interruption risk before Friday, you probably had your theories confirmed on Friday.”
Likely losses
That’s not to suggest the economic losses won’t be impactful for affected businesses. Airlines, hospitals, 911 operators, banks, and other organizations around the world faced the “blue screen of death” when CrowdStrike’s update forced Windows-based systems to repeatedly attempt to reboot.
Microsoft reported the event knocked some 8.5 million devices offline, and while CrowdStrike’s fix went out relatively quickly, the outage highlighted the risks of single points of failure.
“CrowdStrike is exactly the kind of aggregation risk that the industry is worried about,” said Sridhar Manyem, senior director of industry research and analytics for AM Best, in a statement. “The interconnectedness of systems was in full display last week and demonstrated how businesses can be brought to a standstill abruptly and on a large scale. This incident is likely going to impact multiple insurers.”
Manyem said Best expects the losses to be an earnings event for insurers, based on the limits and deductibles put out by cyber insurers.
“This is still developing and has the potential to be a contracted claims and legal process and we will be monitoring the situation. This event serves as another example why cyber is such a dynamic market and clients/insurers need to be on top of emerging issues,” he said.
Cyber modeling firms Parametrix and CyberCube each noted in recent reports that insurers focusing on the large corporate market will likely see more claims than those with primarily small to midsize enterprise (SME) portfolios.
Shift in conversation
The event should “refocus” the systemic risk conversation, according to Lindsey Nelson, cyber development leader for CFC. In recent years, the cyber market has been heavily focused on excluding cyber war and state-sponsored attacks from policies.
“The reality is, both war and infrastructure were only subsections of what systemic risk can mean,” she told FPN. “What’s going to be interesting is what people do with the data now and how that informs the underwriting process.”
Non-malicious cyber disruptions have long been on the radar for underwriters, Nelson said, so while the market needs to “take a careful line on blowing this out of proportion,” the event suggests the industry is “well positioned.”
“The product is working exactly as we intended,” she said. “We’ve always looked at non-malicious attacks, always priced the risk accordingly. There were always reserves set aside for this specific type of event.”
CFC, which has both larger corporate clients and SME insureds, was able to identify potentially affected insureds early and reach out to assist, Nelson explained. The market needs to be “a lot more vocal about what we can do to get people back up and running,” she said.
“It reinforces the validity of insurance,” Nelson said.
The CrowdStrike outage and other recent supply chain events also give brokers a chance to have conversations with clients about the “completeness of their risk,” according to USI’s Hoyte.
“It reinforces the need to have a structured conversation around this,” Hoyte told FPN, adding that organizations can ask themselves, “Am I really looking at the risk assessment? Have I just focused on ransomware? Am I missing the boat because I’m not looking at the fullness of the exposure?”
Brokers hope the industry response won’t be exclusions for future similar events or cutbacks in coverage. Customer demand for system failure cover will likely only ramp up.
“This feels like a need,” said Bretschneider. “My hope would be the result isn’t a change in coverage, but we might see a change in deductibles.”
Scrutiny around critical suppliers for the purposes of dependent business interruption will almost assuredly increase, experts agree.
“Brokers will need to refocus and shift conversations around doing the dreaded BI worksheets,” said Hoyte. “It has certainly raised some additional levels of consideration that brokers and insurers alike need to be more mindful of. It brings into the fore how you analyze the exposure.”
It’s a “leveling up” of cyber and will contribute to the market’s growth. The industry needs to stay flexible and always ready for the next risk, she added.
“There’s a cavalier space you have to be in when you’re in cyber because you’re charting the waters for something that is grand,” Hoyte said.