Will 19 July 2024 go down in history as a day of IT disaster and global IT meltdown? The answer to that question is: ‘It is simply too early to tell’.
The insurance press and certain Information Technology (IT) focused news providers are painting a grim picture. One particular online journal mentioned financial loss in the small billions of dollars.
Others have been saying ‘It is the most important cyber accumulation loss event since NotPetya’.
Those affected by the event include airlines and healthcare providers. We have seen that airlines were unable to check in passengers as a result of not being able to access their own computer networks.
The disruption was magnified if your business used Microsoft software products because the Crowdstrike failure adversely affected any firm using Crowdstrike products in conjunction with Microsoft. So, the fallout was not limited to just the Crowdstrike application. This is an important element to understand if we are to gain a greater appreciation of what might have happened last week.
As with many things in life we need to dig beneath the surface to gain a greater insight into what happened and then attempt to understand what this all means for those businesses that might have purchased a cyber insurance policy. Firstly, this was not a malicious event, it was indeed an accident. Crowdstrike issued a software patch to its customers which contained a software ‘bug’. This bug caused computers to crash and become inoperable. For those business that do not run a Crowdstrike application then they may have avoided any financial loss. However, if their business relied upon outsourced IT service providers who do run a Crowdstrike product then your business may have been affected. Further, if your business relies heavily upon a supply chain of other non-IT businesses that supply you with products and services then you might have been affected too.
When looking at your cyber insurance policy there are several questions that need to be answered.
Does your policy cover you for business interruption and loss of business income? If the answer to that question is affirmative then you need to know if the loss of business income coverage covered you for ‘security failure’ only. Some insurance policies covering loss of business income are only triggered by a ‘security failure’ which in this context means a malicious event. Since this was not a malicious event your policy needs to cover you for ‘system failure’ which means an accident affecting your computer network.
We need also to look further into the extent of the business interruption coverage. This falls into two categories, firstly dependent business interruption where your business relies upon outsourced IT providers. Again some policies cover security failure only for outsourced IT providers. Others would include coverage for both system failure and security failure. After looking at that your attention should be directed to non-IT dependent business interruption. Again this element of coverage is triggered by security failure and not always system failure. Many, possibly most, policies do not cover any non-IT dependent business interruption.
Lastly, most business interruption coverages respond after a ‘time waiting period’. This means the disruption to your computer network or the network of a dependent business needs to last for a number of hours before coverage applies. Historically time waiting periods were 10 or 12 hours but recently we have seen some policies have an eight hour waiting period before coverage applies.
Many firms who have been affected by the events of Friday 19th July will likely incur costs to ‘rebuild’ parts of their computer network. All policies that we have seen cover the policyholder for costs and expenses to restore and or recreate damaged data including software applications and programmes. Typically, these coverage responds excess of monetary deductible or retention.
Furthermore, if your firm was unable to provide product or services to your customers as a result of events on Friday 19th July then you may be exposed to unintentional breach of contract claims which may be covered by own professional liability or technology errors and omissions insurance policies.
We do not believe you will find any coverage in London in a traditional property policy for the events of 19 July as we see cyber exclusions in those policies.
Many cyber policies include coverage for reputational harm consequent upon an adverse media report. Damage to a reputation can lead to loss of business income. This financial loss may extend way beyond that of Crowdstrike but also to those firms that have Crowdstrike products in their environment if indeed such firms incurred disruption to their own operations.
The events of last week also serve to expose that digital accidents do happen and that cybersecurity solutions are not bullet proof. This may turn out to be a widespread event and that will inevitably lead to conversations with insurers as to realistic disaster planning scenarios and how insurers need to be prepared for these eventualities.
Crowdstrike are a major service provider to businesses so the impact of the failure of the upgrade/security patch may not be felt for some time. There are reports of 8.5 million devices being affected (Zywave Cyber Front Page News). Our Cyber specialists are here to help, get in touch with any of the team below to find out how we can support your insurance needs further.