Insurers on the brink of multi-billion dollar losses after global IT outage

A recent global IT outage caused by a faulty CrowdStrike software update has left industries reeling, with insurers facing potential losses in the billions.

  • Marina Mouka
  • July 24, 2024
  • 3 minutes

The recent global IT outage caused by a faulty software update has sent shockwaves through various industries, including airlines and retail. The financial repercussions for insurers are expected to be monumental, with losses potentially reaching billions of dollars.

The CrowdStrike outage on Friday, which affected over 8 million devices reliant on Microsoft Windows software, has been described as one of the most significant IT disruptions in recent history. The incident grounded flights, left thousands of passengers stranded, and disrupted services across healthcare, banking, and retail sectors.

“Economic damages could reach tens of billions of dollars,” said Nir Perry, CEO of Cyberwrite.

Cybersecurity experts noted that this incident highlighted the systemic nature of cyber risk, demonstrating that even an innocuous software update can cause as much havoc as a deliberate cyber-attack, reported the Financial Times.

Insurers are now facing a deluge of business interruption claims. Ryan Griffin, a partner at McGill and Partners, noted, “Insurers are bracing for hundreds, if not thousands, of claim notifications from organisations impacted by the CrowdStrike event.”

However, not all businesses will be covered for their losses. Marcos Alvarez, managing director of global insurance ratings at Morningstar DBRS, pointed out that typical business interruption policies within regular commercial insurance programmes do not cover losses stemming from IT outages.

Additionally, many cyber insurance policies exclude non-malicious events and have deductibles and waiting periods that businesses must consider before making a claim.

Experts identified two crucial factors that could mitigate the losses. Firstly, most policies include waiting periods of around six to twelve hours before coverage begins. Therefore, companies that restored operations within this timeframe might not be eligible for claims, or their claims could be significantly reduced. Secondly, some policies offer more coverage for cyber attacks than for IT outages.

The complexity of assessing and covering losses from such a widespread IT outage presents significant challenges for insurers. Larger companies, such as airlines and hospitals, may fare better due to negotiated terms and conditions that hold CrowdStrike accountable.

Elizabeth Burgin Waller, chair of the Cybersecurity & Data Privacy practice at Woods Rogers, mentioned that these companies might recover damages from CrowdStrike itself. However, smaller businesses without such provisions may struggle to recoup their losses.

The event has also highlighted the need for more comprehensive cyber insurance policies. “This is exactly what cyber insurance is meant to cover,” said Meredith Schnur, U.S. and Canada cyber practice leader at Marsh. The incident is expected to drive demand for more robust cyber insurance coverage, as businesses recognise the importance of protecting against both malicious and non-malicious IT disruptions.

As the insurance industry grapples with the fallout from the CrowdStrike outage, it is clear that digital transformation and robust cyber insurance policies are more critical than ever. The event serves as a stark reminder of the vulnerabilities inherent in our interconnected digital world and the need for continuous innovation and improvement in cybersecurity measures.