Last Friday (July 19, 2024), millions of Microsoft devices were affected when a flawed update was rolled out to users of the CrowdStrike Falcon Sensor product. The fallout from this software update is still ongoing, with the aviation, financial services, healthcare, and retail sectors among the hardest hit.

Speaking to Re-Insurance Business, Tancred Lucey (pictured), vice president at Acrisure London Wholesale, highlighted the “perfect storm” of circumstances as it coincided with the Microsoft Azure outage last week. He said the issue was exacerbated by CrowdStrike’s popularity among mid-sized businesses and large enterprises, while Australia was the worst affected region, due to the timing of the attempted upgrade.

Get the latest reinsurance news straight to your inbox twice a week. Sign up here

What are the risks facing the market?

“From a coverage perspective, we are looking to activate the business interruption insurance provision for CrowdStrike customers whose systems are down,” Lucy said. “But there will be a lot of entities that do business with CrowdStrike customers that may be looking to notify claims under their business interruption insurance provision.

“From an insurance company’s perspective, it is a positive thing to have waiting periods for these two insurance items. These periods may not exceed six hours, but they usually range between eight and twelve hours, and sometimes higher for larger insurers, especially in industries such as aviation, retail and manufacturing.”

He said this would prevent insurance companies from incurring significant losses that could be attributed to the outage. Another positive is that this was not a malicious cyberattack that shut down CrowdStrike, so a patch could be delivered very quickly (within 90 minutes), with many cybersecurity players stepping up their efforts to share workarounds and fix code to enable people to get their systems up and running again as quickly as possible.

What are its implications for the cyber insurance landscape?

Lucy noted that the prevalence of cyberattacks is much higher in large and mid-sized companies that were hit hard by the outage, due to the popularity of CrowdStrike among these size of organizations. He said it will be interesting to see if this event translates into awareness that malicious activity is not the only cyber threat that needs attention and consideration.

“I think what a lot of people will be focusing on is making sure that the internet policy they have or are looking to buy is really fit for purpose,” he said. “This is particularly true in the SME space, where buyers may think they have internet coverage through a bundled policy, but that may not provide a harmless incentive for business interruption cover or extend to third-party providers.

“It takes a strong, standalone cyber policy that addresses both non-malicious and malicious incidents, and covers you for business interruption and, ideally, indirect business interruption… When something like this happens, we hope it will make people think more carefully about purchasing cyber insurance.”

How Brokers Can Help After a CrowdStrike Outage

From a broker’s perspective, he said incidents like the CrowdStrike outage provide an opportunity to demonstrate the value of their expertise. Right now, the focus is on understanding which clients are affected, how much of that impact is there, and how their policies will support them. It’s about addressing the concerns that clients have, but also making sure they don’t focus too much on that exposure, to the detriment of their broader risk profile.

The role of a broker, he said, is to maintain a comprehensive view of their clients’ risks, and ensure that the solutions offered are tailored to the risks they face, rather than a one-size-fits-all approach. Achieving this comes down to truly understanding your clients, their business and their risks.

The CrowdStrike incident shows that a client can make all the right investments in their cybersecurity and still be affected by a power outage. There are certain situations where there is simply not much an insured can do to prevent damage to their operations, so as a broker, it is about guiding them through the incident and taking the opportunity to examine the strength of their business continuity, resilience and workaround plans.

“It’s a really good opportunity to see how their business would respond if they were hit by a malicious attack in the future,” he said. “How quickly would their business get back up and running? How well would their team handle the crisis and initiate emergency procedures? It’s a great opportunity to learn lessons that can be applied to other threats in the future.”

After CrowdStrike, will insurance companies seek to limit their coverage?

As for whether the CrowdStrike outage is likely to lead to insurers implementing coverage restrictions in the future, Lucey thinks it’s unlikely given the state of the online market. He said many markets are comfortable with the controls that insurers had to put in place during a tough market. However, insurers may want to look at underwriters a little more carefully, just to make sure they fully understand the individual points of failure on their books.

Whether it’s having a large number of insureds using the same product, like CrowdStrike’s Falcon Sensor, or relying on the same cloud provider or data center, insurers need to map their exposure profiles. Insurers are expected to look at collecting this information more holistically to try to avoid aggregating potential single points of failure and better understand their exposures.

“I’m sure insurers are already doing this, but I would expect it to be more comprehensive in terms of analyzing the supply chain and service providers for the insured. However, given the current state of the market, I don’t think insurers can start withdrawing coverage, when business interruption and subsequent business interruption are clearly critical coverages for insureds and one of the main reasons for purchasing cyber insurance, along with the breach response services provided,” he said.

Get the latest reinsurance news straight to your inbox twice a week. Sign up here