On Friday 19th July, a global outage was caused by a defect in a content update to CrowdStrike’s ‘Falcon’ cybersecurity defence software for Windows hosts. This incident, unparalleled in its breadth, not only exceeds prior cyber events like the 2017 NotPetya attack but may also represent the most extensive network disruption ever documented. The scale of this outage underscores the systemic vulnerabilities introduced by technological failures, emphasising the critical need for comprehensive cyber and Technology Errors & Omissions (Tech E&O) insurance policies.
The outage has had significant impacts across various sectors. According to Microsoft, an estimated 8-8.5 million Windows users were affected. More than 2500 flights were cancelled, and approximately 20,000 more flights were delayed. The healthcare industry faced substantial challenges, with professionals unable to access confidential health records. The financial sector was also disrupted, with delays in stock exchange trades and user access issues at banks.
The primary coverages to consider in this event are System Failure and Business Interruption, as the incident has been reported as ‘non-malicious,’ making these triggers relevant for a cyber policy. Additionally, a comprehensive cyber policy includes coverage for incident response and data restoration. This coverage is crucial for addressing the losses incurred by businesses as they work to restore their systems and resume normal operations. It is important to review your policy wording and schedule to ensure these coverages are included and applicable to your specific situation.
This incident wasn’t the result of a cyberattack from a foreign state or a notorious hacking group. Instead, it stemmed from a trusted cybersecurity leader, showing that even the most reliable entities can experience significant failures. The update from CrowdStrike’s Falcon software caused a global IT disruption, impacting millions and affecting critical sectors including government services, financial institutions, airlines, and healthcare providers.
The rapid identification of the issue and its resolution highlight the resilience of the cyber insurance industry. Unlike malware attacks, where root cause identification and remediation can be complex, this incident saw a swift response from the insurance sector, with call centres and technical teams activated to support clients.
This event is likely to drive updates in cyber insurance policies and prompt further regulatory and governance changes in cybersecurity practices. It highlights the systemic risk implications and underscores the necessity for the cyber insurance market to adapt and prepare for such widespread risks.
Cyber Security Review reports that cybercriminals have swiftly exploited the CrowdStrike-Microsoft chaos, engaging in phishing attacks and creating malicious domains disguised as outage fixes. This malicious activity exacerbates the impact on already affected organisations, emphasising the need for heightened vigilance and robust cyber defences.
Key insurance risk considerations
We are dedicated to supporting our clients through this challenging period. Our team is closely monitoring the situation and is ready to assist businesses in assessing their exposure and insurance coverage. We are available to provide advice and support on specific policy coverages and broader cyber insurance considerations.
MNK Re encourages any business concerned about the impact of this outage to reach out for guidance on mitigating risks and understanding potential claims.
For more information, speak with one of our global cyber placement and claims specialists.