Last Friday (July 19, 2024), millions of Microsoft devices were impacted when a defective update was deployed for users of the CrowdStrike Falcon Sensor product. The repercussions of this software update are continuing to spin out, with aviation, financial services, healthcare and retail among the industries most impacted.
Discussing the event in an interview with Re-Insurance Business, Tancred Lucy (pictured), vice president at Acrisure London Wholesale, highlighted the “perfect storm” of conditions as it coincided with last week’s Microsoft Azure outage. The problem was exacerbated by CrowdStrike’s popularity among the upper-end of the mid-market and large corporate segment, he said, while Australasia was the hardest hit region, due to the timing of the attempted update.
“From a coverage perspective, we’re looking at the business interruption insuring clause being triggered for CrowdStrike clients whose systems have gone down,” Lucy said. “But there’ll be a lot of entities trading with CrowdStrike clients that might be looking to notify claims under their dependent business interruption insurance clause.
“From an insurer’s perspective, it is a positive that waiting periods are applicable on both of those insuring clauses. These can be as low as six hours, but are typically between eight and 12 hours, and sometimes higher for larger insureds, particularly in industries such as aviation, retail and manufacturing.”
This could prevent insurers from incurring significant losses attributable to the outage, he said. Another positive is that this was not a malicious cyberattack, shutting down CrowdStrike, and so a correcting update was able to be delivered quite quickly (within 90 mins), with many across the cybersecurity landscape stepping up to share workarounds and fix codes to enable people to reboot their systems and return to BAU conditions as quickly as possible.
Lucy noted that the penetration rate for cyber is typically much higher in the large and mid-market corporate space which has been the hardest hit by this outage, due to the popularity of CrowdStrike among this size of organisation. It will be interesting, he said, to see if this event translates into awareness that malicious activity is not the only cyber threat that requires attention and consideration.
“What I think will really come into focus for a lot of people, is making sure that the cyber policy they have, or are looking to buy, is really fit for purpose,” he said. “This is especially true in the SME space, where buyers may think they have cyber coverage via a package policy, but this may not provide non-malicious triggers for business interruption coverage or extend to third party service providers.
“It needs to be a robust standalone cyber policy that addresses non-malicious, as well as malicious, incidents, and covers you for both business interruption and, ideally, dependent business interruption… When something like this happens, hopefully, it makes people think more carefully about buying cyber insurance.”
From a broker’s perspective, he said, incidents such as the CrowdStrike outage offer an opportunity to showcase the value of their expertise. At the moment, the focus is on figuring out which clients have been impacted, the extent of that impact, and how their policy is going to support them. It’s about addressing the concerns clients have, but also making sure that they don’t become too fixated on this exposure, to the detriment of their wider risk profile.
The role of the broker is to maintain a 360-degree view of your clients’ exposures, he said, and to make sure that the solutions being provided are tailored to the risks they’re facing, rather than taking a one-size-fits-all approach. Getting that right comes down to really understanding your clients, their business and their exposures.
The CrowdStrike incident shows that a client can make all the right investments in their cybersecurity and still be impacted by an outage. There are certain situations where there’s simply not a huge amount an insured can do to prevent a hit to their operations, so, as a broker, it’s about steering them through the incident and seizing the opportunity presented to examine the strength of their business continuity plans, resiliency and workaround processes.
“This is a really good opportunity to see how their business would react if, in the future, they suffer a malicious attack,” he said. “How quickly is their business back up and running? How good is their team in dealing with a crisis and initiating their emergency procedures? It’s a great opportunity to learn lessons that can be implemented for other threats going forward.”
As to whether the CrowdStrike outage is likely to lead to insurers applying coverage restrictions going forward, Lucy believes this is unlikely given where the cyber market stands. A lot of markets, he said, are comfortable with the controls that the insureds had to put in place during the hard market. However, underwriters may look to scrutinize insureds a little bit more carefully, just to make sure they fully understand where they have single points of failure within their book.
Whether it’s having a lot of insureds using the same product, such as CrowdStrike’s Falcon Sensor, or relying on the same cloud service provider or data centre, insurers need to map out their exposure profiles. He expects underwriters will look at collating that information more thoroughly to try and avoid aggregation of potential single points of failure, and better understand their exposures.
“I'm sure underwriters are doing that already,” he said, “but I expect it will be a bit more thorough with regards to analysing their insured’s supply chain and service providers. However, given the current state of the market, I don’t think insurers can start to withdraw coverage, when business interruption and dependent business interruption are so clearly crucial coverages for insureds and one of the key reasons you buy a cyber policy, alongside the breach response services that are offered.”
