It’s less than a month since CrowdStrike’s global IT outage hit millions of devices, grounding planes and impacting the operations of businesses of every size and industry. Early reports into the incident underscored the risks associated with digital supply chain interconnectedness, impacting not just CrowdStrike’s direct customers – many of whom are Fortune 500 companies – but also their third-party networks, affecting unrelated sectors.
The insurance company Parametrix has estimated the damages resulting from the days-long cyber incident at approx. US$5.4 billion. Meanwhile, recent analysis from Guy Carpenter has estimated the insured losses to range from US$300 million to US$1 billion, with the reinsurance broking giant also reporting that less than 1% of companies with cyber insurance globally were affected.
The question for insureds and their brokers now is whether the coverage is available under the scope of their cyber and property damage/business interruption insurance – and what steps they need to take to ensure compliance with notification provisions and other claims conditions.
At the root of answering these questions is the nature of the incident, and its classification as a systems failure rather than a malicious attack. “A lot of affected policyholders will not have systems failure coverage,” noted Joanna Grant (pictured) – who was made managing partner at Fenchurch Law in May of this year. “Most standard cyber policies are designed to cover malicious attacks, that’s unauthorised access to systems and hacking. Systems failure coverage is absolutely available, but it is much more targeted to the more sophisticated end of the market.
“That end of the market has suffered some of the biggest losses we’ve been reading about in travel, healthcare and financial services but equally, they’re the most likely to have systems failure cover in place. The other big aspect of this is around the waiting periods and the extent to which impacted businesses were able to get up and running again in that window.”
The shakedown is going to be working out which policyholders with this type of cover also had outages that extended beyond their waiting periods. What is clear is that some claims are to be expected, and some of those will be large in nature. However, the success of these claims – as always in insurance – will come down to the detail of the wording, which specific systems failures are covered and whether there’s a match to the specific event in question.
“I think where the jury is still out, is whether the wordings will be sufficiently clear as to where there is and isn’t cover, claims will be paid out and we may not potentially see a large volume of disputes down the track,” Grant said. “It’s too early as of now to give a view - but I certainly would expect some disputes, especially where there is ambiguity around the extent of cover. And if we’re seeing claims of a sufficiently high value, that puts us squarely in the territory where one could expect to see some disputes.”
First and foremost, it’s critical for insureds to make sure that they’ve done everything necessary to preserve their cover from the get-go of any insured event. As such, policyholders need to be closely checking their policies – both their property damage and business interruption policies and their cyber policies to see what coverage they have in place. “If it looks like there’s cover,” Grant said, “they need to ensure they’re complying with any of the notification conditions and the claims conditions in the policies.
“Certainly they’re going to need to be mitigating their losses so far as possible, by getting the systems up and running again. They need to be making sure they’re keeping accurate records and documenting the sequence and the chronology of events. An obvious example is that they’re going to have to evidence that their losses extended beyond any waiting period. They’ll also potentially need the assistance of forensic accountants or other loss assessors in quantifying their loss so that they can evidence that in support of their claim.”
It’s in the event of an incident such as CrowdStrike that the role of the broker really comes into play, not just as a front-liner provider of support and insight but also as the gateway to helping insureds access timely guidance and expertise.
Brokers, who might otherwise have been expecting a quiet August, will be tasked with helping policyholders comb through their policies and determining whether or not they have cover that is likely to respond, and what to do next if they do. “It’s the broker who will help them along every one of the necessary steps towards bringing that claim together, so they can put their best foot forward,” she said. “And by following the right steps, it’s brokers who give their clients the best opportunity to have those losses covered.”
