Editor's Note: This is Part 2 of a two-part series. Part 1 can be
The damage estimates from the CrowdStrike outage are still coming in as companies ascertain their losses, however, insurer Parametrix puts the total loss assessment for Fortune 500 companies at $5.4 billion. Actual insured losses are anticipated to fall between $.054 billion and $1.08 billion finds Parametrix in its impact analysis of the event.
"Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries," said Jonathan Hatzor, co-founder and CEO of Parametrix in a press release. "It tells us more about the ways that insurers and reinsurers can diversify their cyber risk portfolios to minimize the potential impacts of systemic cyber risk. However, our analysis does not show the whole diversification picture. A cyber insurer focused on very large companies will certainly suffer a much greater CrowdStrike loss relative to premium than one with a large SME book."
In an email to Digital Insurance, Hatzor says, "The primary policies likely to be triggered by the CrowdStrike event are cyber insurance policies, specifically under non-malicious events coverage. Relevant triggers will fall under dependent business interruption or system interruption. This event serves as a case study demonstrating how such systemic events can impact multiple lines of insurance. Travel insurers, for example, have already been affected by flight delays. We still need to evaluate the impact on various insurance lines, including disrupted supply chains, liability coverages for critical medical procedures that were delayed or not performed, and directors' and officers' liability for failing to protect their firms against such events."
Hold harmless and other service agreements between CrowdStrike and its customers could also affect what losses are covered.
"The terms of the agreements between the parties could play a significant role, including because they likely have indemnity provisions, and possibly have limitations on liability and insurance requirements," explains attorney Dan Healy, a partner in Brown Rudnick's litigation and arbitration practice, in an email. "To the extent the provisions apply to what happened in this incident, the provisions could be a basis for or a limitation on the involved parties' liability."
Early in the chaos of the event,
"Based on media coverage and the ripple effects of this outage, the loss, and thus the potential liability, liability appears to be immense," advises Healy. "It does appear that CrowdStrike reacted quickly and there are reports that the issue was isolated and contained. It may be that those steps already have mitigated the loss and CrowdStrike may cite its efforts in that regard to lessen its culpability in disputes that lie ahead. But the fact that thousands of businesses worldwide were effectively shut down from performing some or all key functions suggests significant liability."
The role of subrogation
While insurers will be the initial payors for many of these losses, there will be opportunities for subrogation against CrowdStrike and any other companies involved in building out the failed update.
"There is little doubt that many will look directly to CrowdStrike for financial restitution or – at minimum — technical assistance given their apparent, albeit non-intentional negligence with the Falcon software update misfire," shares Jeffrey Batt, CUO and head of cyber for Pera in an email. "That said, MSAs typically cap liability, and although CrowdStrike will have some protection around aggregation, the sheer scale of the impact will be costly in terms of doling out service credits, providing out-of-band IT support to impacted clients, and so on. Same with Microsoft on a different level, although they will likely look to CrowdStrike for restitution of losses at some point. I'm also separately aware of a warranty that CrowdStrike has in place relating to software malfunction, so this could be impacted as well."
"To the extent that affected businesses do not have a direct relationship (contractually) with CrowdStrike for the software and services at issue, subrogation could be an issue. There also may be layers of affected businesses and, potentially, intervening conduct that caused or enhanced the effects of the loss. These multi-layered scenarios can always potentially give rise to subrogation and indemnity arguments. Consumer and customer claims could add a further layer," explains Healy.
"Insurers may explore subrogation rights to recover compensation from CrowdStrike," adds Hatzor. "However, given that CrowdStrike's Service Level Agreement (SLA) is likely to be well-crafted, with limited liability to the paid subscription, it is doubtful that significant recovery will be achievable."
Chris Tidball, an experienced claims consultant, says that much of the chaos could have been prevented with more testing. "They should have rolled this out to a limited pool of users first, which they didn't do. That's the safe approach to avoid this type of mess."
Part of the challenge of subrogating the travel claims involves how airlines and other travel entities reimburse their customers. Edward Jordan, an industry operations executive, explains, "Say, AIG pays a claim and then they go to subrogate let's say the travel insurance. It was something caused by the airline and when they try to subrogate for that money back, you find that insured, the passenger, had received travel credits instead of cash. If he receives cash, it still somehow has to make it back to that policy, and that's where chasing individuals on this becomes hard because you can't get reimbursed for the loss and receive credits from the airline."
Unlike claims for a wildfire or hurricane, which are limited to specific geographic areas and allow insurers to pool resources, the claims from the IT outage are global and will tax some of the claims teams for carriers.
"This is an unfortunate event, but one the cyber insurance market has anticipated," shared Meredith Schnur, U.S. & Canada cyber practice leader at Marsh in an email. "While some claims may be more straightforward, cyber CBI claims are more complex and will take time to resolve. Forensic accountants will likely play a crucial role in assessing and quantifying the financial impact on a business' operations and revenue streams."
Timothy Wirth, executive general adjuster at Sedgwick believes that "the industry will potentially struggle to respond in a timely manner to the volume of claims requests but claims professionals and companies with the necessary expertise and capacity will be able to address any need and are prepared for this. However, it will take IT professionals time to support businesses as they get back up and running, and customers will have to have conversations with their vendors before claims are submitted. I expect that by mid-August, the number of claims will have increased substantially."
"Managing complex business interruption claims will be challenging due to the limited number of Cyber Third-Party Administrators (TPAs). This situation will test the market's ability to step up and deliver the coverage promised to customers without resorting to exclusions or dramatically changing coverage terms," adds Hatzor.
Batt likens the claims scenario to the NotPetya attack. "Big picture, I envision a claims scenario that drags out in a way somewhat similar to the aftermath of NotPetya back in 2017, when some entities made claims notices on property and other insurance policies with limited to no dedicated coverage for cyber events, thus leading to litigation around coverage intent and resulting delays."
Lessons to be learned from this event
While speed and agility are definite benefits in a connected world, this event also highlighted some of the risks of interconnectedness.
Adam Denninger, global insurance industry leader at Capgemini says in a statement, "This type of event highlights the fragility in the multi-party, often multi-cloud ecosystems most insurers have moved to — fragility that most insurance leaders don't even know is there. I do not believe there is a way that business executives at any carrier would willingly accept a technology solution for their business that is this fragile, however, they generally have no idea these types of fragility exist, until there is a dramatic event."
"This incident is a significant wake-up call for the industry," says Hatzor. "Cloud services accumulation was unmanaged and inadequately accounted for in many models and realistic disaster scenarios (RDSs). For example, travel insurance models did not anticipate a global flight cancellation and delay event, highlighting the need for more comprehensive modeling."
Sedgwick's Wirth foresees possible intervention or attention from regulators. "I fully expect that regulators will step in and emphasize that an event of this kind cannot happen again, and that there is a crucial need for diversity in these arenas in terms of the companies that are providing these kinds of services. As this regulatory landscape evolves, contractor diversity will be paramount and will lead to a more robust and responsive system."
Tidball says that CrowdStrike and anyone else with deep pockets will be the focus of any lawsuits emanating from this event. Healy finds that while there were no reports of a breach or a hack, plaintiffs lawyers can be very creative, "and given the breadth of affected businesses and people, lawsuits can be expected."
Like many complex incidents, there will be a long tail to these claims as more information becomes available and losses are tallied.
See more:
