Editor's Note: This is a developing story and will be updated as more information becomes available. Part 2 of this series will examine the subrogation and legal issues surrounding this outage.
The advent of the largest IT outage in history caused the technology of numerous industries to topple like dominoes as they lost the use of their computers and other critical tools. Airplanes were grounded, passengers were stranded, courts were closed, hospitals performed only necessary surgeries and even some news organizations had to improvise to stay on the air.
The impetus behind the collapse was a software update that cybersecurity firm CrowdStrike released for its Falcon platform to various Windows systems. The update triggered an error, crashing the Microsoft Windows systems and affecting an estimated 8.5 million devices. However, it did not affect Linux or MacOS systems.
As companies lost the use of their systems around the globe, it was pandemonium as airlines lost the ability to check-in passengers and luggage at airports, delaying and canceling flights; businesses lost the use of their cash registers and access to electronic files; banks and their customers had login issues; health care providers couldn't check in patients or access their records; and even trading on the New York Stock Exchange was delayed at times.
CrowdStrike CEO George Kurtz apologized for the disruption and said that many companies found that rebooting their systems helped to restore service, but the damage was already done.
As businesses begin to recover and assess the damage, a key question is what will the impact be to the insurance industry as companies and consumers seek to recover some of their losses from this outage? It has not been identified as a cyberattack, but cyber coverage could certainly be one of the policies involved.
"The incident outage has potential to hit several different insurance policies and could go on to become a contract dispute between a corporation and its IT provider," shares Bernard Regan, a principal with Baker Tilly's Forensics, Valuation and Litigation Services practice. "With cyber insurance, there may be cover within these policies related to 'dependent system outage.' This effectively means that if you have a third-party providing IT services, and they are affected, then your cyber insurance policy may trigger. If this is the case, then the cyber policy would likely provide cover for costs in relation to data/system restoration and business interruption. If a company could not operate 'as normal' and there was a direct causal link to lost revenue or interruption to revenue streams, then a business interruption claim may be forthcoming. However, given some policies have waiting periods, such as eight hours, the incident recovery time will be crucial."
Meredith Schnur, U.S. & Canada cyber practice leader at Marsh agrees that cyber claims are likely, as well as claims against other lines. "Cyber insurance policies are the likely place for coverage to be triggered, including business interruption, contingent business interruption and E&O. Given the magnitude and scope of this outage, we may see consequences that affect product lines beyond cyber risk, most prominently directors & officers (D&O) and property/casualty (P&C)."
"Primarily blended cyber/tech E&O policies with dedicated system failure coverage will be impacted," says Jeffrey Batt, CUO and head of cyber for Pera, a cyber-focused MGA. "However, depending on how cyber incident triggers are interpreted given relevant policy language, it's possible that insurers will also see claims notices on dedicated cyber-only policies."
"CrowdStrike themselves might have E&O insurance that may be triggered based on the error that was evident in the released patch," adds Regan. "Currently, the severity of the overall damage/outage caused is unknown, but this is something that the insurance community will be reviewing going forward."
Other types of policies could come into play and provide some measure of coverage for entities. Loretta Worters, vice president of media relations at the Insurance Information Institute advises, "Some companies might have Network Downtime Insurance, a parametric solution to protect businesses from losses arising from network service providers such as Microsoft (which was also impacted). Network Downtime Insurance provides coverage for financial losses and other negative impacts following an unexpected interruption to a third-party supplier's network services. Downtime may be caused by power outages, natural disasters, equipment failure, or any other event that prevents a service from running normally. With parametric insurance, the cover is triggered when the insured's cloud is down for a period specified in the policy, usually with a time-based deductible, sometimes after an hour."
The outage also left businesses utilizing CrowdStrike's software vulnerable to cyberattacks. "This outage can cause major cyber incidents. If networks are down and needing reboots or businesses are receiving phishing emails from domains including CrowdStrike, individuals and businesses may be vulnerable and open to cyberattacks, malware, etc.," says Tony Abrudeanu, RPLU, vice president, executive lines practice leader for DOXA Insurance Programs. "For example, there are already many domains being purchased shortly after the outage referencing the name CrowdStrike. This is being used for phishing emails/attacks. This would trigger cyber policies."
Douglas Wells, director at Sedgwick, Forensic Accounting Services, provides some insight into how cyber coverage and some exclusions could be viewed. "While cyber policies typically cover malicious acts, many of them also include coverage for human error leading to IT infrastructure failure and events of that nature. Policies also commonly cover contingent business interruption to insureds where their service provider has been subject to a breach, human error or IT failure. This occupies a narrow lane that a primary cyber policy would respond to a first-party claim."
"Given this was not a reported cyberattack, coverage will likely depend on the wording of cyber policies to see how computer systems have been defined," explains Regan. "If any externally connected devices or networked environments are considered as part of the corporate network, this may represent a covered loss. However, if there is an exclusion stating all systems outside of the network are considered as third-party, any outage of those services may not be covered. In addition, the definition of 'Outsourced Service Provider' may also be relevant given how CrowdStrike is likely to have operated with their clients.
Alternatively, some insurance carriers may consider this type of incident as a 'system failure' event which is not covered under all policy forms that exist in the cyber insurance market."
Batt finds that "the intent of most dedicated cyber-only policies is to exclude cyber incidents and events that are not related to unauthorized data use or access. However, if some policies are not explicit around this definition or wording, despite the carrier's actual intent, it could be arguable that the scope of such coverage is broader and includes cover for system failure and IT-related outages."
The impact on the travel industry was apparent almost immediately, as more than 3,400 flights were canceled initially because of the outage, according to FlightAware, with Delta Airlines being one of the most affected carriers. Spirit, United and American flights were also canceled or extremely delayed.
As unhappy travelers missed or had to defer their vacations, airlines were overwhelmed as they tried to reticket or rebook customers. The value of travel insurance became much more apparent as weary travelers had to stay at or near airports, pay for extra meals or even buy clean clothes when their luggage was unavailable. "The Federal Government, including the Secretary of Transportation Pete Buttigieg, have directed travelers to the Airline Passengers' Bill of Rights," says Timothy Wirth, executive general adjuster at Sedgwick. "Those with travel insurance should explore their options and review the conditions and coverage of their policy."
Travel is still disrupted several days later and many of the claims related to the outage are just beginning. The next installment of this series will examine the opportunities for subrogating some of these claims, the legal implications for some of the parties involved, and what lessons can be learned for carriers and customers alike.
See more: