Cyber liability insurance losses are often associated with hacking and ransomware attacks, but a systems failure last month caused by a faulty update from cybersecurity software provider CrowdStrike Inc demonstrated the potential for losses to be caused by non-malicious acts, experts say.
He says cyber insurance buyers should review their policies, particularly the terminology related to business interruption, to ensure they are adequately covered.
In a post-incident review, Austin, Texas-based CrowdStrike said on July 19 it had released an update to the Windows sensors used in its systems.
“These updates are a routine part of the Falcon platform’s dynamic security mechanisms. The problematic Rapid Response Content Configuration update resulted in a Windows system crash,” the company said.
The software failure affected many industries, including transportation and manufacturing companies, which shut down operations. As the number of loss notices continues to rise, insureds are also suffering losses; one loss estimate has exceeded $1 billion.
The incident offers lessons for the risk management community, ranging from coverage issues to response planning, sources said.
Cyber policies often include coverage for non-malicious acts and such coverage is widely available, though policyholders should be sure of the contract language and limitations, said Alan Blount, national cyber practice leader at New York-based Risk Strategies Company.
“Sometimes coverage is overlooked,” Mr. Blount said. He added that in addition to explicitly covering non-malicious acts such as system failure, policyholders should also check whether their full limits apply to the risk, as some insurers may reduce such coverage.
Business interruption claims related to the CrowdStrike incident could prove complex and lengthy, sources said.
Meredith Schnur, U.S. and Canada cyber practice leader at New York-based Marsh LLC, said the most common question she gets is, “Does cyber insurance cover an incident like this?” adding that loss notices continue to be issued by policyholders.
Because commercial cyber insurance policy wordings vary widely from one form to another, policyholders may encounter different methods of calculating losses under business interruption coverage.
“You can pick out five different policies and read business interruption or contingent business interruption coverage in all of them, and they’ll all look different,” Ms. Schnur said. Policyholders should “understand the extent of that coverage and how it varies.”
“We are starting to get a sense of the impact of this incident, but I think it will take longer, more than a few weeks, to know the extent of the losses,” said Rory Egan, London-based head of cyber analytics at Aon PLC’s reinsurance solutions division.
One factor affecting the size of the total insured loss among companies that purchase system failure coverage is the applicable waiting period.
“Can they start counting from the fourth hour of disruption, the 12th hour or the 24th hour? That will be a little bit determinant of where we end up in terms of loss volume at a market level,” Mr. Egan said.
Brian Gillin, Aon’s New York-based managing director-east region leader, said some policyholders may have restored operations before the waiting periods on their policies had expired.
Coverage for non-malicious acts is “generally included” in most larger, more sophisticated commercial cyber insurance programs, he said, but it is not universal.
“As more data comes out about how big the losses were for certain companies, that will cause other companies to reevaluate what they’re currently buying and possibly buy more,” Mr. Gillin said.
Every company, whatever the cause of an outage, should have a business continuity plan that focuses on what is needed to get the business back up and running, said Elizabeth D. Case, Chicago-based global product manager, cyber, at Liberty Mutual Insurance Co. She said practicing and rehearsing the plan should be part of the approach.
In the event of a malicious attack, data could be encrypted, a ransom could be demanded, and data could be stolen, potentially triggering multiple parts of the policy and requiring different recovery experts to address the different risks posed by the incident, Ms. Case said.
In the case of a system failure like CrowdStrike’s, “it’s just a matter of restoring the network, operations, and getting it back up and running,” she said.