CrowdStrike Outage: Policyholder Guidance and Insurance Implications
On Friday, July 19, 2024, at 04:09 UTC, cybersecurity vendor CrowdStrike released a defective software update containing a single faulty file, causing a global IT outage for customers running the update on any Microsoft Windows operating system version 7.11 and above. Numerous airports, banks, 911 services, hotels, trains, hospitals, restaurants, governments, and maybe even your own computer were taken offline and replaced by the so-called Blue Screen of Death. Microsoft has estimated that 8.5 million computer systems were impacted.
Coalition was not impacted by the outage. We are processing claims as they are received, and our security support and incident response teams are readily available to assist impacted customers. Remediation guidance was also directly provided to affected Coalition policyholders immediately following its availability and can be found on CrowdStrike’s remediation hub, together with a preliminary post-incident review detailing CrowdStrike’s investigation into the outage.
Understandably, this event has garnered international media attention and raised questions among Coalition policyholders and insurance partners about how cyber insurance — and Coalition, specifically — will respond. It also highlights the ongoing discussion about risk aggregation and how (or whether) the insurance industry can insure widespread events.
Guidance for policyholders
Is it covered? No doubt the question that is on everyone’s mind. The answer, of course, is nuanced based on what happened, to whom, and under which policy. Let’s start with what “it” is. The CrowdStrike Outage resulted not only in business interruption to its customers running on Windows but also to non-customer organizations that experienced cascading contingent business interruption as a result of the downtime of CrowdStrike’s customers. In some cases, the impacted systems were hosted in local networks; in others, in third-party cloud providers. Finally, while many of the cascading business interruption events resulted from IT systems failures, some were also caused by broader non-IT supply chain failures (e.g., the massive interruption and cancellation of flights, medical procedures, and the like). What is covered and by which policy will depend on the specific facts and circumstances of the business interruption event, together with the specific policy wording of the policies in question. This is all to say that coverage may extend beyond cyber insurance depending on the circumstance.
For this post, we’ll focus on cyber insurance:
Directly impacted CrowdStrike customers: Most cyber insurance policies, including Coalition’s, offer coverage for certain business interruption events. Business interruption coverage is designed to cover lost income and the extra expenses incurred to recover from a partial or complete interruption of a policyholder’s computer systems. Extra expenses generally include things like employee overtime and necessary additional IT resources to aid in the recovery effort. In most cyber insurance policies, including Coalition’s, a business interruption event may be triggered either by a cyber security failure or a systems outage, as in this instance. Coverage is often subject to a waiting period, usually eight hours, after which coverage is granted. For many insurers, coverage is only provided beyond the waiting period up to the specified policy limit, although for Coalition, the waiting period is merely a trigger after which coverage is more broadly provided from the start of the outage. Importantly, coverage is generally limited to failures of the policyholder's own computer systems/network and not computer systems hosted by third parties. Fortunately, there is another coverage to address that scenario (read on).
Everyone else (including non-customers, indirectly impacted CrowdStrike customers, and/or impacted customers using CrowdStrike in third-party hosted environments): The subsequent outages experienced by many organizations as the direct result of the CrowdStrike snafu led to a broader cascading series of failures that impacted customers and non-customers of CrowdStrike alike, albeit indirectly. Many cyber insurance policies, including Coalition’s, also include coverage for these so-called contingent business interruption events that result from the failure of computer systems (including applications) hosted by contingent third parties such as cloud services and SaaS providers. In some cases, this coverage may extend even further to include systems outages of any third-party service provider, including non-IT suppliers. Whether you have this coverage, and the extent of what it covers, may limit your recovery. However, coverage might also be found on other insurance policies designed to cover business interruption events, to the extent they don’t exclude cyber events.
Many cyber insurance policies contain limitations or exclusions that may limit coverage for particular types of system outages or widespread failures that could result in large systematic aggregation events that would otherwise threaten the insurance industry due to their unpredictability, high loss correlation, and significant financial impact. These limitations will need to be assessed based on the specific facts and circumstances of the incident and the policy wording.
If you have questions about your specific circumstance, we recommend contacting one of our claims professionals or speaking with your insurance broker. And if you are a Coalition policyholder impacted by this event we recommend that you notify us as soon as possible. Our team is ready and available to provide guidance on and assist in the claims process.
Finally, we advise all policyholders to be mindful of phishing and social engineering attacks from cyber criminals posing as CrowdStrike or other security vendors offering assistance. CrowdStrike has warned of such malicious attempts and stated they will not make unsolicited outreach to customers.
Implications for the cyber insurance industry
The CrowdStrike outage is the third material supply chain outage of 2024, following the outages of Change Healthcare, impacting thousands of hospitals, pharmacies, and medical practitioners, and software vendor CDK, impacting thousands of car dealerships. The potential for a cyber attack or systems outage, such as these, raises concerns about the potential for further large systemic losses.
Still, despite the media hysteria and significant impact of these events, including the CrowdStrike outage, which has been called “the largest IT outage in human history,” we do not expect any to reach the levels of loss of natural catastrophe events that routinely impact the insurance industry. Our own modeling, leveraging our Active Cyber Risk Model, suggests a $0.96 billion industry-wide loss experienced by US cyber insurance policyholders at the upper bound prior to consideration of coverage limitations. Of course, any model of this event will also be highly sensitive to the least credible assumption (most likely, the share of impacted systems), which if reduced, would decrease our estimate to $0.27 billion (or lower).
In very small part, this is the result of impacted organizations being insured for amounts far lower than their actual financial losses, but it is also because the cyber insurance industry has the advantage of affirmatively covering cyber perils, including thoughtfully designing coverage to avoid large systemic risk aggregation. Cyber insurance cynics also routinely (and massively) underestimate the amount of technological diversification across organizations that limits the possibility of systemic loss, as well as the ability of organizations to quickly learn, react, and even cooperate with others to dramatically reduce the severity of losses. Attempts to analogize cyber catastrophes with natural catastrophes are profoundly misguided as a result. Case in point: the 8.5 million computers impacted in the CrowdStrike outage account for less than 1% of computers running Windows, according to Microsoft, and represent an even smaller fraction of the estimated 10 billion+ computer systems in operation globally. Many, although not all, organizations were able to recover within hours, if not days.
Cutting-edge cyber insurers like Coalition take advantage of massive data sets and analytical capabilities to more accurately model and assess common disaster scenarios. The model output is then used to determine how (and if) various scenarios can be covered and at what cost. The propagation of a defective software update from a commonly used software vendor has long been one such scenario used in our modeling. While many such failures, including this one, are unlikely to reach catastrophic levels, the failure of more ubiquitous software products very well could. This informs our approach and how we manage risk, with a goal to maximize coverage sustainably for our customers.
More broadly, across the cyber insurance marketplace, and particularly among those with lesser capabilities, we expect these concerns will more likely be addressed by changing and, in some cases, restricting or excluding coverage. Some insurers have already introduced catastrophic or widespread loss sub-limits and exclusions that may limit or exclude coverage for specific cyber losses that impact a large number of organizations. Others are adding dependent or contingent business interruption sub-limits, exclusionary language that may apply to organizations that weren't direct targets (but suffer the consequences of a supply chain cyberattack), or removing the coverage altogether, even if only temporarily.
Undoubtedly, this will continue to be a topic of great interest for (re)insurers, regulators, and the broader cybersecurity community as a mere fifteen companies worldwide account for 62% of the market for cybersecurity products and services. The fallout from this event illustrates the very real public policy tension that exists between the benefits of economies of scale and the risks associated with concentration. We also expect that impacted companies and their insurers will pursue indemnification from CrowdStrike, whose liability remains to be determined.
You can be sure that Coalition will continue to take a nuanced approach to these topics in our efforts to sustainably protect unprotected organizations from increasingly pervasive digital risks.
For more of our thoughts on cyber risk aggregation we encourage you to revisit our blog post from over six years ago on a vulnerability that affected over 2 billion computer systems. Again, for specific questions about your circumstance, please contact one of our claims professionals or speak with your insurance broker.
This communication is not a proposal of insurance. The descriptions contained herein are for preliminary informational purposes only. Exclusions and limitations apply and vary by state. Not all exclusions or limitations are referenced herein. Coverage is subject to and governed by the terms and conditions of the policy as actually issued. Please see a copy of your policy for the full terms and conditions. Coalition makes no representations regarding coverages, exclusions, or limitations in any insurance products offered on behalf of any insurer, nor any representations regarding the availability of coverage to address any risk of loss in the broader insurance marketplace.
Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc. (“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. Copyright © 2024. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.