Businesses and other organisations are rightly focused on safeguarding against cyber crime. News headlines frequently highlight the consequences of data breaches, ransomware attacks and the exposure of sensitive information by cyber criminals. These incidents can result in significant losses and liabilities for organisations and their cyber insurers, as well as damaging reputations.
A typical example is the recent attack upon Lehigh Valley Health Network in the US, whose refusal to pay a ransom led to a data breach in February 2023 and the release of cancer patients’ sensitive medical information, including photographs. Unsurprisingly, a class action was filed on behalf of the affected patients, and a settlement has recently been agreed resulting in payments totalling USD65 million. More recently, in August 2024, Microsoft systems in New Zealand including Outlook and Teams faced disruptions and were unable to operate due to a distributed denial-of-service or DDoS cyberattack. While cyber crimes such as these make headlines, IT systems are also susceptible to less dramatic but sometimes equally damaging failures that do not involve any criminal intent. Like cyber attacks, these failures can have significant effects, in some cases resulting in a total halt of business operations.
However, whilst businesses may have safeguarded against the fallout of cyber crime, they may find themselves unexpectedly uninsured for non-malicious cyber failures. Understanding these risks and how best to comprehensively protect – and insure – against them is vital for businesses that rely on technology to function.
The CrowdStrike failure
One of the largest IT outages in history was caused by an innocent cyber failure. On 19 July 2024, the global cybersecurity company CrowdStrike released a faulty software update. The update, intended to enhance security, instead caused widespread IT system outages by rendering approximately 8.5 million devices running Microsoft software unusable.
The problem stemmed from a compatibility issue between CrowdStrike’s update and the Microsoft operating system. Although a fix was quickly provided, the effect of the fault was to render computers unavailable, so the fix typically required IT professionals to intervene. This prolonged the resulting downtime for many companies. Although the issue affected only about 1% of Microsoft customers, the impact was severe because many of those affected were critical service providers. Banks lost access to payment systems, airlines were forced to ground flights, and hospitals had to revert to manual processes, which caused flow-on losses to many other businesses and organisations.
Risks and losses
When systems fail, businesses suffer losses in many ways. Production of goods or services may be reduced or brought to a halt. Without the ability to process payments or deliver services, businesses miss out on potential sales. Remedying system failures often requires IT specialists or additional resources to restore systems. Extended downtime may mean further loss of revenue or overtime pay for employees working to restore systems and clear backlogs.
There may also be additional losses from liabilities to third parties. System failures may have legal consequences, such as claims for breach of contract from customers whose goods or services are not delivered and who in turn suffer loss. One example of this is that Delta Airlines is reportedly seeking to recover losses from CrowdStrike in the vicinity of USD550 million. An affected business may also lose custom because customers see the issue as a sign of unreliability, resulting in reputational damage, market share erosion and long-term loss of business.
There may also be shareholder claims against an affected company and possibly its directors. CrowdStrike’s shareholders have reportedly launched a class action alleging misleading statements about its software testing.
Insurance response
The resulting business losses from the CrowdStrike outage have been estimated to cost US Fortune 500 companies around USD5.4 billion. However, the insured losses will likely be around only 10% to 20% of that figure. One reason for this is that the non-malicious nature of the outage typically reduces or limits the standard cyber insurance coverage.
Insurance policies that may provide coverage in the event of an IT outage, and that should be reviewed to ensure adequate coverage is in place, are as follows:
1. Cyber insurance
Cyber insurance typically covers losses resulting from malicious cyberattacks. Importantly, many New Zealand cyber insurance policies do not extend coverage to losses resulting from non-malicious outages or actions by authorised users. Even if there is some cover, it may be limited to direct losses such as the cost of data recovery and system restoration, but exclude consequential losses, lost profits or reputational damage. Depending on the cause and consequences, businesses may find themselves unprotected for losses resulting from an infrastructure or software failure.
2. Fidelity / crime insurance
Fidelity or crime insurance protects businesses from losses due to dishonest acts such as fraud or theft, including, under some policies, cyber crime perpetrated by employees or third parties. Again, however, it typically does not cover losses caused by non-malicious cyber failures.
3. Business interruption insurance
Traditionally, this coverage applies to revenue loss arising from events causing physical damage such as from a fire or natural disaster. Whilst software-related issues are typically excluded, other than in dedicated cyber insurance, some policies are able to be expanded to cover losses due to cyber failures. However, many of these policies have “deferment periods,” meaning coverage for loss only applies after a specified period of downtime.
4. Professional indemnity insurance
This type of insurance covers the legal and financial consequences of a failure to deliver services due to an outage, or a data breach. Businesses should ensure that their professional indemnity insurance includes an appropriate level of cover for cyber failures.
5. Statutory liability insurance
While this type of insurance does not directly cover operational or financial losses from cyber failures, it can be relevant if a business is found to have breached specific regulatory obligations such as privacy laws as a result of system downtime or data loss. Statutory liability insurance can help cover legal costs and penalties associated with a breach.
6. Technology liability insurance (including errors and omissions)
For companies in the technology sector, this insurance typically covers financial losses caused by errors in software or technology services. In cases like the CrowdStrike update failure, this type of policy would likely be triggered, providing coverage for the financial impact of the defective software. However, the CrowdStrike event illustrates the special risk that providers of software services face when they release a software update to large numbers of customers, in effect multiplying the potential liability.
Key considerations for insurers and their customers
Businesses and their brokers and insurers should ensure that they understand the scope of their coverage for non-malicious cyber events and be aware of any limitations. They should consider whether their policies cover losses resulting from non-malicious cyber failures such as software defects or infrastructure downtime. It is also important to review policy triggers, excesses or limits, deferment periods, and any exclusions related to third-party service providers or software issues.
Companies should also consider whether the most relevant policies provide sufficient cover for the range of possible losses. Insurers may in time consider whether cyber policies should extend cover to non-malicious cyber events.
Preventing and mitigating future risk
Insurers expect businesses to take proactive measures to reduce their exposure to cyber failures. This includes implementing robust backup systems, testing updates before deployment, updating systems where required, and having a clear incident response plan. Businesses should ensure they comply with any such requirements. The following are some key strategies that businesses which rely heavily on technology can use to mitigate the risk of system downtime:
1. System testing and phased rollouts
Businesses should ensure that updates and changes to critical systems are rigorously tested before they are widely deployed. Phased rollouts can also help prevent widespread disruption in the event of a failure.
2. Back-up plan and incident response plan
Businesses should maintain robust data backup systems. They should ensure they have alternative methods for key operations, such as communication and payment processing, in the event of an outage, and should ensure they have plans in place for technical troubleshooting and legal and insurance notifications.
3. Supplier resilience
Businesses should evaluate the resilience of their key suppliers and ensure that service agreements include provisions for system failures, including remedies and compensation.
4. Insurance reviews
Regularly reviewing insurance policies is essential to ensure that coverage aligns with a business’s evolving risk profile. Working with an insurance broker can help businesses assess gaps in coverage and make necessary adjustments.
5. Contract reviews
Review the terms and conditions of the contract held with the relevant technology provider. Understanding any relevant contractual limitations (such as limitation of liability) is crucial to assessing risk exposure and the ability to recover losses from the provider.
Concluding remarks
The recent CrowdStrike outage highlights that, whilst businesses may be well prepared for – and insured for – cyber crime, they must also be prepared for the less glamorous but equally damaging risk of non-malicious system failures. With the right insurance coverage, proactive risk management and comprehensive recovery plans, businesses can protect themselves from the financial and operational impacts of these unexpected events.
The outage also highlights the risk to IT service providers who are in the business of providing software updates to large numbers of customers. While the potential loss to each customer may be small, many small claims can add up to very significant liabilities, as CrowdStrike is discovering.