Industry stakeholders continue to try to get a grasp of the implications of last week’s massive technology outage affecting a wide range of industries around the world, but the theme of policy language is recurring for a cyber insurance industry not known for standardization.
Broker Aon said the cyber incident is “likely to be the most important cyber accumulation loss event since NotPetya in 2017” but overall losses won’t be known until several variables inherent to the cyber insurance industry are understood.
Guy Carpenter said the network outage event will trigger broad coverage for business interruption and contingent business interruption within cyber insurance policies. The trigger includes system failure due to non-malicious acts, including human error, according to an initial analysis of the event released by the risk and reinsurance specialist.
“Critical for evaluating network interruption claims will be the policy waiting period for which the network must be impaired before the policy responds,” said Guy Carpenter. “Typical cyber waiting periods vary depending on industry class and organizational size, with 4-12 hours being most common.”
Aon said standard time deductibles most commonly range between 8 and 12 hours but can be as low as 6 hours or as high as a full day.
An analysis by Aon of the policy wordings of several leading cyber insurers found “there are a range of approaches to offering coverage triggered by ‘system failure’ or ‘non-malicious’ events.”
“Some leading carriers offer this as part of their standard form, whereas others do not,” Aon said, adding that it has noticed policy deviations are common—with system-failure coverage added by endorsement, or with restrictions on coverage in certain industries of concern.
Guy Carpenter added that the scope of the outage could lead to claims in other insurance lines of business, such as directors and officers. The firm noted a stock drop for a publicly traded company affected by the tech outage “may incentivize the plaintiffs’ bar to file a class action lawsuit,” but history has shown that securities class action litigation arising from tech incidents “have fared poorly.” Derivative lawsuits alleging breaches of fiduciary duty could also pop up should companies struggle to restore operations.
Furthermore, Guy Carpenter cautioned insurers about the potential property exposure from technology failures, especially if P/C policies do not explicitly exclude cyber. Other incidents over the years have highlighted “silent cyber” policy exposures, leading many within the industry to change policy wording, but insurers that have not addressed the issue with specific exclusions could face property or bodily-injury exposure.
“Cyber insurers should use this event to evaluate policyholder supply-chain dependencies, assess the potential for aggregation across commonly used technologies, and recalibrate risk tolerances accordingly,” Guy Carpenter said.
Reinsurer Acrisure Re said in a bulletin that while this most recent incident puts systemic failures into focus, insurers will need to come up with a plan to manage the exposure “without withdrawing coverage that is clearly crucial to buyers.
“In the short term, insurers should hold the line until the full picture becomes clear,” said Acrisure Re.
The widespread outage on July 19 was caused by an update pushed out by endpoint detection and response (EDR) provider CrowdStrike that crashed millions of Microsoft Windows devices. Microsoft in a blog said less than 1 percent of Windows machines were affected but the “broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services.”
A commentary from Moody’s noted that although the incident was not malicious, the automatic update deployed by the cybersecurity vendor resulted in an event that looked like a supply-chain attack. The incident affected industries such as airlines and hospitals that cannot afford downtime—and the recovery process in general could extend over days or weeks, Moody’s said.
Moody’s pointed out that, ironically, many cyber insurers require EDR when underwriting and enterprises using CrowdStrike are more likely to have a cyber insurance policy in place. However, the extent of coverage and policy terms will vary since terms and conditions throughout the industry “still vary widely.”
“Insurers will have to start the process of individually assessing each client’s policy in turn to establish their exposure,” according to Damini Mago, assistant director, product management – cyber at Moody’s. “There remain unknown implications of this event to how the coverage is being triggered.”
Aon said the network outage event will bring to light how coverage within original policies, reinsurance contracts, and catastrophe bonds will apply to incidents with widespread impact.
“This event will bring into focus: 1) the wording aspect of these products/covers e.g. ‘are non-malicious events covered?’ and 2) the threshold aspect: does the event “qualify” as an event of required magnitude and will the attachment points of cover be reached?” Aon said.
Rating agency Fitch said the incident—believed to wind up causing insured losses in the mid- to high-single-digit billion-dollar range—is not likely to have a material impact on insurers’ financial results. But it does highlight the growing risk of single points of failure (SPoF).
“SPoF risk has been modeled for cloud outages and popular software such as operating systems,” Fitch said. “However, it has not been well modeled or understood for industry-specific software such as CrowdStrike or more recently ChangeHealth.
“SPoF are likely to increase as companies seek consolidation to take advantage of scale and expertise, resulting in fewer vendors with higher market shares. Utilizing multiple, redundant vendors can help offset SPoF risks, but can also add increased complexity and costs that often are not feasible.”