CrowdStrike Event: A Wake Up Call for the Insurance Industry?

Some thoughts on the lessons we can learn from the CrowdStrike outage, by Hermes Marangos, Partner and Insurance lawyer at Signature Litigation.

The IT outage which caused 8.5 million systems running Microsoft Windows to crash earlier this summer is indicative of a looming issue with enormous implications for the insurance industry. In causing devastating losses for individuals and organisations around the world, the crash provided a red-alert warning.

As companies react to the 19 July outage, it seems clear that it is always better to anticipate and analyse such significant events than to try, ex post facto, to reinvent public and private international law.

Immediately after the outage, crucial infrastructure ground to a halt. Hospitals and transport services were in many instances unable to function properly. The outage was caused by a faulty update to cybersecurity company CrowdStrike’s Falcon product. The impact of the CrowdStrike cyber event made it the most serious since NotPetya in 2022, not least for the insurance industry.

Insured losses from the CrowdStrike incident are estimated at between $1.5 billion and $10 billion. Actual losses, which may be far greater, and the absence of cover for many of them, point to valuable lessons that should be heeded by risk management teams worldwide, lessons which should be acted upon without hesitation.

Being able to foresee what might happen will be essential in determining liability for future IT outage events. With regard to CrowdStrike, it must have been widely known that this software ran across interconnected and interdependent companies worldwide, all of which would be affected by a failure. It should have been clear that a bug was probable and that it would have a high impact on business operations. Given this knowledge, vendors should be expected to have adequate procedures for updating software, covering how an update is developed, tested, troubleshot and pushed to production systems.

In the fast-moving world of cybersecurity updates, in which those trying to keep out the hackers by issuing updates are locked in a never-ending game of cops and robbers, there is understandable debate about how to create reasonable tests for their products. IT industry commentators, in explaining the potential vulnerability in the systems, refer to the fact that such updates may have to be launched multiple times per day. To add further complicating factors, other interdependent systems are also potentially being updated multiple times per day and devices can receive updates in a different order or timescale.

While the debate among AI experts on how safe test environments can be in the “real world” continues, in the real world one has to deal with these updates going wrong and expect third- and fourth-party exposure and potential supply chain fallout. From a lawyer’s or underwriter’s perspective, this “guinea pig” approach to technology is a nightmare scenario for class and other legal actions and for systemic underwriting problems.

The determination of whether the cause of a cybersecurity outage is human error or defective technology could affect an array of insurances including property (P&C and silent cyber included), BI/CBI, professional liability, D&O (especially where a drop in stock value is sustained) and product liability. The trigger for such coverage typically includes system failure resulting from non-malicious acts, including human error. However, there is no standard cyber policy language.

Technologies with large market shares create potential single points of failure that can lead to systemic events yielding claims from a very large number of claimants at once. A small cog can bring global IT infrastructure to a halt, raising issues of insurability which cannot be ignored.

Whatever the arguments, this single-point failure – and its extraordinarily wide impact – and its potential to cause catastrophic cumulative losses cannot be dismissed. Once again from a legal perspective, questions arise as to whether the risks of a single point of failure in a complex, global information technology supply chain have been adequately assessed.

Previously, the insurance industry has had to deal with so-called “black swan” events, known as High Impact Low Probability (HILP) events. Today, however, if events like CrowdStrike are becoming predictable, higher impact combined with higher probability adds to the systemic problem already facing insurers. It can be argued that these are no longer HILP events, with the result that failing to take steps to prevent predictable events may lead to an array of legal consequences.

It is natural that insurance companies are in competition for a piece of this rapidly growing market. The industry should, however, take the opportunity to soberly consider the ever-increasing scenarios of catastrophic losses as it becomes increasingly exposed to even more cybersecurity risks.

Notably, CrowdStrike’s meltdown does not seem to have affected its own market dominance and revenue. Recently published figures for Q2 of its current financial year are better than expected, with revenue growth of 32% to just under $964 million. Plainly, it is CrowdStrike’s users who are more likely to be financially impacted than the cybersecurity provider itself.

One of the primary questions arising from CrowdStrike is that if Microsoft’s system had the ability to reject the faulty update, why did it not do so? There is talk in the IT industry that more thorough testing of security updates, and staggering of update releases to smaller groups or upgrade ‘rings’, could have averted the disaster. From a legal perspective, it is hard to ignore the fact that it all looks too predictable, especially considering how many years there have now been discussions of the dreaded “blue screens”.
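To make the ‘rings’ idea concrete, the following Python example is an added illustration; it is not code from the article, from CrowdStrike or from Microsoft. The ring names, host counts, crash budgets and the per-host outcomes are constructed assumptions standing in for real boot and sensor telemetry. It pushes an update one ring at a time and halts before the next ring whenever a ring exceeds its crash budget, so a faulty update reaches a handful of canary hosts instead of the whole fleet.

```python
"""Staged ("ring") rollout gate for a security content update.

Added illustration, not code from the article, CrowdStrike or Microsoft.
Ring names, host counts, crash budgets and the per-host outcomes below are
constructed assumptions; a real gate would read sensor/boot telemetry.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Ring:
    name: str
    hosts: List[str]
    max_crash_rate: float  # fraction of hosts allowed to fail before the rollout halts


@dataclass
class RolloutResult:
    completed_rings: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None   # ring whose crash budget was exceeded, if any
    hosts_updated: int = 0


def rollout_update(rings: List[Ring],
                   apply_and_observe: Callable[[str], bool]) -> RolloutResult:
    """Push the update one ring at a time.

    apply_and_observe(host) installs the update on one host and returns True if
    the host reports healthy afterwards, False if it crashed. The next ring is
    only started once the current ring stays within its crash budget.
    """
    result = RolloutResult()
    for ring in rings:
        crashes = 0
        for host in ring.hosts:
            result.hosts_updated += 1
            if not apply_and_observe(host):
                crashes += 1
        if crashes / len(ring.hosts) > ring.max_crash_rate:
            result.halted_at = ring.name   # stop here; later rings never receive the update
            return result
        result.completed_rings.append(ring.name)
    return result


# Constructed fleet: 5 canary hosts, 50 early adopters, 1000 broad-production hosts.
RINGS = [
    Ring("ring0-canary", [f"canary-{i}" for i in range(5)], max_crash_rate=0.0),
    Ring("ring1-early", [f"early-{i}" for i in range(50)], max_crash_rate=0.02),
    Ring("ring2-broad", [f"prod-{i}" for i in range(1000)], max_crash_rate=0.01),
]


def faulty_update(host: str) -> bool:
    """Constructed: this update crashes every host it lands on."""
    return False


def flaky_update(host: str) -> bool:
    """Constructed: crashes a small subset of the early ring (early-0, early-25)."""
    return not (host.startswith("early-") and int(host.split("-")[1]) % 25 == 0)


def good_update(host: str) -> bool:
    """Constructed: the update is healthy everywhere."""
    return True


if __name__ == "__main__":
    for label, update in [("faulty", faulty_update), ("flaky", flaky_update), ("good", good_update)]:
        r = rollout_update(RINGS, update)
        print(f"{label}: updated {r.hosts_updated} hosts, completed {r.completed_rings}, halted at {r.halted_at}")
```

The canary ring has a zero crash budget on purpose: a content update that crashes any canary host never reaches the early or broad rings, which is the containment the ‘rings’ argument above relies on. The budgets for later rings are assumptions; an operator would set them from the fleet’s normal background failure rate.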

The above may explain Warren Buffett’s prediction and warning, earlier this year, about the risks of issuing cybersecurity insurance and the aggregation of risk. In a speech, he noted that the risks multiply the more such policies you write, and that even with a $1 million limit per policy, if a single event impacts 1,000 policies, “you’ve written something that in no way we’re getting the proper price for and could break the company.” Within a brief timeframe, the scale of losses caused by the CrowdStrike event has exemplified Buffett’s concerns.

Hermès Marangos, Partner, Signature Litigation
