On Friday, July 19, 2024, a faulty update from the leading cybersecurity firm, CrowdStrike, caused a global tech outage, highlighting the importance of insurance on both sides of a contract. The faulty update caused widespread crashes of Microsoft Windows systems, leading to significant disruption across various sectors.
Even though CrowdStrike made only one error, it rolled that error out to more than 6 thousand businesses and 8.5 million computers across all industry sectors. Its Tech E&O coverage will need sufficient limits to respond to all claims it faces as a result, and it’s likely its insurer will find that this is a single incident and that any resulting claims are “Related Wrongful Acts”. With proper contract management, CrowdStrike may have capped its losses at fees paid, but even if its customers settle for that amount, those costs will aggregate quickly. For this reason, we commonly see contracts requiring high limits for Tech E&O, even from tech companies that are too small to support that premium.
CrowdStrike has emphasized that this was an error, not a cyber security incident, which brings us to the client side of the equation. CrowdStrike’s clients will discover that Business Interruption coverage on a property policy will not respond to this incident. Cyber insurance might, so long as they have the right placement. Policies with Dependent (or Contingent) Business Interruption that includes System Failure as a trigger may well respond. Dependent BI has become a somewhat standard insuring agreement on cyber policies, but it might have restrictive definitions of which vendors qualify, might carry a sub-limit lower than the aggregate, or might not include System Failure. System Failure coverage provides a Business Interruption response when the disruption is due to a tech error rather than a cyber security incident. Cyber endorsements on a GL policy will probably be a low limit of liability only and will not have any of these additional insurance agreements.
The recent CDK incident that caused Dependent Business Interruption for auto dealers across the US is estimated to have caused $1B in losses overall, and that was limited to one industry. The CrowdStrike event will take time to develop but will certainly lead to record-setting losses.
Key industries impacted included:
Any insureds who are not currently carrying cyber insurance might want to pursue quotes now as these aggregated losses could push insurance premiums higher by the end of 2024.
This article is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.