On Friday July 19th, 2024, a file update issued by CrowdStrike caused Microsoft Azure systems to crash and left businesses around the globe with the infamous Blue Screen of Death. Within a period of 90 minutes, CrowdStrike engineering identified a content deployment related to this issue and reverted those changes. Mac and Linux users remain unaffected. CrowdStrike has confirmed that this was not a malicious cyberattack, but a software update failure that requires a manual reboot for affected endpoints.

ECONOMIC IMPACTS

CrowdStrike has nearly 30,000 subscribers worldwide, and industry sectors all across the board have been impacted.6 However, the most commonly affected industries appear to be healthcare, financial services, aviation, technology companies, media outlets, and manufacturers. Even nearly a week post-outage, airports were still over-crowded and flight cancellations continued. Because the update was issued in the middle of the night in the U.S., it is highly possible that the Eastern hemisphere is more highly impacted from an operational perspective in comparison to many U.S. companies.

CrowdStrike shares fell dramatically following the outage.^1,3 It will likely take time for CrowdStrike to repair its image, and the fallout will probably impede new customer signings, an early indicator of contract value from new and existing customers that can provide investors with an idea of a company’s potential for revenue generation.¹

POTENTIAL CYBER & OTHER INSURANCE IMPACTS

The CrowdStrike outage has sent shockwaves through the cybersecurity and insurance industries, highlighting the critical vulnerabilities even leading cybersecurity firms face as well as the significant impact of single points of failure. This unprecedented event disrupted services for thousands of businesses, revealing the potential for widespread operational paralysis. As the dust begins to settle, insurance professionals are left to assess the implications of such a significant failure. Some suggest the insurance coverages most affected include business interruption, contingent business interruption, and network restoration within cyber coverage. In addition, smaller lines such as event cancellation, travel insurance, and technology errors and omissions will also be impacted.⁴ There is also potential for Directors & Officers (D&O) insurance implications. Generally, a 10% intraday stock drop for a publicly traded company may compel the plaintiffs’ bar to file a class action lawsuit. Subsequent share price volatility and any ultimate settlement or recovery could also impact the likelihood of litigation.

Historically, securities class actions based on technology incidents have had little success. But in addition to securities class actions, firms that are involved in, or impacted by, the mass outage may have greater exposure if they have difficulty restoring operations. They could also become the target of shareholder derivative suits alleging a breach of fiduciary duty by the board.⁵ Additionally, the U.S. Department of Transportation has already opened investigations into some airlines for how they have managed this incident.

Considering the ongoing integration of IT and operational technology, insurers must also consider the physical consequences that can arise from technology failures. Any exposure for property & casualty policies will rely on how insurers address cyber as a peril or if cyber coverage could exist by virtue of neither affirmative nor exclusionary language also known as “silent cyber.”

With cyber insurance claims particularly likely to surge and policy terms under scrutiny, the outage underscores the necessity for robust cyber risk management strategies and may signal a pivotal shift in how cyber insurance policies are structured and priced moving forward. Potential cyber impacts, include:

• Business Interruption
• Dependent Business Interruption
• Bricking
• 3rd Party Liability
• Reputational Harm
• Reinsurance
• Immediate New Underwriting Requirements
• Future Coverage Restrictions

It’s anticipated that Microsoft and CrowdStrike clients will file claims for business interruption losses as a result of their outages. The application of coverage will be dependent on the waiting period within clients’ cyber policies as well as the coverage trigger negotiated within the wording (i.e. security failure vs. systems failure).

Similarly, clients of firms that use Microsoft and CrowdStrike could also file claims for dependent business interruption losses as a result of their outages, and coverage will be dependent on the same criteria – the cyber policy waiting period and the coverage trigger negotiated within the wording (i.e. security failure vs. systems failure).

Because business interruption coverage will require detailed proofs of loss, it is recommended that policy holders carefully track expenses related to this outage. While it’s too early to tell exactly what this will mean for coverage, rates, or reinsurance negotiations, the incident is viewed as the largest systemic IT outage to date and impacts will begin to materialize in the coming weeks and months.

RESOURCES FOR COMPANIES STILL IMPACTED

CrowdStrike provided a fix to the issue on July 19th. Companies should follow the Tech Alerts provided by CrowdStrike for updates in real time and beware of phishing attempts by cyber criminals impersonating CrowdStrike customer service in attempt to exploit victims.

CrowdStrike also published a video outlining the steps required to self-remediate affected remote Windows laptops. Customers are advised to check the support portal for updates as CrowdStrike will continue to provide the latest information there and on the company’s blog. Organizations should also verify that they are communicating with CrowdStrike representatives through official channels.

The CrowdStrike Remediation and Guidance Hub: Falcon Content Update for Windows Hosts provides additional helpful information including the CrowdStrike CEO Statement, Technical Details, and FAQ.

Similar future risks can also be mitigated through the purchase of downtime insurance. The coverage pays for a predetermined amount per hour starting at hour 1, rather than hour 12 irrespective of the actual financial loss. This coverage extends to SLA liabilities and provides financial reimbursement to prevent customer loss.

BOTTOM LINE

Team CRC continues to monitor the CrowdStrike scenario as well as the potential impacts. Cyber security incidents like the CrowdStrike outage illustrate the fragility of the digital world and global economy. One moment, all is well, but the next your company could face serious operational and security concerns. Businesses with inadequate safety nets can end up losing substantial revenue while struggling to maintain operations. Don’t let unforeseen digital disruptions impact your client’s bottom line. Reach out to your CRC / INSUREtrust producer today for assistance safeguarding your clients against the unexpected.

CONTRIBUTOR

• Christiaan Durdaller is the CRC / INSUREtrust Cyber Practice Group Leader.
• Mike Robison is a Senior Vice President and Senior Broker as well as CRC Group’s ExecPro Practice Group Leader.

END NOTES

1. CrowdStrike shares tumble as fallout from global tech outage continues, CNBC, July 22, 2024. 
2. What’s happening with Delta Air Lines? Cancellations continue 4 days after CrowdStrike outage, Fast Company, July 23, 2024.
3. CrowdStrike’s stock stems its bleeding, but even the bulls see some risk, MarketWatch, July 23, 2024. 
4. CrowdStrike incident unlikely to materially impact re/insurers – Fitch Ratings, IBA, July 23, 2024. 
5. CrowdStrike event may impact product lines beyond cyber insurance: Guy Carpenter, Reinsurance News, July 22, 2024. 
6. CrowdStrike Has $19 Billion Week of Reckoning. More Pain Lies Ahead.=, Barron’s, July 24, 2024.