The global IT outage that brought key industries to a standstill worldwide on July 19 is likely to generate large claims bills for the cyber insurance industry and prompt a coverage rethink.

Tens of thousands of companies awoke on Friday to find computers and servers running Microsoft Corp.'s Windows operating system inoperable because of a faulty update to cybersecurity vendor CrowdStrike Holdings Inc.'s Falcon product. The bug caused major disruptions to critical industries, including banking, and airlines struggled to operate.

While cover for an event triggered by an error rather than a malicious cyberattack is not universal in cyber insurance policies, it is widely available, according to Ryan Griffin, partner in insurance broker McGill and Partners Group Ltd.'s US financial lines and special risk team.

"I would say the majority of buyers of cyber insurance are going to have some element of this coverage in place," Griffin said in an interview.

While the outage was not a catastrophic event for the cyber insurance industry, according to Griffin, it still stands to be a "material event that causes a real reevaluation of the scope of coverage being provided."

Because of the complexity of assessing business interruption claims, determining the full impact of the outage will take some time, said Jonathan Hatzor, co-founder and CEO of cloud outage risk modeler and underwriting agency Parametrix Solutions Inc. But once those tallies are added up, Hatzor said cyber insurers will be facing a "big loss."

Rethinking coverage

CrowdStrike has an estimated 20% market share in the cybersecurity space and works with half of all Fortune 500 companies, reinsurance broker Acrisure Re said in a bulletin. However, the effect cascaded beyond direct users.

Cyberrisk analytics firm CyberCube Analytics Inc. said CrowdStrike's customer base includes many companies that it classifies as single points of failure, meaning customers of those companies may become secondary victims. Managed security service providers deploy CrowdStrike Falcon on the networks of other organizations they oversee. The number of companies that rely on a business that uses CrowdStrike in conjunction with Microsoft "is estimated to be in the millions."

In the US, large companies in manufacturing, IT, healthcare and financial services are the most likely to be exposed, CyberCube said. Insurers have outsize exposure to the aviation, banking and retail sectors, according to an examination of exposed limits.

Insurers are expecting a "wave of notifications" in the coming days, and losses are likely to be seen under business interruption and dependent business interruption insuring clauses, Acrisure Re said in its bulletin. Insurers may also suffer "bricking losses" if the manual restarts required to clear the issue are not universally successful or if downtime results in larger business interruption losses than it would cost to replace a device, the broker added.

Where business interruption cover for nonmalicious errors is present in cyber policies, insurers included it as a "throw-in" to offer broader coverage without a material increase in the price, McGill's Griffin said.

"If there is demand from clients to insure this exposure or wanting to maintain insurance for this exposure going forward, the insurance companies will certainly look to charge for it, and importantly, underwrite it," Griffin said.

Thanks to improvements in modeling, the industry understands the aggregate exposures that can arise from such an event, Griffin said, but the question is whether they contemplated a human error rather than a cyberattack as the cause.

The CrowdStrike event will not be covered by every policy. Parametrix offers insurance for cloud outages with a parametric trigger, which means the cover pays out automatically when certain conditions are met. Because this was an outage at a cybersecurity service provider, Parametrix's coverage will not be triggered, Hatzor said. Parametrix is working on coverage that would encompass service providers in addition to the cloud providers themselves, he added.

Hannover Re's cloud outage catastrophe bond, Cumulus Re, which Parametrix provided with data modeling and analysis, pays out if the delivery of specific cloud services in certain US cloud regions is interrupted for more than a specified period.

Wake-up call

A disruption of eight to 12 hours is typically required to trigger coverage under typical cyber policies.

"From an insurance standpoint, it's going to be weeks or months before we understand the wide-scale impact," McGill's Griffin said.

Parametrix's Hatzor noted that insurers are only now starting to see claims from UnitedHealth Group Inc. subsidiary Change Healthcare Inc.'s ransomware attack in February, which caused widespread disruption in the US healthcare industry.

"[Business interruption] claims are pretty complex," Hatzor said. "It's pretty hard to prove financial loss and it takes time to really see if you manage to recover or not."

No matter if the CrowdStrike outage triggers a catastrophic loss for the cyber insurance industry or not, it will serve as another reminder that problems at single service providers can trigger many simultaneous claims.

The CrowdStrike outage is the fifth example in the past four months of a service provider event affecting tens of thousands of its customers.

"This is a huge wake-up call for how we're building our models, how we're managing accumulation, which questions we need to get answers [to] from companies and really understanding the systemic risk in the digital world," Hatzor said.