Over the last week, organizations around the globe have struggled to bring operations back online following a botched software update from cybersecurity company CrowdStrike. As the dust settles, affected organizations should consider whether they are insured against losses or claims arising from the outage. The Wall Street Journal has already reported that insurers are bracing for claims arising from the outage and that according to one cyber insurance broker “[t]he insurance world was expecting to cover situations like this.” A cyber analytics firm has estimated that insured losses following the outage could reach $1.5 billion.
Your cyber insurance policy may cover losses resulting from the CrowdStrike outage. These policies often include “business interruption” or “contingent business interruption” insurance that protects against disruptions from a covered loss. Business interruption insurance covers losses from disruptions to your own operations. This insurance may cover losses if the outage affected your own computer systems. Contingent business interruption insurance, on the other hand, covers your losses when another entity’s operations are disrupted. This coverage could apply if the outage affected a supplier or cloud service provider that your organization relies on.
Cyber policies often vary in the precise risks they cover. Evaluating potential coverage requires comparing your losses to the policy’s coverage. Cyber policies also include limitations and exclusions on coverage. For example, many cyber policies contain a “waiting period” that requires affected systems to be disrupted for a certain period before the policy provides coverage. These waiting periods can be as short as one hour or as long as several days.
Other commercial insurance policies could also provide coverage depending on the loss or claim and the policy endorsements and exclusions. For example, your organization may have procured liability insurance that protects against third-party claims or litigation. This insurance could protect you from claims made by customers or other businesses related to the outage.
If your operations have been impacted by the CrowdStrike outage, there are a few steps you can take now to maximize your potential insurance recovery.
First, read your policies to determine the available coverage. As you review your policies, pay careful attention to policy limits, endorsements, and exclusions. A policy endorsement may significantly expand policy coverage, even though it is located long after the relevant policy section. Keep in mind that courts generally interpret coverage provisions in a policy generously in favor of an insured and interpret exclusions or limitations narrowly against an insurance company.
Second, track your losses. The outage likely cost your organization lost profits or extra expenses. Common business interruption losses may also include overtime expenses to remedy the outage, expenses to hire third-party consultants or technicians, and penalties arising from the outage’s disruption to your operations. Whatever the nature of your loss, tracking and documenting your loss now will help you secure a full insurance recovery later.
Third, carefully review and comply with your policy’s notice requirements. If you have experienced a loss or a claim, you should immediately notify your insurer. Even if you are only aware of a potential claim, your policy may require you to provide notice to your insurer of the events that could ultimately lead to a claim or loss. Some notice requirements in cyber policies can be quite short. After providing notice, you may receive a coverage response or “reservation of rights” from your insurer. Be cautious in taking any unfavorable response at face value. Particularly in cases of widespread loss, an insurer’s initial coverage evaluation may not accurately reflect the available coverage.
If you are unsure of your policy’s notice obligations or available coverage, or if you suspect your insurer is not affording your organization the coverage that you purchased, coverage counsel can assist your organization in securing coverage. Above all, don’t hesitate to secure the coverage to which you are entitled.