Jes Alexander | September 24, 2024
One of the biggest concerns regarding cyber insurance is a major cyber event that takes out a large portion of the Internet, impacting billions around the globe. The industry's focus has been on a malicious incident, like a nation-state hack. This fear is why most cyber insurers recently strengthened their war exclusions to avoid a "cyber cat" event.
Surprisingly, the most significant Internet outage in history was not caused by a malicious actor. Instead, a simple software update by a US cyber-security company, CrowdStrike, caused computers running Microsoft Windows to crash and display the "blue screen of death" across the globe. Ironically, the software patch was to the company's product that was designed "to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks—including malware and much more."
The mistake resulted in a global outage that impacted many significant businesses and billions in losses. Major insurers, airlines, hospitals, banks, media outlets, and other companies around the globe could no longer operate normally. One insurer estimated that Fortune 500 companies suffered 5.4 billion in damages alone. 1
The threat of litigation is already beginning. For example, Delta indicated that it would sue CrowdStrike and Microsoft for over $500 million in losses due to the outage. A major class action law firm plans to file a class action lawsuit for smaller companies impacted by the outage. 2
However, these lawsuits are likely to be an uphill battle. CrowdStrike's general terms and conditions contain a limitation of liability clause that states:
10. Limitation of Liability.
10.1 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, … NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY IN CONNECTION WITH THIS AGREEMENT OR THE SUBJECT MATTER HEREOF (UNDER ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STATUTE, TORT OR OTHERWISE) FOR ANY LOST PROFITS, REVENUE, OR SAVINGS, LOST BUSINESS OPPORTUNITIES, LOST DATA, OR SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES OR SUCH DAMAGES OR LOSSES WERE REASONABLY FORESEEABLE; OR (B) AN AMOUNT THAT EXCEEDS THE TOTAL FEES PAID OR PAYABLE TO CROWDSTRIKE FOR THE RELEVANT OFFERING DURING THAT OFFERING'S SUBSCRIPTION/ORDER TERM. THESE LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY SPECIFIED IN THIS AGREEMENT. MULTIPLE CLAIMS SHALL NOT EXPAND THE LIMITATIONS SPECIFIED IN THIS SECTION 10.
[Emphasis added.]
For companies bound by these terms, this clause will likely cap any recovery at the amount the customer paid for the service itself. Moreover, the clause states that CrowdStrike will not be liable for any of its customers' lost profits, revenue, or punitive damages.
CrowdStrike responded to Delta Airlines' $500 million demand by stating that the company's liability is capped at the "single-digit millions." 3 Its position is likely based on this (or a similar) limitation of liability clause found in the parties' agreement. It remains to be seen whether arguments that this contract clause is inapplicable are successful—much will depend on the contract language and the jurisdiction.
Given the total impact of the event and the legal hurdles companies face pursuing CrowdStrike, affected companies will likely turn to their cyber-insurance policies to cover these business income losses. Indeed, cyber insurers "are bracing for hundreds, if not thousands, of claim notifications from organizations that are impacted by the CrowdStrike event." 4
Nonetheless, cyber insurers are not expecting the worst in terms of payout from the event. Major cyber-insurer Beazley noted that it successfully coped with the CrowdStrike incident and expects profits to continue in the next few years. 5
Why are cyber insurers not overly concerned about the most significant Internet outage in history? Cyber forms are not uniform, and each has its own terms governing the types of losses at issue in the CrowdStrike incident. Generally, policyholders must overcome multiple hurdles to recover under their cyber-insurance policy.
Most cyber-insurance policies include some form of business interruption coverage. However, this coverage is typically limited to outages to the insured's network and computer systems; it does not cover outages of a third-party vendor, such as CrowdStrike.
Over the past few years, more cyber insurers have offered dependent or contingent business interruption coverage. Sometimes, this coverage is included in the base cyber-insurance form itself. Other times, it is provided as an enhancement via an endorsement.
Here is an example of contingent business interruption coverage included in the base form:
We will pay:
- business interruption loss;
- contingent business interruption loss; and
- extra expenses,
that you incur during the indemnity period directly resulting from the partial or complete interruption of computer systems for a period longer than the waiting period caused by a security failure or systems failure first discovered by you during the policy period.
Source: Coalition, Cyber Policy 3.0 (CYUSP-00PF-1022-01).
Based on this language, financial losses resulting from outages of a third-party computer system would likely trigger coverage.
Because CrowdStrike is a third-party vendor, policyholders seeking coverage for financial losses due to the outage will need to look closely at their cyber policy to determine whether it covers financial losses from outages caused by third-party vendors' systems. Without coverage for outages by third-party vendors, it is improbable that the policy will respond to the insured's losses.
Companies should negotiate higher limits for contingent business interruption coverage in the future to avoid loss from similar outage incidents. Also, deductible amounts for these coverages should be reviewed to ensure that the insured does not shoulder more of the loss than anticipated.
There are three more hurdles that policyholders must overcome in seeking cyber-insurance coverage for the CrowdStrike incident. Subscribers to Professional Liability Insurance (PLI) can read the full article to learn about these additional three hurdles and receive tips to maximize coverage.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
Footnotes