The news about the CrowdStrike and Microsoft vulnerabilities didn’t take long to make its way around the world. Most professionals felt the effects immediately when attempting to log in to their systems, with 8.5MM endpoints disabled with the “blue screen of death.” This disruption to businesses came in the form of canceled or delayed flights, disabled ATMs, amusement park riders stuck on rollercoasters, and – gleefully for some – unexpected days off of work.
What caused this outage?
CrowdStrike is a global IT security company providing endpoint detection and response (EDR) services. Their product, Falcon, uses artificial intelligence algorithms to detect suspicious activity and prevent threats in real time. CrowdStrike deployed a routine update with cybersecurity enhancements, which led to the Microsoft Windows crash. The outage impacted Microsoft 365, Azure, and Amazon Web Services – three prominent cloud service providers.
Is CrowdStrike still the right EDR tool?
CrowdStrike has been considered a top provider of EDR services for many years, with some insurers providing incentives for the utilization of CrowdStrike’s tools. The incident that happened on July 19, 2024 was an administrative error and not as a result of a vulnerability within the tool itself. Only you can determine what tool is right for you and your business, but we anticipate the insurance industry’s continued reliance on this tool.
How can the vulnerability be fixed?
CrowdStrike has published information about the remediation on their website. It can be found here.
How does insurance fit in the picture?
Cyber insurance policies contemplate lost revenues in the first-party coverages of the policy. Certain cyber insurance policies may cover lost revenue stemming from system failure as a result administrative updates and other non-incident triggers in the following ways:.
- System Failure: Contingent system failure provides additional breadth in coverage by reimbursing lost revenues in the event of those updates, but when those updates are made or initiated by a third-party provider, this may be subject to a waiting period like other business interruption coverages, creating a limited number of hours (typically 4-24 hours) where the insured will retain the lost revenues. Some policies will provide formulations about how lost revenues will be calculated. Depending upon the circumstances of your incident, other coverages may also apply.
- Extra Expense: An extension of the System Failure coverage, this provides coverage in the event of the costs that are associated with responding to or remediating an incident. This could include overtime for your employees, the cost to hire additional vendors, or other expenses that are outside of your normal operating costs.
As we learn of additional details, other coverages may be triggered as cyber policies are inherently broad. When you navigate how these types of events impact your insurance portfolio, it’s important to work with your insurance advisory team for more information and guidance about your specific coverage.
When should a claims notification happen?
If you were impacted by the outage, you should contact your insurance advisor to review the terms and conditions of your policy. They will help determine if it is appropriate to notice your policy, and what coverages may be triggered or impacted. Once you’ve made the decision to notify your insurer, it’s important to work with them to provide all pertinent information, including the dates and times of the outages, how it impacted your operations, sales from the prior year, two years, and three years. You may wish to hire a forensic accountant to review your financial information to assist with the claims process since some insurance policies may cover this cost.
Will this incident impact renewals?
It remains to be seen how this will play out in the insurance market as claims impacting lost revenues can often have a long tail. What we do know is that this is the largest scale outage of endpoints we have seen to date. Insurers have seen a major influx in the reporting of claims and this increased claims activity can be a driver of a hardened market. If you have a cyber insurance renewal coming up through the end of the year, work in close collaboration with your insurance advisor to learn about evolving market conditions well before your renewal. Whether or not you were impacted by this incident, an event of this magnitude may create a hardened market across the cyber insurance market.
What can we learn from this event?
Though we have yet to see the full repercussions of the CrowdStrike outage, there are some early lessons we can take away from this event, including:
- The importance of conducting risk assessments: Events such as these prove why it’s important to regularly conduct cybersecurity risk assessments within your organization, in addition to third-party risk assessments for vendors and service providers. And in instances where a cyber event does happen, cyber insurance may prove to be a valuable investment
- Assess your vendor requirements: Always be sure to review contractual agreements with your trusted legal experts so that you understand your organization’s rights, obligations, and liabilities. Consult with your legal team about how you might be able to ask vendors to purchase insurance before entering a formal agreement.
- Invest in prevention and remediation efforts: Because many organizations rely on an intricate web of technology providers, it’s important to create and continually test incident response plans for scenarios where third-party vendors experience events that impact your critical business operations. Since bad actors are opportunistic, be on alert for a potential influx of attacks, being sure to communicate with your employees that they need to be especially vigilant.
Navigating vendor risk and insurance
Because of the complex, overlaid risks all organizations face in a digitally interconnected business environment, it’s important to partner with a team of experts who understand the nuances of both cyber risk and insurance. Our team of cyber insurance experts can help you understand your company’s unique cyber risks and determine strategies that you can implement to respond to cyber events that may impact your critical business operations.
For more information, please contact your Baldwin Group advisor. The Baldwin Group’s Cyber Center of Excellence is here to help you navigate these intricate coverage questions, and assist you in managing the claims process.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
