The recent global IT incident caused by a technical error in CrowdStrike’s Falcon security software has brought to light a critical and often overlooked aspect of cyber insurance—the necessity to expand risk considerations beyond traditional cyberattacks.
The incident, which originated from a faulty update, affected around 8.5 million devices and caused severe disruptions across multiple sectors, including airlines, supermarkets, and financial institutions.
Insured losses from this incident are expected to be the largest from a single cyber event since the NotPetya attack in 2017, with estimates from insurers suggesting a $5.4 billion impact on US Fortune 500 companies. Interestingly, the estimated insured damages for American companies alone range from $540 million to $1.08 billion, accounting for only 10% to 20% of the total disaster cost. This underscores the evolving nature of digital risks and the urgent need for insurers and companies to adapt proactively.
Expanding risk considerations
Cyber insurers must recognize that technical errors, like the one seen in the recent CrowdStrike incident, can be as disruptive as malicious cyberattacks. Errors of this nature can lead to significant business interruptions, data loss, and financial damage. Despite these significant losses, CrowdStrike’s liability is reportedly limited to the fees paid by affected companies.
Insurers need to revise their policies to include coverage for technical glitches, ensuring comprehensive protection for their clients. Some policies already acknowledge this need, covering business interruptions caused by non-malicious events.
However, there is still room for improvement and broader adoption. Aon, a leading global professional services firm, conducted an analysis of prominent cyber insurance policy wordings, revealing a range of approaches to coverage triggered by system failures or non-malicious events. The findings suggest that deviations from standard policy forms are common, with insurers frequently adding system failure coverage through endorsements or, conversely, restricting coverage for specific risks and industries of concern.
From disaster recovery to IT resilience
Businesses must shift their focus from merely recovering from disasters to building IT resilience. This approach ensures that technical errors are managed as tolerable incidents rather than full-scale disasters. IT resilience involves proactive measures such as regular system updates, rigorous testing of backup systems, and robust disaster recovery plans. The CrowdStrike incident serves as a critical reminder that even non-malicious events can have devastating impacts if not properly managed.
To enhance IT resilience, businesses should diversify their data storage solutions, using both cloud-based and on-premises systems to prevent data loss from a single point of failure. Implementing redundant systems ensures continued operations during a technical error, while regular testing of backup and recovery systems helps identify and address potential vulnerabilities. Employee training on best practices for IT resilience and disaster recovery is crucial for minimizing the impact of technical errors.
According to IBM, the global average cost of a data breach in 2023 was USD 4.45 million, marking a 15% increase over the past three years. In response to these breaches, 51% of organizations plan to boost their security investments. These investments include incident response planning and testing, employee training, and threat detection and response tools.
Potential changes in the insurance landscape
The insurance landscape is likely to evolve in response to such outages. Insurers may revise their policies to better cover technical errors and ensure that their clients have adequate protection against a broader range of risks. This evolution will require insurers to engage in open dialogue with clients, helping them understand the importance of comprehensive coverage and the specific risks they face. According to the Insurance Information Institute, cyber insurance premiums are projected to double over the next decade. In 2022, premiums totalled $11.9 billion, and they are expected to reach $22.5 billion by 2025 and increase to $33.3 billion by 2027.
Business interruption, dependent business interruption, data restoration, incident response, and voluntary shutdown costs are expected to be the most directly affected areas of damage. According to Aon, the size of the loss will depend on the prevalence of system failure coverage, which varies across the cyber market, and on how long it took companies to resolve the problem compared with the waiting periods in their cyber policies. Standard time deductibles for business interruption coverage typically range between eight and 12 hours, but these can be as low as six hours or as high as 24 hours because they are negotiated on a case-by-case basis.
The necessity of coverage for technical errors
In today’s tech-dependent world, insurance coverage for technical errors is not just a luxury but a necessity. Businesses rely heavily on IT systems for their daily operations, and even minor technical glitches can result in significant disruptions. Insurers must emphasize the importance of such coverage and work towards making it a standard inclusion in cyber insurance policies.
The CrowdStrike incident also highlighted the vulnerability of interconnected systems and the potential for cascading failures. For instance, the outage caused gate screens to turn blue and blank at Denver International Airport, leading to significant disruptions in flight operations. Globally, over 5,000 flights were canceled, representing 4.6% of scheduled flights for that day.
As the digital landscape continues to evolve, so too must the strategies employed by insurers to protect their clients. The need for comprehensive cyber insurance that covers a wide range of risks, including technical errors, has never been more apparent. Insurers must rise to the challenge and provide the protection that today’s businesses require. Only then can we ensure that the digital economy remains resilient and robust in the face of an increasingly complex threat landscape.