The global Microsoft outage that grounded flights, canceled nonessential surgeries and halted operations for countless businesses could exceed $1 billion in insured losses, according to reports. The technology outage, which began July 19 after a faulty software update by CrowdStrike shut down 8.5 million Windows computers around the world, left many large and small companies unable to function — and some were still struggling to get back up and running nearly a week later.
Featured Solutions
Insurance industry experts expect that the outage will lead to an influx of business interruption claims, which could be covered by a company’s Cyber & Privacy Liability Insurance. While it is unclear how many businesses lost revenue during the blackout, the $1 billion estimate of economic costs is not surprising, said Derek Kilmer, Associate Managing Director, Broker, Professional Liability, Burns & Wilcox, Detroit/Farmington Hills, Michigan.
“This is one of the most severe outages that we have seen,” he said. “It is extremely serious.”
Smaller businesses were hit particularly hard by the outage, according to a Fortune report, with business owners from psychiatrists to restaurateurs sharing that they were unable to assist clients, pay employees or conduct other services. “This was probably the most impactful cybersecurity event in recent memory,” said Abby Egeh, Senior Underwriter, Professional Liability, Burns & Wilcox, Vancouver, British Columbia. “It was such an unprecedented event.”
Lost income during system outages may be covered by insurance
About 78 minutes after it began, CrowdStrike issued a fix for the outage, which some experts have called the largest IT outage in history, according to CNBC. The company also emphasized that the blackout was not caused by a cyberattack or any other security situation. However, it could reportedly take weeks for all computers to be fully restored, The Independent reported July 22.
For some industries, there has been a ripple effect where being shut down for three to four hours could cause days or weeks of issues.
“Every business was affected differently,” Kilmer said. “It may be affecting the small- and medium-sized businesses the most because CrowdStrike is taking care of the large-scale providers first.”
Many users were “back up and running fairly quickly,” Baxter added, but others were not. “It just depends on the industry,” he said. “For some industries, there has been a ripple effect where being shut down for three to four hours could cause days or weeks of issues.”
Cyber & Privacy Liability Insurance is designed to respond to cyberattacks by providing assistance with customer notification, investigations, data recovery and more following a data breach. The policy can also respond to non-malicious events such as the Microsoft outage. This coverage can help pay for lost business revenue, damage to computers or other systems, reputational harm, and more.
“It may not be the typical cybersecurity event that most business owners are considering because it was a mistake and not a malicious event, but it is still going to have a pretty substantial impact on the business,” Egeh said. “Most of the more robust Cyber & Privacy Liability Insurance policies have a section that addresses system damage and business interruption.”
Some business owners may forgo this coverage, not realizing its importance, while others may have policy limits that are insufficient for the potential losses they could face. “Many business owners would not have enough coverage to subsidize a long-term outage of days or weeks,” Kilmer said, so it is important to review these options with an insurance broker. “The policy can definitely provide the resources to get them back and up and running sooner rather than later if they do not have in-house IT support.”
System damage, lawsuits possible after outage
Waiting periods and deductibles for business interruption claims may vary on Cyber & Privacy Liability Insurance, so it is important to review policy selections regularly. According to Egeh, business owners “really need to think about how much time is going to pass before they start losing money” if their systems were shut down, she said.
Beyond solutions for the loss of business income, companies should also ask their insurance broker about how outage-related software damage and third-party losses could be covered by their policy. According to MIT Technology Review, unlike a ransomware attack, the Microsoft outage is unlikely to cause significant lasting damage to affected systems. However, if computers did suffer long-term damage from the outage, this could potentially be covered by Cyber & Privacy Liability Insurance, Kilmer said.
“There is always the potential that this event caused actual damage to the system,” Egeh added. “If your software is not working now or you have to put new systems in place, Cyber policies often have a system damage section that can provide coverage.”
This type of insurance could also help pay for legal defense and other expenses for lawsuits filed against the business over the outage. The outage was so widespread that there will “absolutely” be lawsuits filed in relation to it, Egeh said. Depending on the lawsuit, coverage may also be triggered under Professional Liability Insurance, Directors & Officers (D&O) Insurance or other policies.
“With hospitals being unable to access their client systems, for example, there may be damages that could arise out of this incident. There are other policies that may have to respond to this, as well,” she said. “A lot of policies could be triggered here.”
Understanding how your insurance could respond to a system outage is key, Baxter said. “Ask questions about limits, sublimits, and what can be negotiated,” he said.
Overreliance on tech could make companies more vulnerable
According to USA Today, CrowdStrike advertises that it is used by over half of Fortune 500 companies, while Microsoft provides about 85% of productivity software used by the U.S. government. In Canada, where the outage impacted air travel, emergency communications, and healthcare facilities, experts have warned about the threat of further outages due to increased centralization of data storage, the National Post reported.
Often with insurance, it takes a big loss for individuals to pay attention, and perhaps this is the big loss that will get them to pay attention.
“The more we rely on technology, the more of this that is going to happen,” Kilmer said. “Companies should be checking into their response plans and timelines for these situations and how quickly they can get up and running internally.”
Society’s increasing reliance on technology “is becoming a bigger issue every day,” Baxter agreed. “Some companies can continue to operate even if their computer system is shut down and some are 100% reliant on their networks being up,” he said.
In addition to purchasing Cyber & Privacy Liability Insurance, business owners should prepare their “plan B” for a system outage and ensure their systems are always backed up, Egeh said. “Be prepared with a different way to operate and understand the impact on your clients if your systems go down,” she suggested. “Firms that have outsourced their IT are probably feeling the hardest hit right now because those teams might be scrambling with all their other clients. Making sure you know your IT and their capabilities is an important risk management step.”
For some companies, the Microsoft outage could be the “wake-up call” that is needed to take greater cybersecurity risk management measures, including the purchase of insurance. “Often with insurance, it takes a big loss for individuals to pay attention, and perhaps this is the big loss that will get them to pay attention,” he said.
