Will the recent CrowdStrike outage trigger cyber insurance premium increases for end customers, MSPs or MSSPs? It’s a good question, particularly since the Crowdstrike outage wasn’t triggered by a cybersecurity event but instead by a system update issued by the company. How will insurance companies account for that?
Will Brooks, channel chief at cyber insurance provider FifthWall, explained to MSSP Alert that insurance companies may change how they insure CBI or contingent business interruption. CBI insurance is a type of coverage that protects businesses from financial losses caused by disruptions to their suppliers, customers or other third parties. CBI can be an optional rider to a standard business interruption policy and is sometimes called "dependent business interruption" insurance.
Brooks said that this kind of coverage could change in the wake of the CrowdStrike outage.
“We might see some kind of endorsement or exclusion around contingent business or dependent business interruption,” he said. That would represent a shift from what he called the “soft market of 2022/23,” when, in order to compete, many carriers offered CBI/DBI coverage, not only for a cyberattack but due to a network outage.
Understanding Your Policy is Critical
Brooks believes the moral of the story is to know what’s on your policy.
“Business owners across the board should be asking their agent if DBI coverage due to a third party is covered under their policy, as well as what the waiting period to file a claim is,” he said. “On most policies today it’s between 8-12 hours, so think one to one-and-a-half business days. I’m not sure how many businesses were back up and running in that time, but it's good to know how long your waiting period is.”
Will Cyber Insurance Premiums Increase Post-CrowdStrike?
FifthWall advisor Wes Spencer, co-founder of Empath Cyber, believes the jury is still out on the impact to insurance premiums.
“I don't think we'll see premiums affected all that much,” he told MSSP Alert. “But let me caution, it's too early to truly know. That might seem shocking, but the reality is that EDR (endpoint detection and response) is extremely important to cyber insurance overall.”
Spencer said he does expect carriers to reassess their "preferred" vendors.
“CrowdStrike has always been viewed as a top tier EDR, and honestly still should be,” he said. “But this is certainly going to cause many carriers to reassess which EDRs they wish to work with the most. It may also cause them to analyze their clients for concentration risk of having too many insureds with the same EDR.”
Addressing the Question of Liability
Spencer advised that MSSPs and MSPs could face legal action from their customers over the CrowdStrike outages. But the question remains, who is liable?
“The MSSP/MSP didn't make a mistake in this situation,” he said. “They used a reputable product. We'll see how courts decide. Regardless, MSSPs and MSPs who carry tech E&O (errors and omissions) policies will be thankful. Even if the MSSP or MSP isn't held liable, the E&O policy may cover legal fees and other court costs.”
Spencer reminded that the root cause of the CrowdStrike outage was user error — someone deploying an update that caused the outage. Because the bug was in CrowdStrike's Falcon platform update for Microsoft Windows, computers using other operating systems (e.g., Mac and Linux) were not impacted.
“We really saw no physical damages associated with this outage, no explosions, meltdowns or dams bursting,” he said. “That avoidance limits damages.”
Spencer added that it looks like the insurance carriers are doing all they can to limit their exposure. Even so, Fitch, a ratings services, estimates losses from this event won't surpass $10 billion globally.
“This means that the carriers have priced this risk in and can handle the damages,” he said.
Business Interruption May Not Be Covered in All Cases
However, Dustin Bolander, CEO of Beltex, a cybersecurity insurance policy designed for MSPs, told MSSP Alert that there are going to be a lot of people surprised to find out that they are not covered, as most cyber insurance policies are designed around an attack.
"I do not believe that many on the insurance side considered this type of incident," he said. "I was looking at a policy for a financial services company earlier this week and it specifically excluded software design flaws. My guess is we’re going to see a lot of exclusions for the business interruption coverages this falls under."
Related Article
More In-Depth Coverage of the CrowdStrike Outage on MSSP Alert
