In Focus: Are cyber insurers prepared for BI claims after July’s global outage incident?

When a faulty software update from cyber security firm Crowdstrike in July 2024 led to a mass, global IT outage, business interruption (BI) claims became front and centre of cyber insurers’ minds.

The widespread incident affected Windows hosts, with sectors such as aviation reporting disruption as planes were grounded.

While this was clearly not a malicious attack, the outage does fall into the cyber insurance category – this is because most of these policies have triggers for a system failure.

According to cyber insurance firm Coalition, many cyber products include coverage for contingent BI events that “result from the failure of computer systems, including applications, hosted by contingent third parties, such as cloud services and software as a service (SaaS) providers”.

Andy Parkin, client director for cyber, data and crime at broker JM Glendinning, told Insurance Times that the recent outage “has the potential to lead to a significant number of BI claims under cyber insurance policies”.

He said: “At this moment, it’s clear that the incident had a widespread impact – particularly in sectors like travel, financial services and healthcare.

“However, what is covered and by which policy will depend on specific facts and [the] circumstances of the BI event [due to] specific policy wording, as some BI events were caused by wider non IT failure, such as cancelled flights.”

System failure focus

In turn, Lindsey Nelson, head of cyber development at specialist insurance provider CFC Underwriting, said the outage incident was likely to refocus the cyber market’s attention onto systemic risk as a result of system failure events rather “than us continuing [to] debate and become distracted by the noise surrounding war and infrastructure risks”.

She added: “With all that focus on war, [for example], when it came to systemic risk, we actually forgot that it was only a subsection of [what] cyber policies intend to cover and that systems failure [are] so much more prevalent in exactly what underwriters think and price for when assessing risk.”

This type of refocus could be a crucial move given that system failures are becoming more prevalent – for example, technology assistance provider Entech Technical Solutions claimed that 48% of companies report technology-related performance issues daily.

If there are more system failures occurring, then this is inevitably going to lead to more BI claims. Parkin warned that claims were rising in general within the cyber marketplace.

He said: “As more companies are beginning to see [the] financial protection a comprehensive cyber insurance policy provides and adding this coverage to their risk and insurance programme, we are beginning to see an increased number of claims, predominantly attributable to [the] fact they have cyber insurance in place.”

Ransomware

System failures can be caused by two things – some form of network or software failure, or as the result of security breaches.

Cyber security firm SentinelOne said that breaches were, to this date, “the primary cause of system compromise” with threats such as ransomware increasing downtime.

In February 2024, a report from Node4, entitled Mid-Market IT Priorities Report 2024, revealed that IT decision-makers from the insurance sector felt that ransomware was the top cyber security risk for 2024.

This came after cyber underwriting specialist Corvus Insurance said there were a total of 4,496 victims worldwide on ransomware leak sites in 2023 – surpassing 2022’s total of 2,670.

Tom Egglestone, global head of claims at cyber firm Resilience, said that ransomware has had an impact on BI claims within the cyber insurance marketplace.

He said: “I remember a time where my underwriters would come to me and say ‘have we had any BI claims yet’ and I would say ‘no, we’ve not had any yet I’m afraid.’

“But I would say the development of ransomware has had a significant impact on that because when you’ve got ransomware threat actors encrypting systems and preventing the insured from being able to undertake their business, that leads to BI.”

Prepared?

The good news is that BI is nothing new for the insurance industry – it is common knowledge that these policies exist to cover insureds for losses due to an unexpected event.

However, according to a 2016 report by DAC Beachcroft, entitled Business interruption in the cyber domain, cyber BI claims have been a “relatively untested area” for insurers.

Within the report, Ben Hobby, a former partner at international forensic accountancy RGL Forensics and current partner at Baker Tilly US, said: “Insurers are very much in uncharted territory when it comes to cyber BI and are to some degree relying on the experience of physical BI claims.

“The challenge is to understand the nature of cyber BI and how it differs from physical BI.”

So, with these types of grey area claims becoming more common, have cyber insurers managed to get a hold on how to handle BI claims?

Parkin’s view is that insurers have become more selective in their underwriting approach over the past couple of years.

He said: “They are conducting more thorough assessments of a company’s cyber risk profile, cyber security practices and incident response.

“Cyber coverage continues to evolve, with some insurers capping the amount of coverage for high risk sectors to help manage potential losses.

“Others have increased the use of exclusions, like nation-state attacks, and introduced sub-limits for specific areas of coverage.”

Egglestone added that cyber was an “ever-changing” risk and that there was more variety now in how BI claims can present themselves.

However, he added: “A lot of people have been handling BI claims for years and there’s also a very well developed network of vendors and forensic accountants that can provide services with more complicated BI claims.

“In cyber, there’s a growing development of the expertise in that area because it’s a relatively new product. So, as time goes by, insurers are only getting more and more adept at understanding and adjusting those BI claims.”