Cyber Liability Insurance and Tech Outage. Lessons from July 19 Outage

Last week’s major technology outage, which disrupted numerous industries globally, has led stakeholders to reevaluate the language used in cyber policies. The absence of standardization in the cyber insurance sector has emerged as a significant concern.

This event is potentially the most notable cyber accumulation loss since the 2017 NotPetya attack, though the total losses remain unclear until certain variables specific to the cyber insurance sector are clarified.

The network outage will likely trigger extensive business interruption and contingent business interruption coverage within cyber insurance policies. Preliminary analysis suggests that coverage will include system failures due to non-malicious acts, including human error.

A crucial element in assessing network interruption claims is the policy waiting period – the time the network must be down before the policy activates. Typical waiting periods range from 4 to 12 hours, depending on the industry and organization size.

Standard time deductibles are generally between 8 and 12 hours but can be as short as 6 hours or as long as 24 hours. An examination of several leading cyber insurers’ policy wordings revealed varied approaches to covering “system failure” or “non-malicious” events. Some top carriers include this in their standard policies, while others offer it as an endorsement with restrictions in certain industries.

The outage might also lead to claims in other insurance lines, such as directors and officers insurance. For example, a stock drop in a publicly traded company affected by the outage might lead to class action lawsuits. However, historical data shows that securities class action litigation stemming from tech incidents has not been very successful. Additionally, derivative lawsuits alleging breaches of fiduciary duty could arise if companies struggle to resume operations.

There is potential property exposure from technology failures, especially if property and casualty (P/C) policies do not explicitly exclude cyber risks. Past incidents have highlighted “silent cyber” exposures, prompting many insurers to revise policy wordings. However, insurers who haven’t addressed this with specific exclusions might face property or bodily injury exposure.

Cyber insurers should use this event to evaluate policyholder supply-chain dependencies, assess potential aggregation across commonly used technologies, and recalibrate risk tolerances accordingly. They should maintain coverage until the full impact is clear.

The July 19 outage was caused by an update from an endpoint detection and response (EDR) provider, which crashed millions of Microsoft Windows devices. Although it was reported that less than 1% of Windows machines were affected, the economic and societal impacts were significant due to the EDR provider’s use by enterprises running critical services.

Despite the non-malicious nature of the incident, the automatic update resembled a supply-chain attack. The affected industries, including airlines and hospitals, cannot afford downtime, and recovery might extend over days or weeks. Many cyber insurers require EDR when underwriting, making enterprises using the EDR provider more likely to have cyber insurance. However, coverage extent and policy terms vary widely across the industry.

Insurers will need to assess each client’s policy individually to determine their exposure. The implications of this event on how coverage is triggered remain uncertain.

This network outage will clarify how coverage within original policies, reinsurance contracts, and catastrophe bonds applies to widespread incidents. Attention will focus on policy wordings, such as whether non-malicious events are covered and whether the event qualifies as a significant magnitude incident.

While the incident is likely to cause insured losses in the mid- to high-single-digit billion-dollar range, it is not expected to materially impact insurers’ financial results. However, it highlights the growing risk of single points of failure (SPoF). SPoF risks have been modeled for cloud outages and popular software but are less understood for industry-specific software. Using multiple vendors can mitigate SPoF risks but also adds complexity and costs.