Cyber liability insurance policyholders have begun notifying insurers of potential business interruption and system failure claims as companies continue to reboot their systems following the massive CrowdStrike-related outage late last week.
In many cases, cyber policies should respond, though payouts will be determined by individual wordings, size and breadth of deductibles, and proof of financial loss, cyber experts say.
While total losses related to the incident are expected to be in the billions, they are not expected to reach reinsurance layers.
Numerous organizations, from airlines to health care facilities to government agencies, reported problems with their systems and operations Friday. The outages were caused by a faulty software update at CrowdStrike Inc., whose cybersecurity software is used by many organizations.
In a letter to customers posted on CrowdStrike’s website, the company apologized for the outage and said it quickly deployed a fix.
Companies that were affected by the outage have already begun notifying insurers that they may have claims, and many cyber liability policies are worded in ways that would provide coverage, experts say.
“This is a system outage event, not a cyberattack. A well-crafted cyber insurance policy should include system failure/accidental outage coverage,” said Meredith Schur, New York-based U.S. and Canada cyber practice leader at Marsh LLC.
As of Friday, more than 75 Marsh clients had notified their cyber insurers of potential claims, she said.
“This is an unfortunate event but one the cyber insurance market has anticipated. It is exactly why organizations purchase cyber insurance,” Ms. Schur said.
Policy provisions likely to respond to CrowdStrike-related claims include coverage for business interruption losses, system failure losses and contingent system failure losses, said Adam Lantrip, Atlanta-based executive vice president, professional and cyber solutions practice leader, at CAC Specialty.
Larger policyholders will likely have comprehensive coverage, but smaller companies may have more restrictive policy wordings, he said.
“It’s likely that insurers would be on the hook, or at least there will be claims triggering the policies. Whether they get over the waiting period or the dollar retention is still too early to determine,” he said.
Deductibles and waiting periods vary by policy, Allen Blount, New York-based national cyber practice leader at Risk Strategies Co., said in an email.
“A waiting period can be as little as eight hours to as high as 24 hours, with 12 hours being most common for middle market-sized companies. Deductibles can be as low as $5,000 to as high as $1 million or more,” he said.
Policyholders who think they will have a claim should determine when they were affected by the outage, document their losses, tabulate normal and customary income versus what was recorded during the outage, determine which of their vendors were affected and notify their insurers, Mr. Lantrip said.
Preliminary market estimates for global insured losses from the incident are in the mid-to-high single-digit billion range, which would not reach most insurers’ reinsurance layers, Fitch Ratings Inc. said in a note.
“We expect claims will be mostly within the retentions of primary insurers,” Fitch said.