A crack in the cyber insurance armour

Cyber outages like Crowdstrike reveal gaps in traditional insurance, stressing the need for better operational disruption coverage.

Voice&Data Bureau

On 19 July, half the world came to a standstill. Airports were clueless, hospitals ran helter-skelter, and banks and stock exchanges braced for the worst, fearing a devastating cyberattack. A couple of hours into this chaos, as more questions began to be raised, a seemingly nightmarish answer rose to the fore—the reason for such a worldwide outage that took down an overwhelming number of Windows PCs was a fault in a seemingly routine maintenance software update.

The issue brought to the fore potential trouble that could one day cost enterprises millions of dollars and damage their overall reputation. Cyber outages are different from cyberattacks but have a similarly significant impact on enterprises’ operations. As the Crowdstrike outage made clear, the consequences can be severe. Because of this, the question arises—can cyber insurance help cover companies in such situations?

Understanding the Outage

It is important to understand why cyber insurance is not a blanket answer and why the Crowdstrike outage happened. Put simply, the maintenance software update in question was a regular update called ‘sensor configuration update’. This update is regularly issued to an enterprise endpoint security platform, Crowdstrike Falcon.

Falcon is used in a wide range of industries, including aviation, healthcare, banking and financial services, and more. In this particular case, the sensor configuration update was being rolled out to devices running the Microsoft Windows operating system for enterprises, and the update in question was to ‘channel file 291’—which is not applicable to devices running on either Linux or Apple’s macOS computing platforms.

The faulty update file crashed Windows devices running the Crowdstrike Falcon enterprise security product. This, in turn, led to devices failing to boot and displaying what is called a ‘blue screen of death’, or the infamous BSOD.

The content delivery network and cyber security service provider published a blog detailing the issue and measures being taken to rectify it. On 20 July, Crowdstrike stated, “We understand how this issue occurred and are doing a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing. We are committed to identifying any foundational or workflow improvements that we can make to strengthen our process. As the investigation progresses, we will update our findings in the root cause analysis.”

In a blog post further elucidating the impact on the same day, David Weston, Vice-President, Enterprise Security at Microsoft, added, “While software updates may occasionally cause disturbances, significant incidents like the CrowdStrike event are infrequent. We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices or less than 1% of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of Crowdstrike by enterprises that run many critical services.”

What is more important is the context that Weston provided on this outage. The top executive said, “This incident demonstrates the interconnected nature of our broad ecosystem—global cloud providers, software platforms, security vendors and other software vendors, and customers. It is also a reminder of how important it is for us across the tech ecosystem to prioritise operating with safe deployment and disaster recovery using existing mechanisms.”

Crucial for Insurances

This bit of context is crucial in this regard. Cyber outages are typically infrequent, but when they happen, they can affect a wide range of connected platforms and bring them down. In the future, more severe outages can, at least on paper, also affect power grids, oil refineries, and high-security banking operations—businesses that are increasingly connected nowadays.

Insurance policies, to be sure, do not typically cover such events. Most cyber insurance policies are geared towards protecting enterprises from cyber breaches such as grave malware attacks or ransomware. In these cases, insurance providers take into account the work enterprises have done to adopt adequate cyber security postures, and offer damage coverage to account for the revenue lost by businesses due to these attacks.

However, outages work differently in this regard. They are not deliberate damages inflicted upon companies but occur due to mistakes. In March this year, a survey of enterprises by Uptime Institute found that 54% of companies’ most significant network outages cost over USD 100,000. For 16% of them, the cost of outages to enterprises was over USD 1 million.

Yet, cyber insurance policies differ widely in terms of covering outages. A whitepaper published by cyber security firm Sophos in June this year said that sectors such as energy, oil and gas, and utilities are likely to include third-party-induced downtimes in insurance policies that they pursue, largely due to the highly sensitive nature of their work. For other sectors, this priority is far less.

Case in point: a survey by Deloitte from October last year found that in India, over half of all enterprises have cyber insurance policies worth around USD 1 million or less—thus marking a lackadaisical and inadequate approach to cyber outages. Outage cover is unlikely to be a part of such small insurance coverage.

As a July report by S&P Global said, cyber outage insurance is available in the market but is not as widely adopted as cyber security insurance policies. Ryan Griffin, partner at US insurance brokerage firm McGill & Partners, flagged the Crowdstrike event as “a material event that causes a real re-evaluation of the scope of coverage being provided.”

However, experts in this sector said that the ground realities are different due to India’s vast diversity of enterprises. A senior executive at one of India’s top tech outsourcing firms, who requested anonymity, citing confidentiality of the company’s cyber insurance strategies, said that most enterprises differ in their outlook towards such incidents.

“All said and done, outages such as the Crowdstrike incident on 19 July are not everyday affairs. Most companies typically work in a distributed, multi-cloud environment for enterprises that generate up to USD 100 million in quarterly revenue. This further means that the chances of total outage for an enterprise are quite low. This puts off information security chiefs from spending on heavy cyber insurance policies—who mostly opt for standardised ransomware insurance policies in India,” the executive added.

“It is arguable if this rationale makes sense or not. With this Crowdstrike-Microsoft incident opening many eyeballs to the perils of connected infrastructure, perhaps we may see some rationalisation of cyber insurance costs, which could encourage more ventures to get outage covers, too,” he said.

By Vernika Awal

feedbackvnd@cybermedia.co.in
