CrowdStrike outage: will cyber insurance respond?

Chris Erfurt, Mark Waller and Thanaphol Pattanasri
30 Jul 2024
The CrowdStrike incident has highlighted the fragility of digital networks, and it seems likely that further similar events will occur. Policyholders should critically review the scope of their existing cover and consider obtaining the broadest possible cover moving forward.

On Friday, 19 July 2024, many businesses were confronted with a blue screen of death.

The CrowdStrike software outage caused business interruption which, despite the relatively short duration, was significant for sectors such as financial services, transportation and healthcare, and may also have residual effects. The Australian Industry Group has reportedly estimated the damage bill to run into the billions of dollars.

In the meantime, affected policyholders should check their insurance policies, particularly cyber, to see whether they are insured.

Cyber insurance response

The scope of cyber insurance varies, but may comprise both cover for liabilities to third parties (eg. for data breaches) and cover for the policyholder's own first-party losses, including incident response expenses and business interruption losses caused by a cyber incident. A starting point is for policyholders to check:

  • What heads of cover (eg. business interruption) are included.
  • Whether the relevant insuring clause(s) has been triggered – in particular, if the trigger is a “Cyber Incident” or similar, how broad is that definition and does it encompass the CrowdStrike software outage? A broad trigger may extend to a failure or series of failures of an internal or external computer system (but the trigger may be narrower).
  • Whether there is any exclusion or sub-limit for a widespread event.
  • Whether there is any other exclusion which may apply to the outage or the losses.

If a policyholder’s systems were not directly affected by the outage, but those of their suppliers were, it is possible that business interruption cover extends to losses caused by events suffered by suppliers.

Most cyber insurance policies specify a “waiting period” or time deductible (usually as a number of hours, eg. 12) for which the incident must subsist for the insuring clause to be triggered or before a policyholder can claim.

If cover under the insurance is triggered, the policyholder will still need to prove that the relevant losses were “proximately caused” by the incident (in essence, that the incident was the reason for, not just a contributor to, the losses). In the COVID-19 business interruption insurance test cases, in which we acted for policyholders, insurers argued that outbreaks of COVID-19 within a 20km radius of a business were not a proximate cause of business interruption losses and that losses were caused by the broader outbreaks. The Full Federal Court of Australia rejected that argument and upheld the reasoning of the Supreme Court in the United Kingdom that if there are concurrent proximate causes of loss, cover may still be available provided that one of those concurrent proximate causes is not excluded by the policy (LCA Marrickville Pty Limited v Swiss Re International SE [2022] FCAFC 17). It remains to be seen whether and how insurers will approach causation in relation to claims related to the CrowdStrike outage, but the issue will be:

  • clearer if the policy expressly covers widespread events; and
  • potentially problematic for policyholders if the policy expressly excludes (rather than includes) losses caused by events suffered by suppliers, as that may be argued to be a concurrent proximate cause of the loss.

The quantum of any loss which a policyholder is entitled to recover will depend upon the policy limits, sub-limits, chosen mechanism for calculation (eg. revenue, gross profit or net profit) and relevant definitions, and the indemnity period (which may be limited to the duration of the event or may also extend to any “recovery period” spent dealing with residual effects). The policy may also contain a “trends clause” which provides for an adjustment to reflect, in essence, the results the business would have achieved but for the incident.

Other insurance

It is possible that traditional business interruption insurance policies may respond to the CrowdStrike outage, and for affected businesses that is worth checking, but typically those policies require physical damage as a trigger, and may also expressly exclude cyber incidents.

Other insurance policies like travel and event cancellation insurance could also be relevant.

Looking ahead

Affected policyholders should check their policies, seek legal advice if in doubt, and should not rely on general statements made by insurers, their industry bodies or brokers about whether and how policies respond or are “intended” to respond.

More broadly, the CrowdStrike incident has highlighted the fragility of digital networks, and it seems likely that further similar events will occur. Policyholders should critically review the scope of their existing cover and consider obtaining the broadest possible cover moving forward. Insurers may also seek to introduce exclusions to limit their exposure to similar future incidents (similar to “communicable disease” exclusions which were almost uniformly applied post-COVID-19).


Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.