This article provides an update to a post published on July 23, 2024 by Mark Pring, Andy Moss, and Cristina Shea, which can be found here.
It has now been over a month since cybersecurity technology company CrowdStrike rolled out a defective software update that rendered over 8 million computers around the globe temporarily inoperable. The outage affected airlines, government agencies, banks and financial services companies, hospitals, manufacturers, retail stores, and broadcasting companies, among many others. While some computer systems were able to be restored in a relatively short time, the fallout from the CrowdStrike outage is ongoing.
Litigation Has Begun But the Outcome of Those Cases Remains Uncertain
Following the July 19, 2024 outage, various plaintiff groups have filed or are planning to file class action lawsuits against CrowdStrike. Shareholders have alleged that the company made false and/or misleading statements to investors regarding its internal controls and testing, resulting in substantial financial, legal, and reputational harm to the company.[1] Airline travelers have filed proposed class action lawsuits against CrowdStrike for harms and losses resulting from cancellations and delays.[2] Some of CrowdStrike’s customers are also reportedly preparing to file suit against the company due to alleged financial and reputational damage to their businesses because of the outage.[3] Further, some of CrowdStrike’s customers are reportedly being investigated by the U.S. Government over their response to the outage.[4]
All of this goes to show that what may start as a singular IT event can ripple across the economy, causing a variety of different losses and implicating a variety of different insurance coverages, including cyber (for system failure and/or business interruption loss), CGL (for third party lawsuits), and D&O (for government investigations).
Losses Are Still Being Calculated
Global insured losses related to the CrowdStrike outage are estimated to range between $400 million and $1.5 billion, potentially making it one of the largest cyber insurance losses ever. Given the unique nature of the occurrence and the different types of policies at play, it is still too early to accurately estimate the extent to which total losses will be covered by insurance.
Some Losses Are Expected to Be Covered by Insurance
For companies that have cyber insurance coverage and suffered a loss from the CrowdStrike outage, the claims process should be straightforward. As an executive from one of the largest insurance brokers recently stated, these losses are “absolutely something that is expected to be covered under cyber insurance.”[5] But in reality, it remains to be seen how vigorously insurance companies will push back on these claims.
Nonetheless, if a cyber policy has “system failure” coverage, then coverage for the CrowdStrike outage might be more likely. As one example, Beazley, a major cyber insurance carrier, offers policies providing coverage for “[b]usiness interruption loss that the insured organization sustains as a result of a security breach or system failure that the insured first discovers during the policy period.”[6] “System failure” in that policy means “an unintentional and unplanned interruption of computer systems.”[7] According to Beazley, this policy would cover situations when a system glitch causes a retailer’s point of sale systems to go offline and prevents the retailer from making sales.[8] This would appear to be exactly what happened to many companies during the CrowdStrike outage, where their systems unexpectedly went offline, disrupting their businesses and causing them to lose income as a result.
Limitations May Exist
Nevertheless, cyber policies vary widely and many policies have exclusions or limitations that may be applicable. For example, cyber policies covering business interruption loss may include a waiting period for coverage. Under those types of provisions, a certain amount of time has to pass—typically 8 to 24 hours—before business interruption losses under the policy are triggered. As a result, coverage may turn on the length of the waiting period and how quickly computer systems were restored.
Another area for potential limitation in coverage is whether an entity’s cyber policy protects only the policyholder against system failures, or whether coverage is extended to losses caused by disruptions to business partners or suppliers. Whether these types of supply chain losses are covered will depend on the specific language in the policies.
Policyholders Should Move Promptly to Evaluate Coverage and Plan for the Future
As always, it is best to get ahead of these potential issues as early as possible by reviewing your coverages and working with coverage counsel.
Few firms have the depth of experience and knowledge in this area that Reed Smith has. If you are considering bringing a claim for the CrowdStrike outage, or are interested in reviewing your current coverages, Reed Smith’s Insurance Recovery Group can help. As one of the firm’s premier practice groups, and with insurance recovery lawyers across the globe, we are uniquely positioned to serve our clients in all aspects related to losses arising from system and network outages and failures, cyber events, and other tech-related business interruptions. Our expertise in this space allows us to provide our clients with the most up-to-date knowledge and experience in identifying and accessing their insurance recovery options.
[1] Jonathan Stempel, CrowdStrike is sued by shareholders over huge software outage, Reuters (August 1, 2024), https://www.reuters.com/legal/crowdstrike-is-sued-by-shareholders-over-huge-software-outage-2024-07-31/.
[2] Jonathan Stempel, Crowdstrike is sued by fliers after massive outage disrupts air travel, Reuters (August 5, 2024), https://www.reuters.com/legal/crowdstrike-is-sued-by-fliers-after-massive-outage-disrupts-air-travel-2024-08-05/.
[3] Delta Air Lines CEO says CrowdStrike outage to cost carrier $500 mln, CNBC reports, Reuters (July 31, 2024), https://www.reuters.com/business/aerospace-defense/delta-air-lines-ceo-says-crowdstrike-outage-cost-carrier-500-mln-cnbc-reports-2024-07-31/.
[4] David Shepardson and Rajesh Kumar Singh, US opens probe into Delta following widespread flight cancellations, Reuters (July 23, 2024), https://www.reuters.com/business/aerospace-defense/us-opens-probe-into-delta-following-widespread-flight-cancellations-2024-07-23/.
[5] Evan Gorelick, Tech Outage Spurs Insurance Clients to Ready Cyber Claims, Bloomberg News (July 19, 2024), https://www.bloomberglaw.com/product/blaw/bloomberglawnews/insurance/BNA%2000000190-cd71-da8a-a99e-dff337b40003.
[6] Cyber BI Guide, Beazley.com, https://cyberservices.beazley.com/usa/bi_guide/policy_wording.html (last accessed Aug. 28, 2024).
[7] Id.
[8] Id.