Cyber insurers examine common tech dependencies after crash
Guy Carpenter will assess the impact on tail risk and the $15.5b industry.
Cyber insurers are urged to take advantage of the recent cyber outage to evaluate their policyholder dependencies, assess potential aggregations across commonly used technologies, and adjust risk tolerances accordingly, according to Guy Carpenter.
On 18 July, cybersecurity firm CrowdStrike released an update for its Falcon Sensor product, designed to detect threats at computer system endpoints.
The update caused widespread crashes on computers running Microsoft Windows, affecting various industries including airlines, banks, retailers, and hospitality. The issue has so far only impacted Microsoft systems with no reported effects on other operating systems.
Cyber insurance typically covers business interruption due to network outages, including those caused by system failures resulting from non-malicious acts like human error.
This coverage also extends to Contingent Business Interruption (CBI) if a vendor's outage impacts the insured's network operations.
Key to assessing network interruption claims will be the policy's waiting period, which varies from 4 to 12 hours depending on the industry and organisation size.
Though specific scenarios for widespread outages from software updates aren't typically modelled, analogous scenarios involving IT service disruptions can help estimate losses.
These models consider impacts on IT services, customer and sales effects, and recovery challenges. Guy Carpenter is working with cyber catastrophe vendors and conducting its own analysis to provide insights to clients.
Impacts on cyber reinsurance
System failure losses will be covered under traditional proportional and aggregate reinsurance structures. Recent trends show a shift towards targeted catastrophe covers that address specific scenarios.
Recoveries from these event-based products will depend on how coverage is defined between malicious and non-malicious incidents. Guy Carpenter will assess how this event affects tail risk assumptions and the broader $15.5b global cyber industry.
Companies involved or affected may face increased D&O claims, particularly if stock prices drop significantly, potentially leading to class action lawsuits or shareholder derivative suits alleging board breaches of fiduciary duty.
As technology integration continues, insurers need to consider the physical consequences of tech failures.
Exposure for P&C policies will depend on how cyber risks are addressed and whether policies include “silent cyber” exclusions.
Policies silent on cyber risks may face claims for bodily injury or property damage resulting from system failures.