By now, you’ve probably read the headlines about the CrowdStrike outage, billed as the largest global outage event in history. Causing 8.5 million Microsoft-enabled machines to lapse into an infinite “blue screen of death” loop, this horrific system crash affected nearly 25,000 international flights, disabled emergency call centers, blocked customer logins for banks, delayed stock trades, shut down surgery suites, and inspired general business mayhem for days. CNN reported losses for the Fortune 500 alone could top $5.4 billion.
So, what caused such a catastrophic outage? Could it be ransomware? A large-scale coordinated attack from a hostile nation-state? A diabolical social engineering campaign? The answer is far more mundane—and scary. The bug resulted from a tiny glitch in CrowdStrike’s systems that got pushed out as part of a Microsoft update. Because CrowdStrike is a cybersecurity tool used by tens of thousands of companies, one small bug is all it took. Worse yet, many of those companies found out their cyber risk insurance wasn’t written to cover business losses due to this kind of outage. Let’s get into why.
The CrowdStrike Outage—What Happened?
CrowdStrike is a company that offers additional third-party cybersecurity tools that watch over the safety of your systems. This particular outage had to do with Falcon, CrowdStrike’s service that monitors all the individual computers and devices on its clients’ systems for suspicious activity—a type of tool known as “Endpoint Detection & Response.” This powerful tool learns what “normal” activity looks like on your system, so if a flurry of strange activity, out-of-place login attempts, or data dumps occur, Falcon can identify and turn off the actions before a hack can even be completed. CrowdStrike creates “templates” that tell the system what to flag to catch this activity. When Microsoft issues an update, CrowdStrike creates new templates that will work with Microsoft’s updated programming. A small problem with a single template caused a mismatch between the latest code and the computers reading it—creating an infinite blue screen login loop that made computers completely inoperable. A slip in quality control missed the issue before it was automatically pushed to all their clients’ endpoint computers.
Many Managed Service Providers, such as Integris, use a different EDR platform, so most of their clients were not directly affected by this particular outage. However, many companies, including one of our agencies, were impacted when the third-party systems we rely on were caught in the CrowdStrike outage. During that time, many insurance carrier sites and our agency management platform software were down, preventing us from making sales. So be sure to consider what other companies (and their systems) you rely on to run your business and protect it accordingly.
Why Were So Many Companies Uninsured for This?
Only a small handful of companies offer this essential type of cybersecurity monitoring, and CrowdStrike is considered a best-in-class tool. It’s not hard to see why so many companies and institutions trust them to watch over their systems. But here’s the problem: When a critical security system like this breaks, a small problem can bring businesses to a halt. Two aspects of cyber risk insurance policies come into play:
- Many policies are written to cover business losses from outages on your system. Unfortunately, CrowdStrike is a “third-party provider.” Because they caused the outage, some cyber risk insurers would not cover it, saying it was “out of scope” of their policies’ terms and…
- Many policies focus more on covering malicious outages than accidental outages like CrowdStrike. Including system failure coverage is not at all unheard of, but it does vary between policies and obviously costs more than not covering it.
Actuarial Post predicts the Cyber Risk Insurance industry will pay out about $1.5 billion in claims due to CrowdStrike—a fraction of the actual business costs in the market. Luckily, getting a cyber risk policy that ensures your business is covered for third-party systems and system failures is not complicated or prohibitively expensive. Here’s what you need to do to make sure you’re protected and getting your fair share when the worst happens.
How to Ensure You’re Covered for a CrowdStrike-Like Outage
Every company should have cyber risk insurance to help mitigate any costs associated with ransomware, malware, and other cyber threats. But if your business loses money quickly when its systems are out, a well-considered cyber policy is even more critical. If your business handles sensitive data (personal health records, consumer contact information, etc.) or operates in a highly regulated industry (financial services, etc.), your policy will need to be comprehensive, and your premiums will be higher. If you’re looking for cyber risk insurance or evaluating your current one, be sure to ask for a policy that covers:
This includes the lost revenue because of outages on your system and the business opportunities you cannot enjoy because of them. Think hard about what it might mean if your systems rendered you unable to communicate with clients, deliver services, or complete transactions. Also, consider any systems or software you depend on from a third party or vendor. Make sure you have Contingent Business Income Coverage for any business losses that might occur if third-party vendors or software that connects to your system go down.
System Failure Losses—
This type of loss arises from system failures, including those caused by human error, as in the CrowdStrike outage.
An Appropriate Deductible—
Commonly called a “Retention” on your Cyber Policy, this deductible is what you pay before the insurer begins paying—an amount your business can handle in case of a claim. Put this as high as your business can handle because that will lower your premium and allow you to buy more coverage in the case of a catastrophe. A catastrophe is what you’re buying insurance for anyway—right?
A Waiting Period Matched to the Speed of Your Business—
Most cyber risk policies have a “waiting period” around outage payouts. This means there are hours during your outage that are not covered, usually giving you time to put in a fix before the insurer must start paying. If your business can tolerate a longer waiting period before losses start piling up, you can use this as an opportunity to keep your premiums down. If every minute down means large transactions are lost, then a very short waiting period is in order.
Want to Ensure a CrowdStrike-Style Outage Doesn’t Take Down Your Revenues? Integris Can Help
EA Partners works with Integris to provide its Integris Cyber Insure to its clients. In my opinion, it’s one of the most comprehensive plans you can buy for the price. We’d love to help you create a customized cyber risk insurance plan to cover your organization for all the significant risks in our online world. Contact us today for a free consultation.