After a software update for CrowdStrike’s Falcon Sensor product caused a mass global IT outage last Friday, there’s been a lot of discussion in the risk transfer industry about the potential fallout, as the event is expected to test the cyber insurance and reinsurance marketplace.
In its analysis of the cyber incident, reinsurance broker Guy Carpenter notes how the event demonstrates a single point of failure for a complex, global IT supply chain.
“Cyber insurers should use this event to evaluate policyholder supply chain dependencies, assess the potential for aggregation across commonly used technologies, and recalibrate risk tolerances accordingly,” says Guy Carpenter.
As highlighted by the broker, cyber insurance provides for broad coverage of business interruption resulting from network outage, and the trigger for this protection includes system failure resulting from non-malicious acts, including human error, which extends to contingent business interruption (CBI) caused by an outage of a vendor on which an insured relies to operate its network.
“Critical for evaluating network interruption claims will be the policy waiting period for which the network must be impaired before the policy responds. Typical cyber waiting periods vary depending on industry class and organizational size with 4–12 hours being most common,” explains Guy Carpenter.
Adding, “CBI losses arising from a widely deployed technology present reinsurers with an acute risk for unexpected aggregation. Technologies with large market shares create potential single points of failure that can lead to systemic events yielding claims from a large number of insureds.”
While Guy Carpenter expects system failure losses to be in scope for traditional proportional and aggregate structures, the broker notes that at recent cyber renewals, reinsurance buying behaviour has shifted towards targeted catastrophe covers, which in many instances respond to specifically defined catastrophic scenarios.
“Event-based products and the definitions behind them are unique to the cedent’s view of risk and how coverage was negotiated. Recoveries from event- based products will differ based on how each underlying wording differentiates coverage between malicious and non-malicious cyber incidents,” continues Guy Carpenter.
While this event is expected to be somewhat of a defining moment for the cyber re/insurance market, Guy Carpenter has warned that given the magnitude and scope of the outage, “we may see consequences that affect product lines beyond cyber risk, most prominently directors & officers (D&O) and property/ casualty (P&C).”
“We may see implications on the D&O towers for companies both involved in or impacted by today’s incident. In general, a 10% intraday stock drop for a publicly traded company may incentivize the plaintiffs’ bar to file a class action lawsuit. Subsequent share price moves and any ultimate recovery may also impact the likelihood of litigation,” says the firm.
Historically, explains Guy Carpenter, securities class actions arising from technology incidents have fared poorly. But in addition to securities class actions, the reinsurance broker warns that firms that are involved in or impacted by the mass outage may face greater exposure if they struggle to restore operations and may also face shareholder derivative suits alleging the board’s breach of fiduciary duty.
In terms of P&C reinsurance impacts, Guy Carpenter underlines that given the ongoing integration of IT and operational technology, insures must also consider the physical consequences that may arise from technology failures.
“Potential exposure for P&C policies will depend on how insurers address cyber as a peril and whether the policy includes a “silent cyber” exclusion. Policies remaining silent on cyber risk may be exposed to ensuing bodily injury or property damage as a result of cyber-related system failure,” concludes the broker.
0 Comments