The CrowdStrike outage has caused interruption to businesses in all sectors around the world, with those in the travel, healthcare and financial services industries particularly affected. With planes grounded and global payment systems impacted, even short outages in these sectors can quickly give rise to significant losses. Aaron Le Marquer, Head of Policyholder Disputes, considers some of the key legal issues that are likely to arise in considering coverage of CrowdStrike-related losses under cyber insurance policies.
The CrowdStrike outage is already estimated to have caused billions of dollars of losses to affected businesses. Cyber specialist insurer Beazley’s share price dropped by 7% on 19 July 2024, reflecting a market expectation that significant cyber losses would be incurred. In the meantime, affected policyholders should check the terms of their cyber coverage to consider the extent to which they are insured.
In a different context, business interruption (BI) coverage has fallen squarely in the sights of the English courts for the first time in recent years, as thousands of policyholders continue to seek indemnity for their pandemic-related losses. Although business interruption in the cyber context will no doubt give rise to novel coverage issues of its own, there will be valuable lessons to be learnt from the recent spate of Covid-19 BI litigation.
Insured peril
The first hurdle in making a valid business interruption claim (or, indeed, any insurance claim) is establishing that an insured peril (or “covered event”) has occurred.
This is by no means certain in the cyber context, since the coverage provided by cyber policies varies widely. Some products focus primarily on third-party losses arising from data breaches, with others tailored towards security failures and external cyber-attacks.
In the present circumstances, policyholders will need to look for insuring clauses providing coverage for “system failures” or similar. A peril with a broad definition, such as “an unintentional and unplanned interruption of computer systems”, provides wide coverage that may extend to the CrowdStrike incident; however, it may include carve outs for system failures caused by malicious attacks or other security breaches.
What if the policyholder’s systems were not directly affected by the outage, but their customers’ or suppliers’ systems have gone down, causing blocks in the supply chain that have affected the insured business? Some policyholders may still be covered if they have “dependent business interruption loss” cover or similar that expressly responds to covered events suffered by the business’s customers or suppliers.
Waiting period
Most policies specify a “waiting period” or minimum timeframe for which the insured event must continue before coverage is triggered, usually expressed as a number of hours. Depending on the drafting of the policy, this may be structured as a condition of coverage, incorporated into the scope of the insured peril itself, or take the form of an excess or self-insured retention. The distinction can be important when it comes to consideration of coverage. So, the contractual architecture of the policy and the relevant clauses will need to be fully understood to assess what coverage is available.
Causation
Having established that “system failure” or another insured peril has occurred, the policyholder must also demonstrate that its loss was proximately caused by the peril (and not just contributed to by it). The claim will fail if the effective cause of loss was something other than an insured peril.
Causation in business interruption came under close scrutiny by the Supreme Court in FCA v Arch (the FCA Test Case), where it was determined that millions of occurrences of Covid-19 in the UK were each an equal and effective cause of the first UK government lockdown. A single occurrence of Covid-19 within a specified radius of the policyholder’s premises was therefore sufficient to establish the insured peril in the context of a “notifiable disease” clause.
Importantly, the Supreme Court in FCA v Arch also overturned the “wide area damage” principle first set down by the High Court in Orient Express v Generali. In that case, which concerned a business interruption claim brought by a hotel in New Orleans damaged by Hurricane Katrina, the insurers argued successfully that the proximate cause of the hotel’s loss was not the damage to the hotel itself but damage to the wider area. “But for” the damage to the hotel, the insurers said, the hotel would still have suffered the same loss anyway. The damage to the hotel was not, therefore, the proximate cause of loss, and the claim was not covered.
In FCA v Arch, the Supreme Court rejected that argument. Instead, it ruled that the correct analysis should have been one of concurrent causes, meaning that applying the “but for” test was inappropriate. Applying that conclusion to the pandemic meant a policyholder was not required to demonstrate that an occurrence of Covid-19 within a radius of its premises was a “but for” cause of loss. It did not matter that the policyholder’s losses were also caused by thousands of other cases of disease outside of the radius.
It is too early to say whether insurers will raise similar causation arguments in relation to cyber BI claims arising from a global event such as this. However, if they do, policyholders will need to study the reasoning in FCA v Arch closely to resist such an approach.
Exclusions
Having established a prima facie claim, policy exclusions must also be considered. If the loss claimed was proximately caused (even concurrently) by an excluded cause, the claim will fail. The insurer bears the burden of proving that an exclusion is engaged, but in practice, insurers regularly rely on exclusions to deny claims and expect the policyholder to prove the exclusion does not apply.
In the context of the CrowdStrike outage, relevant exclusions that might be engaged include the following:
- War
This is a controversial topic in recent times, following the introduction of mandatory cyber war exclusions by Lloyd’s of London. There appears to be no suggestion at this stage that any third party intentionally caused the CrowdStrike outage. However, were such allegations to surface with any hint that the attack may have been state-sponsored (or even “state-aligned”), the provisions of war exclusions may be engaged.
- Reasonable precautions
A typical exclusion excludes loss arising from a failure on the policyholder’s part to ensure that all systems are maintained to industry standards. Where an outage has affected businesses worldwide, policyholders may appear to have a good defence to any reliance on such exclusions. However, insurers may point to other businesses with similar systems that were not affected in the same way as evidence that the policyholder did not maintain its systems to reasonable industry standards.
- Suppliers and service providers
In some policies, cover for losses caused by insured events suffered by third-party suppliers is expressly excluded, rather than expressly covered as described above. This could be important in the present context, where both the policyholder and its third-party supplier have suffered similar systems failures as a result of the outage. In those circumstances, insurers may argue that there are concurrent causes of loss, one of which is excluded, and that, in accordance with Wayne Tank & Pump Co. Ltd v Employers Liability Incorporation Ltd, the claim will therefore fail. Again, the reasoning in FCA v Arch will be vital to defeating such arguments.
Quantum
Having established that a claim is covered and not excluded, what losses can typically be claimed under a cyber policy?
The core business interruption cover will typically be structured in the same way as any other form of “non-damage” BI clause: cover is provided for a loss of “income”, “revenue”, “net profit” or “gross profit”. However, somewhat surprisingly, these terms are often less well defined in the cyber context than in a traditional BI policy, meaning the true scope of cover may be ambiguous and subject to dispute. In addition to lost income or profit, most policies will provide for increased costs of working reasonably incurred to avoid a loss of profit. Cyber policies frequently also provide standalone cover for remediation and crisis response costs that sit outside of the business interruption cover.
The value of the covered claim will also depend on the indemnity period provided for in the policy. Some policies will restrict the indemnity period to the period during which the insured peril continues. Others will allow for an additional “restoration period” or a more traditional indemnity period, defined simply as the period during which the results of the business are affected by the interruption. This can make a stark difference to the level of cover provided since some businesses will continue to be affected by the outage long after it has been rectified.
Finally, the quantum of the claim will depend on forensic expert evidence to demonstrate what the performance of the business would have been in the absence of the insured peril and its underlying cause. Here, causation arguments again surface. It is important that insurers do not seek to argue that the business would, in any case, have been affected by the wider circumstances of the incident, regardless of any failure of its own systems. Following FCA v Arch, such an approach is impermissible.
Comment
The CrowdStrike outage may or may not give rise to a flood of cyber BI claims. Either way, it serves as a good reminder to policyholders to check the level of cover held and consider what claims could be pursued either in the present case or if future system failures give rise to even more catastrophic losses. The wide variance of cover available in the market means that policies are far from equal. It is therefore essential that policyholders have a full understanding of both the coverage available in the market and the coverage they have purchased.