One of our guests posed this question to me during a panel session at our launch event yesterday.
The timing was uncanny. We were launching our insurance entity amidst a significant IT outage that affected CrowdStrike and many of its customers globally.
Since then, many of you have also asked me the same question privately.
With more details coming to light, I'd like to share our perspective.
The CrowdStrike incident is considered non-malicious, but due to the complexities of cyber insurance, insurance coverage for such events can vary widely. While some policies might offer protection, others may exclude non-malicious events.
Let's first explore three key factors influencing whether such outages are covered.
One of the first things to consider is the specific exclusions outlined in a cyber insurance policy. Many policies differentiate between malicious and non-malicious events. An outage caused by a cyberattack, such as a DDoS attack, is more likely to be covered under typical cyber insurance policies.
However, coverage becomes less specific if the outage stems from a non-malicious event, such as a technical glitch or human error.
Policyholders must carefully review their policies to understand which scenarios are expressly excluded.
Another critical factor is the policy's waiting period.
This period must pass before insurance coverage kicks in after an incident occurs. For instance, if an outage lasts only a few hours but the policy has a 24-hour waiting period, the insured entity may not be eligible for a claim.
Sublimits also play a significant role. Even if the policy covers the type of incident in question, sublimits may cap the amount claimed for specific losses. For example, there might be a sublimit on coverage for business interruption losses caused by non-malicious outages, which could significantly reduce the payout.
Deductibles are another aspect to consider.
They represent the amount the insured must pay out-of-pocket before the coverage begins. High deductibles can render more minor claims impractical, as the costs incurred may not exceed the deductible.
Despite these complexities, the Crowdstrike incident highlights the critical importance of having cyber insurance.
IT outages can lead to significant financial losses, and having some form of coverage can provide a safety net to protect a company's balance sheet. Interestingly, the team at Protos Cover just conducted a Business Continuity tabletop exercise with one of our clients earlier this week.
IT service outages can happen to anyone at any time. It may affect your business, suppliers, or clients.
While navigating the nuances of policy details can be challenging, the potential financial impact of not having coverage is a risk that most organizations cannot afford to take.
In conclusion, while the answer to whether cyber insurance covers outages like the CrowdStrike incident is complex, understanding your policy's specific terms, exclusions, waiting periods, sublimits, and deductibles is essential.
These factors all contribute to the final determination of coverage.
At Protos Cover, we are committed to helping our clients navigate these complexities to ensure they have the protection they need in an ever-evolving cyber landscape.
Reach out to our team at Protos Cover for a detailed review of your policy and to ensure you're adequately protected against all possible cyber risks. Book a time with us here.