Lessons learned: Andy Coleman explores the D&O impact of the CrowdStrike outage

By this point in time, we’re well used to seeing high-profile, highly publicised cyber incidents making the news. But in July of this year, one incident made global news, serving as a stark reminder of the vulnerability of our tech-driven society.

US cybersecurity firm CrowdStrike experienced a major outage due to a problematic software update. This issue caused crashes on about 8.5 million Windows devices worldwide, disrupting a huge number of industries, including finance, healthcare, and transportation. As a result, flights were grounded, payment systems stopped working, and many digital services went offline.

What made this widespread disruption notable was that it came as a result of a simple error rather than a malicious attack, and though the problem was found and corrected relatively quickly, the fallout lasted much longer.

Insurance Costs

The insurance cost of the incident was relatively low, with estimated insured losses ranging from $300mn – $1bn, a fraction of the costs of similar ransomware attacks.

The industry appears to have got off fairly lightly: the non-malicious nature and speedy fix likely limited the potential cost of claims. But is there a costly lesson here for directors and officers of companies impacted by the incident?

OneAdvent D&O Class Underwriter Andy Coleman doesn’t think so. As part of an in-depth investigation into the incident by Insurance Post, he commented:

“It’s hard to see a case for a D&O response to the incident and I don’t anticipate claims any time soon”.

The widespread and unexpected nature of the incident, and the fact that it was caused by an automated upgrade rather than any defined wrongful act, make it difficult to assign any negligence to any client director or officer.

Andy continued:

“Once the initial cyber and BI fall-out has cleared, there may be some who attempt recovery via a D&O policy, particularly in the American market where it’s much easier to bring an action. However, at the heart of the issue is the lack of a defined wrongful act.

I expect there will be some on the Plaintiff’s Bar who will try to sue after finding some small print in the licensing contract. There may also be an argument over why choose CrowdStrike vs. another provider, but this issue was so widespread, so unexpected, that it would be very difficult to assign any negligence to any board and its directors or officers”.

However, despite the relatively low cost to the industry, the CrowdStrike outage has provided a wake-up call to companies and insurers alike, particularly in understanding and managing their supply chains and the potential domino effect of this type of incident. But for now, at least, it appears the directors and officers are firmly off the hook… this time.

Read Andy’s insights in full here (subscription required).
