What some call the largest IT outage in history was caused by a faulty software update, not a cyber attack. But the team at Broadstone thinks the CrowdStrike debacle this summer will move the cyber liability insurance market anyway. “The CrowdStrike event, along with other recent cyber incidents like MoveIT, Change Healthcare, CDK Global, and Snowflake, highlights the significant systemic risks in our digital supply chain,” says Bharat Raj, Head of London Markets at Broadstone.
Among other impacts, the CrowdStrike event is proof positive of the interconnection and interdependencies in the global IT system, where even a single error (or hack?) has the potential to disrupt businesses across the world. This highlights the limits of current cyber risk modeling, according to Broadstone, a UK-based consultancy known for its expertise in areas such as insurance and data analytics. Cyber insurance brokers and companies are now working to create comprehensive inventories of technology assets to better assess such vulnerabilities, according to the Broadstone report. All of this feeds into the debate over systemic risk posed by cyber events and the so-called “insurance gap” between what’s covered now and the total downside of a systemic cyber attack (and growing calls for governments to back-stop the insurance industry for systemic risks).
One concrete impact from the CrowdStrike mess, Broadstone suggests (and we agree), is more demand for coverage of cyber losses, such as business interruption, caused by “non-malicious causes.” Cyber security insurance buyers are no doubt asking themselves: “If I’m covered for criminal hackers taking down my system, am I also covered if a screw-up by a software vendor has the same impact?”