Global IT outage: Who will foot the bill as insurance claims reach billions of dollars?

Insurance claims after last week’s global IT outage are expected to reach billions of dollars, with economic losses set to be even higher, analysts said. An IT outage caused by a faulty CrowdStrike software update on Friday disrupted operations across industries including aviation, health care and banking. The aviation sector was the worst affected, with several airlines cancelling flights amid the crisis. The issue has largely been resolved, but some portion of the losses will be covered by insurance providers, analysts said. “We expect increased litigation against IT providers and their insurance companies," Marcos Alvarez, managing director of global insurance ratings at Morningstar DBRS, told The National. " Ultimately, a portion of the economic losses generated by this global IT disruption will be borne by the insurance industry." IT providers will probably need to "trigger their own general and professional liability policies, which can potentially provide coverage for third-party cyber liability", he explained. While companies affected by the incident will also turn to their business interruption policies, most exclude coverage for cyber events. In that case, cyber insurance policies with business interruption coverage would be relevant for this type of event, Mr Alvarez said. Business interruption insurance is a type of commercial insurance that protects companies against loss of income suffered as a result of a suspension of its activity. Travel insurance claims are also expected to go up as after flights were cancelled or delayed. Delta Air Lines and its regional affiliates cancelled more than a quarter of their schedule on the east coast of the US by mid-afternoon on Friday. Other global airlines also announced disruption to schedules. Samer Hasn, market analyst at brokerage firm XS.com, said that, while the costs of the losses will fall on insurance providers, the incident is complex. "It is not yet possible to determine who is responsible for bearing this burden due to its wide geographical scope and the multiple affected industries, each of which may be covered by a different type of insurance policies," he said. “Cyber security policies only cover losses resulting from hacks and data loss resulting from cyber crimes and malware. Most importantly, these policies may exclude losses resulting from failures caused by employees or system failures resulting from some external factors.” He added that the policies may be bound by time clauses. For instance, it might require at least 12 hours of business disruption to trigger a claim. “Some of these policies require a minimum amount of losses or a period of time before the compensation clauses are triggered ... [also] not all insurance policies cover this special type of accident and it may [need to] be purchased or added to policies separately," Mr Hasn said. Most companies with a cyber insurance policy will probably file claims with their current insurers, said Mr Alvarez. "In terms of which part of the insurance market will bear most of the claims, we expect that speciality insurers [such as the large Bermuda reinsurers] and the Lloyd’s of London market will have the largest claims exposure to this event." Marsh, the world’s largest insurance brokerage firm, said “it is too early to say” the scale of potential claims in the global cyber insurance market, but that “there is a potential for cyber insurance claims, cyber contingent business interruption claims, and tech E&O claims”. E&O claims, also referred to as technology professional indemnity claims, arise as a result of negligence in the provision of professional services. “This is an unfortunate event, but one the cyber insurance market has anticipated,” said Simon Bell, managing director and cyber practice leader for India, Middle East and Africa at Marsh Specialty. “It’s exactly why organisations in the region need to actively assess their risk transfer mechanisms including the purchase of cyber insurance as a matter of priority.” On Friday, the UAE said the global outage had a minor effect on the operations of the country’s airports and airlines. The Ministry of Foreign Affairs said its electronic systems were affected and told customers to refrain from making transactions. The incident also had a limited effect on Saudi Arabia's government departments, state news agency SPA quoted the National Cybersecurity Authority as saying on Saturday.

Global IT outage: Who will foot the bill as insurance claims reach billions of dollars?

Travel insurance claims expected to go up after flights were cancelled or delayed during CrowdStrike incident, analysts say