Editor's Note: This article originally appeared in Carrier Management. Reprinted with permission, this piece contains helpful tips for all organizations that rely on third-party software and firmware updates in their day-to-day operations.
Imagine arriving at London’s Heathrow Airport only to find your flight merged with two others and chaos reigning supreme with baggage scattered everywhere. This was the real-life impact of the recent Microsoft outage, experienced firsthand by many travelers. The global implications of this outage extended beyond delayed flights and lost baggage, underscoring the vulnerabilities in our digital ecosystem and the need for thorough preparedness.
The Microsoft-CrowdStrike outage occurred on July 19, 2024, and had immediate and widespread impacts, affecting businesses globally. The outage was reportedly sparked by a botched CrowdStrike software update and took thousands of Microsoft systems around the world offline.
Operations were halted, data access was disrupted, and communication breakdowns occurred. Hospitals faced delays in patient care due to inaccessible medical records. Grocery stores experienced supply chain disruptions that affected inventory management. Airlines dealt with flight cancellations and rescheduling problems. Financial institutions experienced transaction delays and security concerns. Retail businesses struggled with point-of-sale system failures and customer service interruptions. According to Microsoft’s blog, the outage impacted approximately 8.5 million Windows devices, demonstrating the extensive reach and severity of the event.
The incident was a wake-up call for businesses about the importance of robust cybersecurity measures and reinforced the need for testing and contingency planning in patch management processes. It also shed light on the vulnerability of interconnected systems and the role that major service providers play in the global economy, where a single failure can cascade into substantial economic losses and operational setbacks. According to GovInfoSecurity, losses from this event could cost cyber insurers $1.5 billion, with overall monetary losses to businesses anticipated as high as $5.4 billion, as reported by DarkReading.
Understanding the terminology is crucial to grasping the full scope of such incidents and the insurance coverage that may apply. Two key terms are contingent business interruption (CBI) and contingent system failure (CSF).
CBI and CSF impact businesses differently, so from an insurance standpoint, they are not always covered the same way. Insurance policies for CBI focus on losses from supplier disruptions, while CSF coverage addresses failures in critical systems. Payouts can differ based on the cause of the interruption and the specific terms of each policy.
Businesses need separate plans for each scenario. A CBI plan might focus on alternative suppliers and maintaining supply chain resilience. A CSF plan could emphasize cybersecurity measures and backup systems to keep operations running smoothly.
By understanding these differences, business leaders can manage risk comprehensively and better prepare for potential disruptions.
The Microsoft-CrowdStrike outage revealed key lessons in vendor management and business continuity. It called attention to the need for rigorous vendor management and quality assurance to ensure the robustness and security of vendors’ systems. Further, the incident underscored the significance of business continuity and incident response plans to quickly address and mitigate disruptions.
Quality assurance, in this context, refers to the systematic process of validating that vendors’ products and services meet specific standards of quality, particularly in their update and patch management protocols. Vendors, including major technology providers like Microsoft, must be rigorously assessed to confirm their systems are secure, reliable, and functioning as intended. Essential questions to ask vendors include:
Maintain an ongoing dialogue with vendors about their security measures and incident response capabilities. Establishing clear expectations and performance benchmarks can help ensure that vendors adhere to the highest standards of cybersecurity.
Robust business continuity and incident response plans, with alignment and buy-in from all areas of the organization, will help ensure you have the decisions and processes in place if an incident occurs. Having these plans in place ahead of time will allow you to act more quickly to minimize adverse impact. Key elements include:
Such plans allow businesses to respond to disruptions quickly and efficiently, minimizing downtime and associated costs.
In the wake of significant cyber incidents like the recent Microsoft outage, businesses are increasingly recognizing the importance of proactive risk management strategies. Such incidents underscore the need for holistic approaches to identify vulnerabilities and prepare for potential disruptions. Implementing effective risk management practices can help businesses minimize the impact of outages and support continuity of operations. Additionally, having appropriate insurance coverage, such as cyber liability insurance, can provide crucial support for businesses affected by cyber incidents.
Tabletop exercises are an effective way to prepare for cyber incidents. These simulated scenarios help teams practice their response to various threats, identify weaknesses, and improve coordination. By conducting regular tabletop exercises, businesses can mitigate the impact of outages and cyber incidents.
These exercises also foster a culture of preparedness, so employees feel more confident about handling real-world crises. For instance, during the Microsoft outage, organizations with well-rehearsed response plans were better positioned to manage the disruption and maintain operational stability. Insurance coverage that includes incident response costs can be particularly beneficial in such scenarios.
The Microsoft outage emphasized the importance of addressing human factors in cybersecurity. To minimize human error, organizations need to provide regular employee training, as well as implement robust oversight, review, communication, and documentation processes.
Vendor management and continuous oversight are also critical for mitigating risks associated with human error. By establishing strict protocols and fostering a culture of accountability, businesses can reduce preventable mistakes that could lead to system failures.
Business interruption coverage and cyber liability insurance that includes human error can help businesses recover more swiftly from incidents like the Microsoft outage, fostering resilience and a sustained security posture.
Understanding your cyber policy is important to identify the protection it offers against different types of cyber risks and interruptions, such as issues from third-party vendors or direct system failures. By knowing the coverage details, exclusions, and limits of your policy, you can better prepare for potential disruptions and mitigate financial losses.
A thorough understanding of your cyber policy can improve your organization’s resilience. In the Microsoft-CrowdStrike example, a cyber insurance policy covering only CBIs but not CSFs may not be adequate for an impacted business. Each organization can look at its unique systems and processes to determine the best cyber policy for its needs. Key aspects to consider include:
Businesses need to work closely with their brokers to tailor policies that address their specific risks. This typically involves conducting a thorough risk assessment to identify potential vulnerabilities and aligning coverage with those risks.
Sublimiting refers to the practice of setting lower limits for specific types of losses within a policy. This can have significant implications for businesses. Study your policy limits and exclusions to determine how your policy would respond to various claim scenarios. Do you have adequate coverage?
For example, if your policy has a sublimit on contingent business interruption, the payout may be insufficient to cover all your losses from a third-party outage. Engaging with your broker to understand these limits and negotiating higher sublimits where necessary can provide better protection against extensive losses.
The Microsoft and CrowdStrike outage showed us that cybersecurity isn’t solely the responsibility of third-party providers. Moving forward, this incident should prompt a reassessment of cybersecurity strategies, increased investment in robust defenses, and a review of insurance policies. The potential for far-reaching consequences, from global economic impacts to the devastation of smaller businesses, emphasizes the necessity of these forward-looking measures.
As cyber threats continue to evolve, stay ahead by anticipating and preparing for future challenges. For questions or additional information, you can reach a cyber insurance and risk management specialist through our secure contact form.
Allen Blount is a Cyber Practice Leader at Brown & Brown. He specializes in both cyber insurance and tech E&O (errors and omissions). Prior to this role, he spent 12 years with Zurich North America, gaining extensive experience as a Cyber and Professional Liability Underwriting Manager. Before his insurance career, he practiced law.