The global tech outage highlights vulnerabilities in business continuity planning, cyber liability insurance and technology partners.
Last week, a global tech outage triggered by a software update from cybersecurity firm CrowdStrike disrupted organizations using Microsoft Windows across the world.
“We currently estimate that CrowdStrike's update affected 8.5 million Windows devices, or less than one percent of all Windows machines,” Microsoft said on Saturday. While personal devices were unaffected by the outage, businesses around the world were unable to access their systems.
CrowdStrike, a global cybersecurity firm, has since developed a fix for the issue but the impact of the outage delayed thousands of flights, interrupted hospital and banking systems, and disrupted routine and daily business transactions.
More than two-thirds of breaches globally involve a non-malicious human action, according to Verizon's “2024 Data Breach Investigations Report,” and the outage underscores that no organization is immune to cyber incidents, whether they are caused by a hacker or not.
As the affected businesses get back online, here are three takeaways for independent agents from the outage:
1) Business continuity planning extends to technology issues. With hurricane season in full swing, the business continuity conversation focuses on how to prepare and respond to a hurricane. However, as the CrowdStrike outage confirmed, even something as innocent as a software update has the potential to evolve into a full-fledged catastrophe.
Cyber incidents present an existential threat, which is why every business should develop and regularly update comprehensive disaster recovery and business continuity plans to ensure that they know how to maintain operations during various types of disruptions, including cyberattacks. Among other preparedness steps, businesses must implement reliable data backup systems and ensure that critical data can be quickly restored in case of an outage.
“This outage was a stark reminder that significant outages can happen at any time and without warning, even if you've done everything possible to mitigate the risk,” says Chris Cline, executive director of the Big “I” Agents Council for Technology. “While any disaster is horrible for all people and businesses involved, we must consider a massive technology or cyber incident with just as much focus as other natural disasters and risk.”
“This recent outage emphasizes the importance of an updated and well-socialized disaster plan that includes how your business will perform essential functions if completely unable to access client records, carrier systems, phones and any core operating system,” he said. “This incident also demonstrates that a company can be compliant, contractually aligned, train their staff and still be a victim of intentional or accidental technology-related incidents.”
2) Understanding cyber liability insurance is a necessity. Financial losses for Fortune 500 companies, excluding Microsoft, from the CrowdStrike outage are estimated at $5.4 billion, according to modeling and insurance services firm Parametrix. However, the outage is not expected to be a major loss event for the property & casualty insurance market. This presents an opportunity for agents to educate themselves and their clients about what is covered under a cyber liability policy, since policies can vary from carrier to carrier and may treat non-malicious actions differently.
Policy provisions that may respond to CrowdStrike-related claims include coverage for business interruption losses, system failure losses and contingent system failure losses. While some policyholders may have fairly comprehensive coverage, “others may have more restrictive policy wordings,” explains Carla McGee, assistant vice president of Big “I” Alliance Blue. “The wording for business income and extra expense coverage is significant. Some policies provide coverage for both systems failure and security failure while some policies may only provide coverage for security failure.”
Further, most policies also have a deductible, and waiting periods could be another issue. A waiting period is the time a business is offline before it can submit a claim. Waiting periods vary by policy, from 1 to 24 hours, which could affect the claim.
In any event such as this, “businesses that suffer an outage should determine when they were affected by the outage, document their losses, tabulate normal income versus what was recorded during the outage, determine which of their vendors were affected, and notify their insurer,” McGee says. “Some policies also cover the cost to hire a forensic firm to document the lost income and additional expenses incurred due to the disruption. This coverage is typically applied via endorsement and can be called Proof of Loss Preparation Expenses.”
“Some cyber policies provide pre-claims assistance for policyholders to seek guidance without fear of triggering a claim. This is valuable to policyholders as time is of the essence,” she adds. “Carriers who can quickly respond to an incident can work to mitigate the incident, resulting in policyholders experiencing less frequent and severe claims.”
3) Vet your technology partners and review agreements. A well-regarded technology partner with a solid reputation is often more reliable. However, CrowdStrike's outage shows that even established firms can face issues, making it vital to vet partners thoroughly.
The outage illustrates the need for technology partners who can provide reliable and resilient services. Agents should prioritize partners with a strong track record of minimal downtime and robust disaster recovery plans. Also, the ability of a technology partner to communicate clearly and promptly during an outage is critical. The CrowdStrike incident underscores the importance of transparency in how issues are managed and resolved.
A service provider's obligations to the user are usually laid out in writing in the service level agreement (SLA). Agents should review SLAs to understand the expectations and obligations regarding uptime, support response times, and communication during incidents.
“It's important to review all the terms and conditions of a technology vendor agreement, including the service levels the vendor commits to provide,” says Eric Lipton, Big “I” senior counsel. “The SLA should clearly define minimum standards of service and quality assurances, including specific response and incident resolution metrics.”
“The SLA will also ideally include 'teeth,' which provide for predetermined service level credits should the vendor fail to satisfy its representations,” he adds. “Users can also request language that requires the vendor to maintain a business continuity plan in connection with data security requirements.”
Will Jones is IA editor-in-chief.