CrowdStrike outage a ‘stark reminder’ of cyber threat
“This was not a cyberattack,” US cybersecurity firm CrowdStrike said on Friday, as it apologised for an outage that sparked global chaos.
But in many ways it felt like one – and there’s a certain irony that a cybersecurity vendor’s apparently flawed update led to the kind of disruption that it seeks to prevent.
As Moody’s RMS reports, while the event was not malicious, its impact mimicked a supply chain attack, as airlines, hospitals, banks and thousands of businesses were affected.
The automatic update is understood to have caused an issue through its interaction with Microsoft Windows, causing cascading and widespread disruption.
Some 8.5 million Windows devices were affected. About 3000 flights were cancelled, and another 24,000 delayed.
“The quickly deployed security patch dramatically spread among interconnected systems, businesses, and so on – more typical of a cyber event, where a nefarious threat actor deploys a malicious patch,” Damini Mago, associate director of product management, cyber at Moody’s RMS, said.
“Unlike a malicious attack, due to the vendor’s trusted position within the networks of affected enterprises, this update event could skip the initial access hurdle and many other kill chain steps, and avoid protective, defensive measures designed to thwart threat actors.
“The operational disruptions caused by this incident are not just technical-related, but have real-world consequences, from reported flight delays to postponed medical procedures.”
The implications for the insurance industry are not yet clear. While travel insurers expect claims, and there may be liability issues to unravel, most commentators don’t expect significant business interruption claims to result.
“Insurance claims generally require damage to property,” Berrill and Watson Lawyers principal John Berrill said.
“It’s got to be damage to your equipment or your supplier’s equipment. In some BI policies there is a claim if there is damage caused to utilities, but they have got to be public utilities, and this is not.
“So I don’t think there is a BI claim and I don’t think there is a property damage claim under business policies. Whether there is a class action in all this, that’s a different ball game.”
A note from Aon says analysis of cyber policies reveals a range of approaches to “system failure” or “non-malicious” events, and time deductibles of varying lengths are typically applied.
Aon says the incident is likely to be the most important cyber accumulation loss event since NotPetya in 2017, but adds the “overall loss quantum is currently uncertain”.
Mark Darwin, senior adviser at Herbert Smith Freehills, says even if cover is triggered then the time limits may scupper any potential claim.
“A lot of small businesses wouldn’t be likely to have the right cover, and if they do I’d have thought the time deductible would stop them from making a claim.”
The Insurance Council of Australia says it is too early to comment on likely claims outcomes with any certainty.
“Insurers will need to properly understand the cause of the outage, how it relates to each customer, and the cover selected under the policy – noting that in most cases business interruption has to be opted into by the customer or broker,” a spokesperson said.
“As all insurance policies are different, particularly those that cover commercial operations, it’s important that customers contact their broker or insurer to discuss this issue if they believe they have a loss.”
Whatever the outcome on coverage, Moody’s RMS says there are key lessons to be learnt around testing and validation, rollback mechanisms, communication and support, and insurance policy clarity.
“This incident acts as a wake-up call and highlights several key lessons for enterprises, the cybersecurity and cyber insurance industry at large.
“[It] is a stark reminder of the delicate balance between maintaining security and stability in the cybersecurity realm within our increasingly interconnected and complex digital landscape.”