by Jerry Gupta, Head of Insurance, Armilla AI
July 19th is a wake-up call for the insurance industry and for businesses in general. A regular software update from CrowdStrike resulted in widespread outages in Microsoft systems causing computers to display the blue screen of death.
While the exact economic losses from this incident are yet to be determined, they are likely to run to billions of dollars. From airline passengers to patients in hospitals to Government agencies and businesses, all have been impacted by this incident. As the losses are being assessed, it is important for those of us in the insurance industry to recognize the fact that the ‘business as usual’ approach to insuring digital risks cannot work anymore. This event will inevitably result in a large number of claims and some carriers will have their worst nightmare about accumulation risk become a reality. These lessons will be hard, but if the insurance industry chooses to learn from the ongoing ramifications of the Microsoft-CrowdStrike outage it may yet pay dividends for its approach to insuring other digital risks, such as AI.
Cyber insurance is unlikely to respond to this event, as it was not a malicious attack. However, those insurers who have not explicitly stated that their policies apply only to attacks remain fairly exposed, as they will be at the receiving end of claims related litigation. The stock price hit that Beazley and Hiscox took on Friday indicates that the market believes this as well.
Errors and Omissions insurance (E&O) is the most likely coverage to respond, but most enterprises do not carry E&O insurance. It is typically vendors like CrowdStrike who carry this coverage, but in this instance, CrowdStrike will breach its limits very quickly. Moreover, CrowdStrike’s terms and conditions limit indemnity and exclude consequential losses, leaving impacted companies with very little recourse except to look to the courts, where net relief may be minimal. Ultimately, the events should trigger greater scrutiny of the indemnities, representations and warranties provided by tech vendors. Public statements and claims made by vendors in marketing collateral imply a degree of assurance about their warranties, but often they are not often reflected in the actual contractual terms and conditions.
After CrowdStrike, Microsoft is likely to be the next target for claims. Microsoft, however, is mostly self-insured and does not have the claims management capacity of large insurance companies making it unclear what level of relief customers might receive. At any rate, typical indemnities provided by technology companies are minimal and rife with clauses designed to limit liability.
Further complexity arises if AI played a significant role in this incident. Was the system update released by CrowdStrike tested or approved by an AI system? What was the level of human decision-making in the process? Were there known defects in the testing process or update before it was released? Was the mistake made by a human or AI? These are all questions that the E&O insurer will ask.
The contribution of AI to this incident is an important question to ask. E&O policies are geared to cover the “failure of [a] technology product or service to perform as intended.” Let’s assume an AI-based testing and deployment tool was used that has a 95% accuracy rate, meaning it performs as intended 95% of the time. This implies that a 5% failure rate is expected and is considered a normal function of the product. In this case, how would an insurer respond if the system has been performing as intended 95% of the time, and this incident was part of the expected 5% defect? This raises crucial questions about the applicability of the E&O insurance market to AI-driven tools. Given the presence of AI silent cover in this coverage, are the insurers who underwrite this prepared for an AI contagion?
The CrowdStrike incident - and the serious complications arising from AI’s potential involvement - highlight the insurance industry’s lack of preparedness in handling digital risks. Product philosophy remains based on a 700-year-old maritime policy, and the industry is not equipped to handle the pervasive and persistent nature of digital risks.
Not unlike natural catastrophe (NatCat) events, Friday’s DigiCat event will have seismic impacts on insurance. We will witness claims filed under policies that were not designed to respond to these kinds of events, leaving many insurers exposed because of unclear wording or and inadequate pricing. Because CrowdStrike’s limits will be exhausted long before customers have been made whole, we can expect impacted businesses to file claims on their own policies, be they Cyber, Directors and officers (D&O), E&O or Commercial general liability (CGL). Since there is enough ambiguity in many of these policies, this will result in litigation. Whether insurers pay out or not, it is certain that they are in for lengthy litigation on this.
Digital incidents typically occur in an instant and can have impacts at a global scale. As we assess the fitness for purpose of existing insurance policies with respect to other digital risks, such as AI, where the damages and liabilities flowing from inaccurate or biased algorithms accrue more silently, and incrementally until exposed by outside events, we should ask ourselves whether it is time for greater clarity on the questions the Microsoft-Crowstrike outage raises for AI. Were an “AI incident” of massive proportions uncovered today, how would you file a claim?
In conclusion, given the lack of good understanding of digital risks and poor wording in policies, we can anticipate a fairly turbulent period for insurers - and tech E&O policy holders. Our hope is that this will result in much-needed self-reflection amongst insurers which will compel them to start examining their policy wordings and make every effort to remove ambiguity. We have already seen Zurich Insurance explicitly exclude “system risk” from their EPLI policies, and we expect more to follow as insurers make every effort to carve out AI risks and other digital risks from their existing policies.
