CLIENT ALERT: Microsoft Outage Highlights the Need for Robust Review of Cyber BI and CBI Insurance Coverage

On Friday, July 19, 2024, a “cyber outage” to systems relying on Microsoft Windows systems reportedly caused by a faulty software update resulted in massive disruptions to businesses across the world. Experts have asserted that this event was the “largest IT outage in history.” The enormous disruption to emergency services and airlines has been well reported: 911 emergency services across the country were down and thousands of flights had been cancelled. But these issues are just the beginning, and the ripple effect this outage has had and will continue to have across a multitude of businesses likely will not be known or quantifiable for weeks, if not months. It remains unclear how supply and distribution chains have been affected by this situation and how long it will take systems to normalize.

Just last month, Olshan provided commentary to Law360 in an article discussing the impact and insurance implications from a cyberattack on a software vendor that caused widespread disruption to automobile dealerships around the country. The July 19 Microsoft outage has a much broader impact, but many of the insurance issues remain the same. Companies need to assess their cyber liability insurance policies and focus on business interruption (or “BI”) and contingent business interruption (or “CBI”) coverage opportunities to minimize their losses through insurance recovery.

Ordinary BI coverage applies when a company’s own computer systems are attacked or are rendered inoperable, resulting in an interruption of the company’s business and loss of revenue. This type of coverage is important, and any company suffering a direct interruption to its own IT infrastructure should be reviewing the scope of its BI coverage. Such coverage can include payment for both the lost income caused by an interruption and the extra expenses incurred in responding to the interruption and getting the business up and running normally.

CBI differs from ordinary BI coverage because CBI coverage is triggered by the failure of computer systems not owned by the company. Policy terms can vary, but often this coverage extends to vendors providing outsourced IT services and logistical support. Policyholders should be careful to check the full scope of potential vendors to which the CBI coverage may apply, including reviewing potential coverage available under traditional property policies. For example, one important question may be the extent of available coverage for the disruption to the policyholder’s logistics networks caused by a cyber outage impacting a traditional distributor of the policyholder’s products. Even though the distributor is not providing IT-related services to the policyholder, the cyber event affecting the distributor is still potentially causing substantial interruption losses. The only way to determine whether available coverage is broad enough to cover this risk is thorough review of potentially applicable policy language.

Careful policy review is also important because CBI coverage is not universally contained in all cyber insurance policies. Even when it is included, the coverage may not be clearly identified as “contingent” business interruption coverage. Further, types of events that trigger the insurance coverage should also be carefully examined. While most cyber insurance policies provide coverage for malicious attacks on computer systems, not all contain language that extends coverage to situations when either the modification of software or the access to computer systems is authorized, even if that authorized access results in an interruption because of erroneous or negligently performed work. Careful review of policy language is critical to ensuring that all possible avenues of loss recovery have been explored.

Please contact the Olshan attorney with whom you regularly work or the attorney below if you would like to discuss further or have any questions regarding your business’ interruption losses and the availability of insurance coverage.

This publication is issued by Olshan Frome Wolosky LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising.
Copyright © 2024 Olshan Frome Wolosky LLP. All Rights Reserved.