Your company may be sufficiently insured if your business is interrupted due to data breaches or hacking incidents. But does it also cover losses due to software updates, especially in a world of interconnected devices, where a buggy software update on a central server could impact multiple devices like computers, smartphones, smart kiosks, ATMs, smart TVs, etc., and hence impact many business channels, simultaneously?
Under normal circumstances, such a question would sound odd since one would assume that most companies would have insured themselves against data breaches, ransomware attacks, cyberattacks and other such business interruptions or even power outages.
But Friday, 19 July, was not a normal day. An apparently simple and routine “sensor configuration update” by a CrowdStrike product paralyzed millions of Windows-run computers, servers and other such endpoints, globally. The glitch triggered the dreaded Blue Screen of Death (BSoD), crippling the services of airlines, brokerages, financial institutions and even media houses worldwide.
To recapitulate, CrowdStrike routinely provides sensor configuration updates to the “Channel Files” of its clients as part of the protection mechanisms of its Falcon platform. On Windows systems, the Channel Files reside in the directory C:\Windows\System32\drivers\CrowdStrike\ and have names that start with “C-” followed by a unique number that identifies each file.
In this case, the impacted Channel File ‘291’ is named “C-00000291-” and ends with a .sys extension, which indicates that these are system files consisting of drivers and settings for hardware devices. They are critical for ensuring that hardware components function correctly and that the operating system (OS) runs smoothly, which explains why the error triggered a failure or BSoD.
CrowdStrike insists that the issue, which “is not the result of, or related to, a cyberattack”, has since been corrected “by updating the content in Channel File 291 (which systems running Linux or macOS do not use)”. But not all agree that the issue has been fully resolved.
Patchwork or complete job?
For one, this product was perceived to be the gold standard in its segment and is being used across endpoints and servers by some of the world’s top brands. Hence, any breach of this nature has an immediate business impact and opens up the likelihood of potential cybersecurity threats until fully addressed. Further, because this product operates across multiple cloud environments, its impact is more significant than a typical outage at a single cloud service provider.
Due to the extensive work required to secure millions of endpoints and servers for the largest organizations globally, it may take months before end-user organizations can consider their environments fully secure, argues Sanchit Vir Gogia, chief analyst, founder and CEO of tech consultancy firm Greyhound Research. The company’s immediate workaround, too, is to boot machines and operate them in the ‘safe’ mode. “But lest we forget, it’s only a workaround and not a permanent solution, and it has opened up corporate networks of some of the world’s largest organisations to hackers and other players with malicious intent,” he cautions.
“The onus of this incident also lies with Microsoft, which needs to do a much better job ensuring any new software patches and major updates have a far more rigorous process of approvals,” Gogia opines. He reasons that in a world full of microservices and application programming interfaces (APIs), the fault lines are thin, and even a minor error in code can virtually halt critical systems, as it happened on 19 July.
“If outages and serious issues like this continue, large clients with critical apps would have little choice but to repatriate from cloud services and manage their environment. While the suggestion may seem outrageous given the deep impact on business, potential lawsuits and other potential cybersecurity threats that arise from incidents of this nature, this choice will be aggravated by the strong data privacy laws that are being introduced across key countries,” he adds.
Why do companies need a comprehensive cybersecurity policy?
Outages can prove very expensive. According to the ‘Annual outage analysis 2024’, released by Uptime Institute in March, “more than half (54%) of the respondents to the 2023 Uptime Institute data centre survey say their most recent significant, serious or severe outage cost more than $100,000, with 16% saying that their most recent outage cost more than $1 million”.
Hence, other than the possibility of any lawsuits arising from this incident and other penalties that CrowdStrike may have to face, the fact is that companies must build in redundancies and disaster recovery plans. They can do so by adopting a multi-cloud strategy that distributes workloads across multiple providers, to reduce reliance on one provider and ensure uninterrupted service during outages, especially in a world of interconnected devices, known as the internet-of-things (IoT) world. But companies must also consider a comprehensive cybersecurity cover as opposed to “half baked, incomplete, and skeletal policies for a technology environment that is becoming complex as they transition more to the cloud”, according to Gogia.
The reason is that cyber insurance policies typically cover a wide range of incidents, including data breaches, ransomware attacks, and business interruption due to cyber incidents. However, coverage for issues related to software updates, such as failures or vulnerabilities introduced during updates like the CrowdStrike one, would depend on the terms and conditions of the specific cyber insurance policy. Some policies may include coverage for losses resulting from software failures, while others may exclude such incidents.
Ironically, CrowdStrike itself has tied up with insurance companies. “…CrowdStrike understands the nuances of cyber insurance, and we have a team dedicated to working with the cyber insurance community. Our AI-native cybersecurity platform is increasingly important not only to the organisation’s security, but also its insurability,” said Daniel Bernard, chief business officer at CrowdStrike, when introducing the company’s ‘Falcon for Insurability’ product in June this year. Other than the fact that CrowdStrike products are supposed to protect its clients, it’s also not clear if this insurance product covers software update bugs too.
The Indian cyber insurance market was valued at $50–60 million in 2023, and is forecast to grow by 27–30% in the next 3–5 years, driven by an increased awareness of the need for cyber insurance, according to an October 2023 survey of chief information security officers (CISOs) by Deloitte titled, “Cyber Insurance in India”.
However, the survey also pointed out that three-fourths of respondents possessed cyber insurance coverage of Rs.100 crore or less, with over 50% having less than Rs.10 crore of coverage. Finance and banking along with IT firms emerged as major investors, while consumer firms exhibited lower spending. However, the survey said no respondents expressed a desire to discontinue their existing policies. Further, while 30% of respondents believed purchasing cyber insurance provides value for money, 15% considered it costly. And about 45% of respondents noted “a substantial mismatch between the premium paid and the insurance coverage received. Most of these firms belonged to the consumer sector”.
According to the Munich Re Cyber Risk and Insurance Survey 2024, too, 87% of global decision makers say their company is currently not adequately protected against cyber-attacks, let alone buggy software updates as seen on Friday. The survey points out that cyber risks continue to increase, driven by rapid technological advances such as generative artificial intelligence (GenAI), or cloud technology.
“Global industries are increasingly dependent on IT, IoT (Internet of Things), OT (Operational Technology) and digital services, such as cloud computing, each of which represent a critical part of the supply chain for many risk owners. Furthermore, the advancing sophistication of cyber criminals and the tense geopolitical situation shape the cyber threat landscape and pose a threat to global societies and democracies,” the survey notes. Clearly, companies have their work cut out when it comes to protecting their business.