The New York Stock Exchange network crash — a false sense of (cyber) security?
Most people were relieved when investigators determined that the recent electronic disruptions at the New York Stock Exchange and United Airlines were caused by internal glitches and not by hackers. The NYSE system crash, caused by a faulty software upgrade, and the United Airlines outage, caused by a faulty router, received great attention as pictures of (and tweets by) idle traders and travelers appeared seemingly everywhere.
Because they involved computers and networks, these outages were discussed by the media with the vocabulary normally used to describe “cyber” events. That’s not surprising, given the initial fear that the NYSE crash in particular was caused by hacking.
Many of the early articles about the coincident events expressed relief that the outages were not caused by cyber attacks, tempered by concern that our dependence on technology makes us vulnerable to potentially serious interruptions in our lives. Amid the cascading reports of cybersecurity breaches caused by criminal attacks — perhaps most notably the theft of more than 21 million records from the federal Office of Personnel Management— these outages seemed almost benign. Minimal as these outages were, they were not cost-free. The affected organizations incurred substantial forensic and IT costs in determining the cause of the outages, and in fixing the problems.
For those with a role in the insurance process — buyers, sellers, advisors and others — these events highlight both the evolution and continuing uncertainties of coverage in cyber-tinged areas. For example, how many insurance buyers would know if they have coverage, and under what policy, for (1) claims by their customers, or (2) their own business income losses and extra expenses, for outages caused by their own software or electrical glitches?
By contrast, where physical damage is involved, most insurance buyers would know with minimal effort if their losses were covered by insurance — and by which insurance. If, for example, a company suffers substantial business interruption and extra expense because of a fire on its premises, its risk managers would know about the extent of its insurance coverage. They would also know about the extent of coverage if a fire had damaged one of the company’s critical suppliers and prevented the company from carrying on its business. There may or may not be coverage, but such “contingent business interruption” coverage is a discrete and familiar item in property insurance.
In cyber-related insurance, however, coverage is changing so quickly, and the types of adverse events so manifold, that it is very difficult for insurance buyers to be confident about the extent of their coverage — and of the policy that would provide it. Consider the following scenarios: how many insurance buyers would know if they have coverage — and under which policy?
- You have a breach of privacy or network security
- You have a system outage caused by a software update or patch, and you lose income as a result
- You have a system outage caused by a software update or patch, and your customer claims it is damaged as a result
- You have a system outage that’s part of a larger outage, such as a power outage
- You suspect, on your own, that you have suffered a breach of privacy or network security and engage forensic specialists to investigate
- Your business is interrupted by physical damage caused or initiated by the hack of a connected device
- Your customer notifies you that it has been damaged because it cannot get access to your network
- Your supplier has a network security or privacy breach
- Your supplier has a system outage caused by a software update or patch
- Your supplier has a system outage that’s part of a larger outage, such as a power outage
- Your supplier’s business is interrupted by physical damage caused or initiated by the hack of a connected device
The relatively benign outages at the NYSE and United Airlines thus provide insurance buyers with a relatively benign opportunity to think about their actual and desired scope of insurance coverage for cyber-related events — and to consult with their insurance, legal, cybersecurity and other advisors to reduce their exposure to the many and deep losses that can result from technology’s combination of ubiquity and fragility.
About the Author
John Doernberg is a Vice President at WGA and the firm’s Cyber Practice Leader. He works with inside and outside counsel as a Claims Advocate for WGA clients on policy negotiation and the handling and settlement of claims. He also a resource on privacy, information security and risk management issues. Prior to becoming an insurance broker in 1995, he practiced corporate law in New York and Boston for 12 years.