Y'all remember the now-infamous CrowdStrike outage a couple of weeks ago.

[RockmartDawg]

This article talks about the impact it has had on Delta Airlines, and that it is still having.

Would there not be some liability with CrowdStrike, or Microsoft... somebody... where all of these massive financial losses can be recouped? Or, is Delta not insured against something like this?

My thoughts are that Delta won't have to incur this financial loss... at least not fully... surely? They're talking about losses of as much as $500 million! They are a customer to Microsoft. I presume they are a customer to CrowdStrike, or maybe Microsoft is a customer to CrowdStrike (??). I know that in this world of IT there are Service Level Agreements (SLAs). If they aren't met, then there are penalties that have to be paid. Surely there is something in place whereby companies who were so dramatically impacted can/will be compensated?

[GriffWoody]

My guess is both are insured against business interruptions. If not, DAL has a great case against CS.

[E.CobbDawg]

Delta hired Boies Schiller Flexner, David Boies firm, to sue Microsoft and CrowdStrike…that’s pretty heavyweight. Prolly because Boies sued Microsoft for antitrust stuff in the past.

[dncdawg]

At the losses they are claiming, the reality is that if they do have insurance that covers this, then it is likely sublimited or excluded for events caused by a key service provider, or the policy limit itself is much lower than the impact they are estimating.

For Delta, they most certainly have cyber insurance, but they probably have a sizable retention, and the limit is probably $100M or less. That line of coverage has gotten cheaper in the last couple of years, but it is still really expensive.

[Concourse E]

I'm sure Crowdstrike is insured for this, but their limits are going to pale in comparison the costs. They probably have $20-25 million in coverage limit for E & O. I'm sure Delta has business interruption coverage as well, but most huge companies like Delta are going to self insure most of that risk - there just isn't that much capacity in the industry to cover $500 million losses by individual customers.

[JC-DAWG83]

I don't know a whole lot about cyber coverage, this dog is too old to learn all the things an agent needs to know to work in that market.  My thoughts on cyber insurance have always been that it is pretty much impossible to have enough coverage for a business of any size with a large number of customers.  I remember a while back when Home Depot had their system hacked and customer credit card data stolen.  VISA and MC claimed $30M in damages owed to them due to the cost of reissuing the credit cards that were affected.  That amount was on top of the direct loss Home Depot suffered.

This seems like a gray area as far as Delta's insurance responding.  There was no cyber attack or hacking event or denial of service type occurrence.  This was a third party/vendor failure to provide service and the failure to provide service wasn't caused by any sort of cyber attack or similar issue.  This was simply a product failure and the liability seems to all fall on Crowdstrike who probably doesn't have enough coverage to cover all the losses called by its product's failure by all of the businesses impacted.

[dncdawg]

I don't know a whole lot about cyber coverage, this dog is too old to learn all the things an agent needs to know to work in that market.  My thoughts on cyber insurance have always been that it is pretty much impossible to have enough coverage for a business of any size with a large number of customers.  I remember a while back when Home Depot had their system hacked and customer credit card data stolen.  VISA and MC claimed $30M in damages owed to them due to the cost of reissuing the credit cards that were affected.  That amount was on top of the direct loss Home Depot suffered.

This seems like a gray area as far as Delta's insurance responding.  There was no cyber attack or hacking event or denial of service type occurrence.  This was a third party/vendor failure to provide service and the failure to provide service wasn't caused by any sort of cyber attack or similar issue.  This was simply a product failure and the liability seems to all fall on Crowdstrike who probably doesn't have enough coverage to cover all the losses called by its product's failure by all of the businesses impacted.
[/quote]

You're exactly right.  As you know, there has to be a defined cause of loss, and I don't think an intern/recent hire hitting a button and pushing an update is likely to be covered by Delta's policy.  It more likely has to go to CrowdStrike's professional liability, but there's no way they had $500 million in coverage.  As expensive as the cyber is, the professional is probably 5 times worse, from a premium standpoint, so they probably only have $10-20 million max.  That's about to evaporate in defense costs.

[JC-DAWG83]

I don't know a whole lot about cyber coverage, this dog is too old to learn all the things an agent needs to know to work in that market.  My thoughts on cyber insurance have always been that it is pretty much impossible to have enough coverage for a business of any size with a large number of customers.  I remember a while back when Home Depot had their system hacked and customer credit card data stolen.  VISA and MC claimed $30M in damages owed to them due to the cost of reissuing the credit cards that were affected.  That amount was on top of the direct loss Home Depot suffered.

This seems like a gray area as far as Delta's insurance responding.  There was no cyber attack or hacking event or denial of service type occurrence.  This was a third party/vendor failure to provide service and the failure to provide service wasn't caused by any sort of cyber attack or similar issue.  This was simply a product failure and the liability seems to all fall on Crowdstrike who probably doesn't have enough coverage to cover all the losses called by its product's failure by all of the businesses impacted.
[/quote]

You're exactly right.  As you know, there has to be a defined cause of loss, and I don't think an intern/recent hire hitting a button and pushing an update is likely to be covered by Delta's policy.  It more likely has to go to CrowdStrike's professional liability, but there's no way they had $500 million in coverage.  As expensive as the cyber is, the professional is probably 5 times worse, from a premium standpoint, so they probably only have $10-20 million max.  That's about to evaporate in defense costs.
[/quote]

If Crowdstrike has $20M in coverage I'm thinking the carrier writes a check to Delta and whoever else gets in line and walks away.  I don't see them bothering with a legal battle they know they are going to lose.  It really doesn't matter who at Delta installed the update.  Delta was operating on the assumption that the update they were sent by Crowdstrike was ready to be installed and safe to install.  If Delta buys a new jet engine from GE and installs it in a plane and the engine fails and the plane crashes, it isn't Delta's mechanics fault.

Crowdstrike showed $3.7B cash on hand as of April.  That number is probably about to go down some.  Delta showed $4.2B cash on hand as of June 30 so it isn't like Delta is going to have to shut down or have layoffs due to the loss.

[RockmartDawg]

What is extra-interesting about this entire thing is that we're discussing Delta, who is said to already be facing some $500 million in losses from the incident. Delta is literally a drop in the bucket as to the overall impact of what occurred. The Social Security offices were closed. There were banks in South Africa who could not dispense cash at ATMs to customers, and probably could not/would not honor debit transactions at checkout points. There is no telling just how enormous was the impact of that one little bitty software update. I'm sure there had to be trillions of dollars (plural), globally, that were impacted, lost, etc.

[dncdawg]

I don't know a whole lot about cyber coverage, this dog is too old to learn all the things an agent needs to know to work in that market.  My thoughts on cyber insurance have always been that it is pretty much impossible to have enough coverage for a business of any size with a large number of customers.  I remember a while back when Home Depot had their system hacked and customer credit card data stolen.  VISA and MC claimed $30M in damages owed to them due to the cost of reissuing the credit cards that were affected.  That amount was on top of the direct loss Home Depot suffered.

This seems like a gray area as far as Delta's insurance responding.  There was no cyber attack or hacking event or denial of service type occurrence.  This was a third party/vendor failure to provide service and the failure to provide service wasn't caused by any sort of cyber attack or similar issue.  This was simply a product failure and the liability seems to all fall on Crowdstrike who probably doesn't have enough coverage to cover all the losses called by its product's failure by all of the businesses impacted.
[/quote]

You're exactly right.  As you know, there has to be a defined cause of loss, and I don't think an intern/recent hire hitting a button and pushing an update is likely to be covered by Delta's policy.  It more likely has to go to CrowdStrike's professional liability, but there's no way they had $500 million in coverage.  As expensive as the cyber is, the professional is probably 5 times worse, from a premium standpoint, so they probably only have $10-20 million max.  That's about to evaporate in defense costs.
[/quote]

If Crowdstrike has $20M in coverage I'm thinking the carrier writes a check to Delta and whoever else gets in line and walks away.  I don't see them bothering with a legal battle they know they are going to lose.  It really doesn't matter who at Delta installed the update.  Delta was operating on the assumption that the update they were sent by Crowdstrike was ready to be installed and safe to install.  If Delta buys a new jet engine from GE and installs it in a plane and the engine fails and the plane crashes, it isn't Delta's mechanics fault.

Crowdstrike showed $3.7B cash on hand as of April.  That number is probably about to go down some.  Delta showed $4.2B cash on hand as of June 30 so it isn't like Delta is going to have to shut down or have layoffs due to the loss.
[/quote]

I bet the insurer wishes it was that easy.  They're not going to write Delta a check without a release, and Delta's not going to sign a release if it releases Crowstrike too.  They're probably in for it whether they like it or not.  I think this could easily bankrupt Crowdstrike.

[ugafan49]

the only losers were the customers......