Last Friday began with the crash of millions of Windows computers used by companies across the globe, including organizations in critical infrastructure sectors such as hospitals, banks, airlines, and government agencies. Although the cause was identified and the faulty change withdrawn within hours, cascading effects continued throughout the day and into the weekend, demonstrating both the breadth of the impact and the scale of the resulting business interruption losses. The outage is expected to trigger more stringent cybersecurity regulations, changes in cybersecurity governance, and adjustments to cyber insurance policies.
Importance of Cybersecurity Governance
Business interruptions like last week's draw immediate attention from the C-suite and the board. Many companies will want to reevaluate their cybersecurity governance and use this incident to hone their response to future ones, particularly because the next widespread outage may be caused by a malicious actor rather than a vendor error. Effective cyber governance requires board and senior executive involvement in cyber risk management; systems that are resilient and can be restored quickly; and incident response plans that include every critical vendor and are tested thoroughly rather than merely written. Companies looking to protect themselves against the next global meltdown should focus on three areas that have often received less attention: evaluating vendor risk, reviewing contracts, and securing adequate cyber insurance coverage.
Evaluating Vendor Risk
A critical component of cyber governance is evaluating the risk posed by key vendors. Companies should assess their vendors' cybersecurity practices to confirm adherence to industry standards and regulatory requirements, and, given that last week's outage originated in a vendor's own change to software running on customer systems, that assessment should extend to how a vendor tests and rolls out updates to its deployed products. Regular audits, continuous monitoring, and transparent incident response protocols from vendors are crucial. Establishing clear communication channels and contingency plans with vendors in advance reduces the damage when a vendor fails, and these evaluations should be integrated into the overall cybersecurity strategy rather than handled as a one-time procurement exercise.
Terms and Conditions & Cyber Insurance
This is not the first time a third party has caused widespread business interruption, and it is unlikely to be the last. Companies need to review their contracts with IT and cybersecurity vendors to ensure proper cybersecurity diligence on the front end and adequate liability protection on the back end.
Companies affected by business interruptions are unlikely to recover meaningful damages from software firms. The terms and conditions of these firms routinely cap damages at the fees paid. Large companies with leverage can sometimes negotiate different terms with key IT and cybersecurity vendors, but the result is usually a cap of only two or three times the fees paid, still with no recovery of consequential or special damages.
In most cases, then, companies must rely on cyber insurance to cover the costs of an outage, including IT remediation, lost productivity, and legal expenses. Many cyber insurance policies cover interruptions caused by third parties, but whether an outage caused by a vendor's non-malicious software failure, rather than by an attack, is a covered event depends on the policy wording, and disputes over that question may lead to significant litigation. For future policies, companies should confirm that their cyber insurance includes contingent (dependent) business interruption coverage, so that losses caused by a third-party service failure are recoverable from the insurer. That demand may in turn prompt carriers to review and tighten their policies to manage their exposure to third-party failure claims, so companies should monitor policy wording carefully at each renewal to ensure coverage for third-party failures remains adequate.
Comprehensive cybersecurity governance is critical. As companies reassess their strategies, evaluating vendor risk, reviewing contracts, and securing robust cyber insurance coverage will be essential. These steps not only mitigate risk but also support business continuity in the face of future disruptions. Adapting to the evolving cybersecurity landscape is vital for protecting assets and maintaining operational integrity.