Despite expecting the July 19 global IT outage to cause widespread disruption across a variety of corporate and financial sectors, including an influx of cyber business interruption claims, Morningstar DBRS does not anticipate a lasting impact on its rated universe.
In a recent report, the firm’s analysts noted that the outage would lead to increased costs in many businesses. However, from a credit perspective, it anticipates the disruption to have a “limited impact” across its rated universe.
“We expect the incident to raise regulatory questions about the oligopolistic nature of critical IT infrastructure globally,” Morningstar DBRS added.
It is now well known that the outage was caused by a security update from CrowdStrike, a provider of security technology, which led to extensive issues with Microsoft’s Windows.
According to Morningstar DBRS, many airlines had to cancel flights outright or manage operations manually due to the outage. While the disruption is acute, Morningstar DBRS’ report noted that it is not expected to be a prolonged issue.
The firm’s report continued, “We expect the impact on the global airline industry to be manageable and not have a material impact on the credit profile of impacted airlines.
“Considering that a patch has been developed and is expected to be rolled out quickly, the duration of this event is likely to be short. Hence, we expect there will not be any impact on the credit profiles of the airports.”
Commenting on the potential business interruption (BI) claims, Morningstar DBRS observed that typical BI endorsements under a commercial property insurance policy exclude losses resulting from a cyber event, such as this global IT outage.
“Claims caused by the inability to operate certain IT systems would typically be covered under the business interruption endorsement of a cyber insurance policy, which is a more reduced subset of BI policies available in the market,” the report explained.
It went on, “Additionally, cyber BI policies usually include a deductible or waiting period of 24 to 48 hours. Depending on the duration of the ongoing global IT outage, this event could be covered or not under a cyber insurance policy. We expect that some airlines and financial institutions will be able to claim under their existing cyber insurance policies if this event extends over the next few days.”
Morningstar DBRS concluded, “This event illustrates once again that cyber risk has the potential to generate a chain of highly correlated losses because of the increasing connectivity of global communications and the widespread use of specific IT systems.
“Providers’ liability insurance policies can also be triggered in this case as their clients try to recoup part of the costs caused by system interruptions. We also anticipate a heightened volume of litigation in the coming months due to this event.
“Although there are no signs that the global IT outage had a malicious origin, a confirmed cyber attack would be treated very differently under existing cyber insurance policies, particularly if it can be attributed to state-sponsored agents. In that case, coverage would be severely reduced.”
