Staying ahead of technology business interruptions | Lockton

The recent Microsoft 365 outage affecting Outlook and Teams users is another example of how software disruptions can impact business operations. As companies become more technology-dependent, they should look to better understand their IT exposures, implement processes and technical controls to mitigate that risk where possible, build insurance portfolios tuned to their unique risks, and advance their incident response capabilities to minimize downtime and allow for continuity of operations.

Outages becoming more commonplace

Initial reports of the Microsoft 365 outage began early morning Eastern Time on Monday, November 25. By midday, more than 5,000 users were reporting issues (opens a new window), according to Downdetector.

On social media, Microsoft cited a recent system change (opens a new window) as the cause of the outage. By Tuesday, November 26, Microsoft reported that issues with Outlook and Teams had been resolved (opens a new window).

This event, like past business interruptions, is not something businesses should expect to face daily. IT outages, however, are occurring more often and are expected to occur more frequently as businesses increasingly rely on technology to perform basic functions.

While some IT outages in 2024 have garnered significant attention, most business interruption events are smaller in size and scope. Many events go unreported by news media and are unnoticed by the masses. Even so, these smaller disruptions, however, can often lead to downtime and significant expenses.

Mitigating potential impacts

It is not possible to prevent all IT outages. You can, however, take steps to mitigate or reduce their impacts on your organization.

To prepare for outages, organizations must first understand — and, ideally, quantify — their unique cyber risks. Consider the technologies and external dependencies that your organization relies on to perform critical functions. Understand how interruptions could occur, what alternative or redundant capabilities are available, and, ultimately, how you would operate without these technologies and dependencies.

Your key vendors should be completing similar exercises. Have these vendors catalogued their own critical service providers? Are they ready for potential outages in their own technology supply chain? Consider including requirements for supply chain management, cybersecurity, and IT service levels in contracts with your key vendors.

Having an enterprise incident response program and plan is a must. At a minimum your plan should:

• Establish the process for identifying, analyzing, and responding to disruptive events.

• Be supported by executive leadership, adequate staff and resources, and knowledgeable employees.

• Be regularly maintained and disseminated to appropriate personnel, and tested at least annually.

Building effective insurance programs

A cyber insurance policy that includes coverage for business interruption and contingent business interruption may respond to an outage, although this depends on specific policy language and the facts surrounding an individual loss. It’s important for businesses to understand that coverage can vary, often significantly, by insurer. That’s why it’s vital to work with your insurance broker to review and optimize your policy language and program structure — including limits, exclusions, and sublimits — depending on the nature of your organization’s specific risks.

Insurers are growing concerned about systemic risks tied to cyberattacks and large-scale outages. In response to the rise in business interruption claims — insurers have tightened exclusions in policies and are requiring most buyers to catalog their cybersecurity controls before purchasing coverage.

Cyber insurance coverage nevertheless remains readily available and affordable for most buyers. So, work with your insurance broker to secure the coverage you need before you realize a significant and costly loss.

For more information, contact a member of Lockton’s Cyber & Technology Practice.