Crowdstrike: The aftermath for SaaS providers and their clients following the biggest cyber event in history
The recent CrowdStrike IT outage on 19 July 2024 affected 8.5 million Windows users globally, making it the biggest cyber event in history. The incident serves as a timely reminder that IT or Software as a Service (SaaS) providers must be prepared for the possibility that their services become nonfunctional and cause serious business interruption and potential financial losses to customers.
Although Microsoft confirmed the extent of the disruption to Windows devices caused by the CrowdStrike update, the outage, unlike a cyber security incident or malicious activity, was swiftly resolved. The reputational damage caused by the incident is not rectified as quickly: CrowdStrike’s shares have lost more than 30 per cent of their value since the incident occurred.
What caused the problem?
CrowdStrike, a U.S. based cybersecurity company, provides security software to businesses and organisations around the world. Its cloud-based ‘Falcon’ software, which sits atop Microsoft’s Windows operating system, provides a form of endpoint detection and protection from malware as well as incident response and other features. When CrowdStrike released a routine sensor configuration update for Windows systems, a ‘logic error’ arising from a coding oversight caused affected systems to crash for up to a few hours whilst CrowdStrike hurriedly worked on a fix. This caused major global disruptions in banking, airports, healthcare centers, television stations and the wider community. It has now been estimated that the crash caused over $5 billion in financial losses for Fortune 500 companies.
The Australian Cyber Security Centre’s website informs as follows:
CrowdStrike is actively working with customers impacted by the outage and has issued a statement on their blog. Affected customers should review and enact the remediation advice available on the CrowdStrike blog, which will be updated as the situation evolves.
What now for CrowdStrike?
It is expected that affected businesses (and their respective insurers) will seek to recover from CrowdStrike the financial losses suffered as a result of the incident. In determining liability, CrowdStrike’s terms and conditions will be scrutinised and tested.
To date, a securities class action has been formally filed in Texas against the company, the CEO and CFO on behalf of investors who purchased the company’s shares between November 29, 2023, and July 29, 2024. The claim alleges that during the period, CrowdStrike “repeatedly touted the efficacy of the Falcon platform while assuring investors that CrowdStrike’s technology was ‘validated, tested, and certified’” and that these statements were false and misleading.
Separately, Delta Air Lines has publicly threatened to seek compensation for financial losses suffered due to flight cancellations caused by the incident. CrowdStrike apologised for the incident but rejected the claim, alleging that Delta’s own decisions and operations hampered the restoration effort.
CrowdStrike’s standard terms and conditions (available on their website) indicate that it will provide its services in a professional manner consistent with generally accepted industry standards. CrowdStrike’s liability is limited, at its discretion, to using efforts to re-perform incorrect services or refund fees paid for incorrect services. Its terms also provide that it will not be liable for any lost profits, lost business opportunities, lost data and other similar losses, even where they are reasonably foreseeable.
It is to be expected that the effect of these terms will be tested during the various legal actions CrowdStrike is likely to face.
CrowdStrike’s professional indemnity policy is likely to be relied upon to cover legal costs and any damages associated with defending claims arising from the Falcon software update.
Insights for users and clients of SaaS and IT Providers
Cyber liability insurance policies are likely to be the most relevant insurance policy that may cover financial losses resulting from system failure or downtime.
Most cyber policies provide business interruption coverage for loss of profits arising from a cyber incident, which typically includes an outage or system failure caused by a third-party service provider.
If your systems were not directly affected by the outage, but those of your suppliers were, it is possible that business interruption cover extends to cover losses caused by events suffered by suppliers.
Cyber coverage will be contingent upon policy terms and conditions, and particularly the definition of key terms such as:
- ‘cyber incident’ or ‘cyber event’
- ‘system outage’ or ‘system failure’
- Whether the policy covers ‘business interruption’
- Whether the policy extends to cover business interruption losses caused by a third party network or service provider.
Some policies may not cover losses caused by a non-malicious or non-criminal cyber event, an incident caused by a third-party service provider, or defects or failures in third-party computer software.
A careful review of your cyber policy is required to determine whether, and how, it will respond.
There are reports that attackers are now exploiting the incident by posing as CrowdStrike personnel in fake emails and messages to deceive businesses into providing confidential information, which they can then use for ransom purposes or to make fraudulent monetary transfers.
We recommend promoting awareness of such scams within your organisation and observing cyber-aware protocols, such as authenticating suspicious communications before clicking on any links or opening any documents.
Key takeaways for SaaS and IT Providers
These developments serve as a reminder for SaaS and IT service providers to:
- Review their terms and conditions, terms of use and contractual obligations with clients and users.
- Assess the adequacy of insurance coverage to protect their business from third-party claims following a similar error or service failure.
- Review governance procedures and systems at board level to ensure compliance with statutory obligations, and to ensure that any impact on a critical user or service provider is managed and that response systems are robust.
For organisations that are subject to obligations under the Security of Critical Infrastructure Act (SOCI Act), this event should serve as a reminder to conduct a comprehensive assessment of compliance with those statutory obligations, noting the serious legal and financial consequences of non-compliance and the risk that cyber breaches pose to critical infrastructure.
Cyber insurers will be monitoring the outcomes of the multi-jurisdictional litigation likely to ensue, which may result in updates to cyber liability insurance policies.
For further information and advice regarding cyber security and cyber liability insurance, please contact our Advisors, who can arrange a comprehensive cyber risk assessment.