
The “largest IT outage in history”? Legal implications of the CrowdStrike incident

IT admins around the world woke up today to discover that their Windows machines were crashing with a “blue screen of death” and stuck in a boot loop. This has resulted in an ongoing incident described by prominent cyber security expert Troy Hunt as the “largest IT outage in history”.

The culprit? A bug in a regular update to CrowdStrike’s Falcon sensor, a tool used by IT teams to monitor activity on a device and help detect and defend against cyberattacks.

The “largest IT outage in history”?

The incident impacts businesses using Windows machines (i.e. almost every business) which are running CrowdStrike (which is a very popular security tool), effectively disabling the affected devices. Because of this, the impact has been huge and spread across every industry. Amongst many other reports of disruption, so far we have heard that:

  • Multiple airlines across the world have been grounded and airports are experiencing severe problems.
  • Hospitals and health services have had to cancel appointments and operations.
  • Several UK railway operators are experiencing disruption as a result of IT issues.
  • Sky News was unable to broadcast live for a time.
  • The London Stock Exchange is reporting issues with one of its information services and financial regulators are investigating whether other financial institutions are affected.

Full details are still emerging about the incident, its effects and how best to fix it. In the meantime, we have considered the legal issues presented by this kind of incident.

1) Software updates create risk as well as mitigating it

The irony of the situation is that the organisations worst impacted are likely to be those who are doing all the right things in terms of cybersecurity, including using CrowdStrike Falcon and automatically updating it. The update that has caused the outage was intended to help keep devices secure against attacks and malware. While updating all software is clearly best practice from an infosec perspective, it is easy to forget that any software update is a change to an organisation’s IT environment and therefore comes with a level of risk that has to be managed. 

Security updates are likely to become even more common in the coming years, in part because of various legislative efforts encouraging or requiring hardware manufacturers and software developers to provide them (such as the EU Cyber Resilience Act and the UK Product Security and Telecommunications Infrastructure regime). Businesses need to ensure that their IT change management processes are robust and efficient enough to capture and process these changes in a safe and timely manner.

Where updates are being provided or applied by third parties, customers should consider whether it is appropriate to include contractual obligations on the supplier to test updates and not to deploy them into production environments without approval. For enterprise software like CrowdStrike that will clearly not be commercially viable, but for bespoke or managed services it is likely to be worth considering.
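The change-management point above (an update is a change to the environment and must be gated before it reaches every device) is easiest to see as a staged rollout with a health check between rings. The following is an added illustration written for this post, not CrowdStrike's or any vendor's deployment logic; the fleet, the "update" and the fault model in which a build crashes one OS family are all constructed.

```python
"""Ring-based rollout with a health gate, as a model of the change-management
step the article argues for. Fleet, update and failure behaviour are constructed
for this example and do not describe any real product."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    os: str
    healthy: bool = True


@dataclass
class Update:
    version: str
    # Constructed fault model: OS families on which this build crashes at boot.
    breaks_on: frozenset = field(default_factory=frozenset)


def build_fleet(n: int = 100) -> list:
    """Constructed fleet: hosts alternate between two OS families."""
    return [Host(f"host-{i:03d}", "windows" if i % 2 == 0 else "linux") for i in range(n)]


def apply_update(host: Host, update: Update) -> bool:
    """Simulate applying the update; the host stays healthy unless the build is
    broken for its OS family. Returns the post-update health state."""
    host.healthy = host.os not in update.breaks_on
    return host.healthy


def staged_rollout(hosts: list, update: Update, ring_sizes: list,
                   max_failure_rate: float = 0.05) -> dict:
    """Deploy ring by ring (canary first) and stop at the first ring whose
    failure rate exceeds the gate, so later rings never receive a bad build."""
    report = {"rings_completed": 0, "updated": 0, "failed": 0,
              "halted": False, "halted_at_ring": None, "untouched": 0}
    idx = 0
    for ring_no, size in enumerate(ring_sizes):
        ring = hosts[idx:idx + size]
        idx += size
        failures = sum(1 for h in ring if not apply_update(h, update))
        report["updated"] += len(ring)
        report["failed"] += failures
        if ring and failures / len(ring) > max_failure_rate:
            report["halted"] = True
            report["halted_at_ring"] = ring_no
            break
        report["rings_completed"] += 1
    report["untouched"] = len(hosts) - report["updated"]
    return report


def big_bang_rollout(hosts: list, update: Update) -> dict:
    """The unmanaged alternative: every host takes the update at once."""
    failed = sum(1 for h in hosts if not apply_update(h, update))
    return {"updated": len(hosts), "failed": failed}


if __name__ == "__main__":
    bad_build = Update("2.0", breaks_on=frozenset({"windows"}))
    print("staged :", staged_rollout(build_fleet(), bad_build, [5, 20, 75]))
    print("big bang:", big_bang_rollout(build_fleet(), bad_build))
```

With the constructed bad build, the canary ring of five hosts loses three and the rollout halts there, leaving 95 hosts untouched; the same build pushed to every host at once disables half the fleet. A healthy build passes all three rings. The gate threshold and ring sizes are the policy knobs a change process would set.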

2) Understand your IT concentration risk

The scale of the impact of this incident results from the fact that so many businesses use Windows and CrowdStrike on so many of their devices. This centralisation creates a risk both for the individual business and for the wider economy. We also see this whenever a major cloud provider has an incident in one of its services and multiple businesses suffer outages as a result. Businesses should understand and manage their IT concentration risk.

This is a key focus area of the EU Digital Operational Resilience Act (“DORA”), which will apply to financial entities from January 2025. DORA will require financial services firms to assess their own internal IT concentration risk before entering into IT contracts. In particular, DORA focusses on the need for firms to understand how subcontracting affects concentration risk: a business may have two suppliers providing a similar service, but if they both rely on the same cloud provider then there may be a hidden single point of failure.
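The hidden single point of failure described above is a graph question: which providers does every supplier of a service ultimately rest on? The following is an added example written for this post (not a DORA tool or any firm's register); the supplier and subcontractor names are constructed.

```python
"""Find hidden single points of failure in a supplier/subcontractor graph.
Services map to their direct suppliers; the graph maps each provider to the
providers it in turn relies on. All names are constructed for this example."""
from collections import deque


def transitive_deps(graph: dict, node: str) -> set:
    """The provider itself plus everything it rests on, at any depth, so a
    subcontractor two hops down is still counted."""
    seen, queue = set(), deque([node])
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(graph.get(cur, ()))
    return seen


def hidden_single_points_of_failure(services: dict, graph: dict) -> dict:
    """For each service, the providers that every one of its suppliers
    ultimately depends on. Anything in that set takes the whole service down."""
    result = {}
    for service, suppliers in services.items():
        dep_sets = [transitive_deps(graph, s) for s in suppliers]
        result[service] = set.intersection(*dep_sets) if dep_sets else set()
    return result


def blast_radius(services: dict, graph: dict) -> dict:
    """Invert the view: for each provider, the services it is a single point
    of failure for. This is the 'how many entities rely on them' question."""
    radius = {}
    for service, spofs in hidden_single_points_of_failure(services, graph).items():
        for provider in spofs:
            radius.setdefault(provider, set()).add(service)
    return radius


# Constructed register: "payments" looks dual-sourced, but supplier-b's
# managed-service provider runs on the same cloud as supplier-a.
SERVICES = {
    "payments": ["supplier-a", "supplier-b"],
    "email": ["supplier-c", "supplier-d"],
    "endpoint-protection": ["edr-vendor"],
}
GRAPH = {
    "supplier-a": ["cloud-x"],
    "supplier-b": ["mssp-y"],
    "mssp-y": ["cloud-x"],
    "supplier-c": ["cloud-x"],
    "supplier-d": ["cloud-z"],
    "edr-vendor": ["cloud-x"],
}

if __name__ == "__main__":
    for service, spofs in hidden_single_points_of_failure(SERVICES, GRAPH).items():
        print(f"{service:20s} single points of failure: {sorted(spofs) or 'none'}")
    print("blast radius:", {p: sorted(s) for p, s in blast_radius(SERVICES, GRAPH).items()})
```

In the constructed register, "payments" has two suppliers but one hidden dependency (cloud-x) reached through supplier-b's subcontractor, "email" has none because its suppliers sit on different clouds, and a single-sourced service is trivially concentrated on its one vendor. The inverted view is what a regulator asking "how many entities rely on this provider" is after.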

DORA will also allow the European Supervisory Authorities (“ESAs”) to designate certain IT service providers as “critical ICT third-party service providers” and establishes an oversight regime for them. A number of factors are to be taken into consideration, including the impact that an outage in the provider’s systems would have on the financial system given the number of financial entities relying on them. The legislation makes clear that it is targeted primarily at the major cloud vendors, but the CrowdStrike incident demonstrates that concentration on a small number of software vendors at the on-premises and endpoint level can be just as risky as concentration on the cloud hyperscalers.

3) No substitute for BCDR planning

This outage is proof that even for businesses that do everything right, incidents can and will occur. Business continuity and disaster recovery (“BCDR”) planning is therefore essential for all critical services. One of the most interesting workarounds to come out of the CrowdStrike incident is that one airline appears to be issuing hand-written boarding passes for flights! 

Normally BCDR isn’t so exciting, but all outsourcing contracts still need to address it comprehensively. Customers should ensure that their suppliers are required to produce a BCDR plan which addresses a wide range of likely and not-so-likely scenarios. And, most importantly, the BCDR plan should be updated over the lifetime of the contract and tested regularly to ensure that it works. Disruption costs time and money, so a small upfront investment in BCDR negotiation and planning may well pay dividends in the long run.

4) Liability clauses – consider all the scenarios

This incident is a good reminder to look carefully at the exclusions and limitations of liability in technology contracts. We expect that lots of lawyers will be examining their CrowdStrike agreements today!

Customers should be aware that – unless they negotiate terms – the vendor’s standard form contract is likely to place strict limits on the available remedies in this kind of scenario. It might be unreasonable for an airline to ask CrowdStrike to reimburse it for any compensation it has to pay to delayed passengers. However, it might be more reasonable to want to recover the cost of calling out IT support technicians to resolve the issue. Even if customers do negotiate a favourable liability position, this is only helpful if there is a breach of contract to point to. Customers should therefore always try to ensure that the warranties and other commitments being offered match up with their expectations of the vendor.

For software and services vendors, the same applies in reverse. This incident highlights how exclusions of liability and financial caps in a contract are equally important and do different jobs. If a vendor provides a one-to-many service such that a single mistake could affect a significant proportion of its customers, then even with relatively low financial caps, the potential liabilities under each contract could quickly add up to a crushing figure in excess of its insurance limits. Liability exclusions help stop things from reaching this stage.

5) Understand your cyber and business interruption insurance

Businesses should understand whether they have cyber and business interruption insurance in place, and if so what it covers and what the policy limits are. For software vendors and service providers: are you covered for cyber liability to your customers if you are negligent or in breach of contract (though we are not suggesting that CrowdStrike has been here)? For customers: are you covered for loss of business income following a cyber incident, and would the coverage extend to a non-malicious incident of this nature?

The Financial Times reported this morning that some publicly-traded specialty insurers had suffered a minor drop in their share price, presumably in anticipation of claims being made. However, that movement already seems to have reversed, perhaps reflecting the facts that workarounds and fixes have already been made available and that covered losses would be limited and difficult to quantify.

