Introduction
On Friday evening a routine update to CrowdStrike's security software caused widespread outages to operating systems globally, halting the operations of numerous airlines, banks, hospitals, supermarkets, emergency services, media outlets, critical infrastructure providers and businesses the world over.
CrowdStrike, a Texas-headquartered company with over 29,000 customers in 170 countries (including over 50% of Fortune 500 companies and many government entities), has a market valuation of near USD $100 billion and is reported to control about 18% of the multi-billion dollar global market for modern endpoint detection security software.
In response to CrowdStrike's faulty update, reported to have affected 8.5 million devices globally, CrowdStrike's stock price fell 11%, and investigations on behalf of investors into possible violations of federal securities laws by CrowdStrike have already been announced.
Friday's events, widely reported to be the single largest outage in history, highlight the interconnectedness of global IT systems and the cascading impact a simple routine software update can have.
What went wrong?
Effective security software requires regular (often daily) updates to keep pace with ever-evolving security threats. However, updates to software which have the ability to cause widespread disruption would ordinarily be tested thoroughly in ring-fenced and simulated test environments prior to deployment so that issues such as Friday's "Blue Screen of Death" can be identified and resolved prior to roll-out to live customer environments.
Whilst staged deployment is uncommon for more minor updates (which CrowdStrike may have considered Friday's update to be), the impact of CrowdStrike's update would also have been mitigated to a large extent if deployment had been staged, such that it was rolled out to a small number of customers first and then to a bigger group later. This would have allowed any issues to be identified, the update rolled back and any fault resolved before it could cause widespread damage.
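The staged rollout described above, as an added example that is not CrowdStrike's own code or process: a ring-based deployment controller in Python that pushes an update to one ring of hosts at a time, gates each ring on a post-update health check, and reverts every ring it has touched when the observed failure rate exceeds a threshold. The fleet, ring sizes, version labels and the three fault predicates are constructed for illustration; "rolling back" a crashed host is modelled optimistically as a revert that restores health.

```python
"""Ring-based (staged) rollout with a health gate and automatic rollback.

Added illustration of staged deployment; not CrowdStrike code. The fleet,
ring sizes, version labels and fault predicates below are all constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

PREVIOUS = "content-v1"   # known-good version (constructed label)
CANDIDATE = "content-v2"  # the update being rolled out (constructed label)


@dataclass
class Host:
    name: str
    ring: int                 # 0 = internal canaries, 1 = early adopters, 2 = everyone else
    version: str = PREVIOUS
    healthy: bool = True
    exposed: bool = False     # did this host ever load CANDIDATE?


@dataclass
class RolloutResult:
    status: str               # "completed" or "rolled_back"
    rings_deployed: List[int]
    failure_rate: float       # failure rate in the ring that tripped the gate (0.0 if none)


def build_fleet() -> List[Host]:
    """Constructed 100-host fleet: 2 canaries, 8 early adopters, 90 general hosts."""
    fleet = [Host(f"canary-{i}", 0) for i in range(2)]
    fleet += [Host(f"early-{i}", 1) for i in range(8)]
    fleet += [Host(f"host-{i}", 2) for i in range(90)]
    return fleet


def staged_rollout(fleet: List[Host], crashes: Callable[[Host], bool],
                   max_failure_rate: float = 0.05) -> RolloutResult:
    """Push CANDIDATE ring by ring. After each ring, measure the failure rate;
    if it exceeds max_failure_rate, revert every ring deployed so far and stop,
    so rings not yet reached never receive the update."""
    deployed: List[int] = []
    for ring in sorted({h.ring for h in fleet}):
        targets = [h for h in fleet if h.ring == ring]
        for h in targets:
            h.version, h.exposed = CANDIDATE, True
            h.healthy = not crashes(h)          # simulated post-update health check
        deployed.append(ring)
        rate = sum(1 for h in targets if not h.healthy) / len(targets)
        if rate > max_failure_rate:
            for h in fleet:
                if h.ring in deployed:
                    h.version, h.healthy = PREVIOUS, True   # simplification: revert restores health
            return RolloutResult("rolled_back", deployed, rate)
    return RolloutResult("completed", deployed, 0.0)


def hosts_never_exposed(fleet: List[Host]) -> int:
    """How many hosts were shielded from the candidate by the early halt."""
    return sum(1 for h in fleet if not h.exposed)


# Constructed fault predicates standing in for a real health probe.
def faulty_update(host: Host) -> bool:
    return True                               # every host that loads it crashes


def intermittent_update(host: Host) -> bool:
    return host.name.endswith("-3")           # one host in ring 1 crashes; canaries survive


def good_update(host: Host) -> bool:
    return False


def run_scenario(crashes: Callable[[Host], bool]) -> Tuple[RolloutResult, List[Host]]:
    fleet = build_fleet()
    return staged_rollout(fleet, crashes), fleet


if __name__ == "__main__":
    for label, pred in (("faulty", faulty_update),
                        ("intermittent", intermittent_update),
                        ("good", good_update)):
        result, fleet = run_scenario(pred)
        print(f"{label}: {result.status}, rings {result.rings_deployed}, "
              f"{hosts_never_exposed(fleet)} of {len(fleet)} hosts never received it")
```

With the fully faulty update the canary ring fails at 100%, the controller reverts it and 98 of 100 hosts never load the bad version; the intermittent fault passes the two canaries but trips the 5% gate in ring 1, which is why a threshold measured per ring matters more than the size of the first ring alone.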
Questions may also be raised as to whether the large multi-national organisations most severely impacted by the outage had sufficiently robust contingency and continuity plans in place, and whether they were sufficiently prepared to implement them in response to an outage of this nature and scale.
What recourse is available?
Many organisations who were directly affected on Friday will likely have spent the weekend reviewing the terms and conditions on which they have procured the affected product. What recourse will be available will depend on the details of the cause of the outage and what more could have been done to avoid it occurring. The majority of customers will have contracted on supplier standard terms which typically provide minimal potential recourse for losses incurred as a result of outages of this nature. However, larger-scale organisations may have more contractual rights.
For those who have been impacted via their supply chain (i.e. as a result of key suppliers who use the affected software), those agreements may be on more balanced and negotiated commercial terms, but the availability of recourse is again likely to depend on precisely what has occurred and why. Given the nature and scale of the issues, class actions would seem to be a real possibility as losses from the event crystallise. To the extent that contractual redress is limited, the viability of other claims (such as in negligence) may also be considered. Further, if any lack of readiness on the part of affected organisations exacerbated the scale or duration of the impact that the outage had on them, shareholder claims against those organisations, or their directors, are also a possibility.
In the meantime, insurance might provide some recourse to affected organisations but not all organisations will hold cover for events of this nature. Even those organisations with cyber insurance may find that cover is unavailable for loss caused by programming errors or, in any case, that limits are insufficient to cover the business interruption losses caused by Friday's events.
Next steps?
In response to the outage, many commentators have suggested that if the economic and legal penalties for the disruption seen over the weekend remain minimal, companies will remain unmotivated to make fundamental changes.
No doubt regulators and legislators the world over will be alive to the weekend's events and considering options. Regulatory investigations will no doubt follow in some jurisdictions.
It remains to be seen whether the outage will cause legislators and regulators to consider whether additional legislation and/or regulation is required to mitigate against future widespread global crises of the nature seen over the weekend.
In the United Kingdom, the new Cyber Security and Resilience Bill announced last week in the King's speech seeks to enforce more controls and improve infrastructure resilience in the UK, with a view to avoiding issues of the nature and scale of the CrowdStrike crisis. We will watch with interest to see how the New Zealand Government and regulators in affected sectors here in Aotearoa respond.
We expect that for many organisations the CrowdStrike update will refocus Board and C-Suite attention on cyber governance and incident response preparedness and planning, including ensuring that not only their own systems, but also their supply chain, are covered.
The Russell McVeagh team will be continually monitoring developments and will provide further updates as events continue to unfold. In the meantime, if you would like any advice regarding how Friday's events might have affected your organisation or industry and what actions you can be taking in response, please do not hesitate to contact us.