
Legal, Financial and Insurance Implications of the CrowdStrike-Microsoft Incident

As Delta Air Lines and many other public and private organizations tally the business costs of the unprecedented incident caused by a CrowdStrike update, lawyers debate contract language.

As I was watching CNBC’s coverage of the Paris Olympics and related financial stories this past week, one segment caught my eye. Ed Bastian, the CEO of Delta Air Lines, was being interviewed by the "Squawk Box" team. He said the recent CrowdStrike/Microsoft outage cost Delta $500 million in five days — not to mention the ire of so many impacted customers.

“It was terrible. It was terrible,” said Bastian. “My apologies again to all of our customers.”

When asked if this incident will make Delta rethink how all of their global systems are interconnected, he responded, “Absolutely!”

He described how heavy Delta's investment is with both CrowdStrike and Microsoft, and bemoaned the reality that they are the top two competitors on cyber. “They don’t necessarily partner at the same level that we need them to. This is a call to the Big Tech industry to be responsible.”

And in a related article from CNBC, we learned that the airline has hired David Boies to seek damages against the two companies. That article begins this way:

“Delta Air Lines has hired prominent attorney David Boies to seek damages from CrowdStrike and Microsoft following an outage this month that caused millions of computers to crash, leading to thousands of flight cancellations.

“CrowdStrike shares fell as much as 5 percent in extended trading on Monday after CNBC’s Phil Lebeau reported on Delta’s hiring of Boies, chairman of Boies Schiller Flexner. Microsoft was little changed.

“On July 19, a software update from CrowdStrike led to a historic outage of Microsoft systems, knocking numerous industries offline. Airlines were particularly hard hit, and the Department of Transportation said last week that it’s investigating Delta, which suffered widespread flight disruptions and service failures.”

Meanwhile, a lawsuit by shareholders was filed this past week, according to Reuters.

“CrowdStrike has been sued by shareholders who said the cybersecurity company defrauded them by concealing how its inadequate software testing could cause the July 19 global outage that crashed more than 8 million computers.

“In a proposed class action filed on Tuesday night in the Austin, Texas, federal court, shareholders said they learned that CrowdStrike's assurances about its technology were materially false and misleading when a flawed software update disrupted airlines, banks, hospitals and emergency lines around the world.

“They said CrowdStrike's share price fell 32 percent over the next 12 days, wiping out $25 billion of market value, as the outage's effects became known. …”

It is unknown at this time if governments and/or other companies plan to take legal action as a result of the global incident, but it seems likely.

Nevertheless, most enterprise software contracts carry well-defined terms and conditions, indemnity clauses and service-level agreements that make clear the vendor is not responsible for consequential business or operating losses on the customer's side. In some cases the vendor's liability is capped at the value of the contract, or at some multiple of the contract value.


According to MSSPAlert last week, “Analytics and insurance provider Parametrix calculated the financial impact of last week's outage at $5.4 billion in losses for Fortune 500 companies, excluding Microsoft Corp. (MSFT).

“The cybersecurity insurance policies of CrowdStrike's Fortune 500 customers will likely cover no more than 10 percent to 20 percent of those losses, Parametrix said in its report Wednesday. The estimated insured losses on cyber insurance policies range from $540 million to $1.08 billion."

According to Morningstar, "CrowdStrike is likely shielded from billions in customer losses caused by its outage."

“The outage is believed to have caused $5.4 billion in losses for big enterprises — but various factors help insulate the cybersecurity company.

“Despite having caused one of the largest global technology meltdowns ever, resulting in billions of dollars in losses for its customers, CrowdStrike Holdings Inc. itself should largely be shielded from direct financial impacts.

“That's due in part to the software industry's licensing structure, through which standard software licenses limit the liability of the software developer, and because of insurance held [by] both CrowdStrike (CRWD) and its customers.”

A COUNTER INDUSTRY TREND ON LIABILITY


Another fascinating trend to watch, according to Politico, is an effort by many lawmakers to limit the liability of hospitals and other health-care organizations following a cyber attack.

“Tennessee in May became the fourth state to limit organizations’ liability in exchange for adopting cyber defenses, following Utah, Connecticut and Ohio.

“The spate of legislation pits large medical systems against trial lawyers and the affected patients they represent. It comes amid a scourge of cyber attacks that have threatened patient safety and cost the health-care system billions of dollars.

“As hacks have become more prevalent and bad actors have grown more sophisticated, many lawmakers have sought to protect health-care providers, arguing they can’t reasonably be held responsible for every manner of attack headed their way.

“'What happens is they get hacked, and then by law they have to report there is a breach, and then you have these class-action suits pop up,' said Florida state Rep. Mike Giallombardo, a Republican who helped pass a bill limiting liability and owns a cybersecurity firm. 'The victim is being sued for tens of millions of dollars for so-called negligence when the fact is they weren't negligent. Nobody's immune from this. …'”

WHERE NEXT FOR CYBER INSURANCE


CRC Group offered this perspective on cyber insurance impacts after the CrowdStrike and Microsoft outage effects:

“The CrowdStrike outage has sent shockwaves through the cybersecurity and insurance industries, highlighting the critical vulnerabilities even leading cybersecurity firms face as well as the significant impact of single points of failure. This unprecedented event disrupted services for thousands of businesses, revealing the potential for widespread operational paralysis. As the dust begins to settle, insurance professionals are left to assess the implications of such a significant failure. Some suggest the insurance coverages most affected include business interruption, contingent business interruption, and network restoration within cyber coverage. In addition, smaller lines such as event cancellation, travel insurance, and technology errors and omissions will also be impacted. There is also potential for Directors & Officers (D&O) insurance implications. …

“It’s anticipated that Microsoft and CrowdStrike clients will file claims for business interruption losses as a result of their outages. The application of coverage will be dependent on the waiting period within clients’ cyber policies as well as the coverage trigger negotiated within the wording (i.e., security failure vs. systems failure).

“Similarly, clients of firms that use Microsoft and CrowdStrike could also file claims for dependent business interruption losses as a result of their outages, and coverage will be dependent on the same criteria — the cyber policy waiting period and the coverage trigger negotiated within the wording (i.e., security failure vs. systems failure). …”

Last week in my blog covering some initial lessons learned from this incident, I highlighted what my friend Michael McLaughlin had to say on LinkedIn: “Does a global cyber outage qualify as a 'material cybersecurity incident'? This is the question hundreds of companies are grappling with this week. Under the SEC cyber rule, public companies are required to promptly disclose material cybersecurity incidents under Item 1.05 of Form 8-K. If the company is unsure whether the incident is material, the SEC released guidance that those incidents should be reported under Item 8.01. … But what is a 'material cybersecurity incident'? What does this mean for CrowdStrike's public customers impacted by this event? Other companies should consider a range of factors when assessing whether this incident materially impacted them, such as: -Reputational harm -Remediation costs -Legal risks -Lost revenues -Insurance. Importantly, these should also be placed in the context of a global cyber outage — e.g., what is the reputational damage to a single company amongst thousands impacted?”

Another interesting view comes from Tim Wessels:

“This will be unique to each company. Yes, Microsoft authorized (WHQL) the use of the Falcon kernel mode driver, but Microsoft does not authorize the Falcon update file or pseudo-code that is likely delivered multiple times a day and run by the Falcon kernel mode driver. The Falcon kernel mode driver 'choked' on an update file filled with zeros and borked the Windows kernel, which caused the Windows kernel to 'blue screen' to save itself from any additional damage.

“Was CrowdStrike just lucky that this never happened before? It should have employed checks before running the update. One was when the update was ready to be pushed out from CrowdStrike, and the Falcon kernel mode driver should have performed a second check before running the update. This strikes me as negligent behavior by CrowdStrike to assume that its Falcon update file would always arrive in the correct format. I think CrowdStrike will likely find itself on the receiving end of a class-action lawsuit for negligence, resulting in huge customer damage.”
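Tim Wessels' point above is that an update must be checked before it is run, once when it leaves the vendor and again in the consumer before the content is loaded. What follows is an added example, not CrowdStrike's code and not based on the Falcon channel-file format (which is not public): it invents a small signed update format and runs one validator at a hypothetical publisher release gate and again in a hypothetical sensor loader, which keeps its previous rule set whenever a file is rejected. The key, the layout, and the rule entries are constructed for the demo, and an HMAC stands in for whatever signature scheme a real vendor would use.

```python
import hashlib
import hmac
import struct
import zlib

# Hypothetical content-update ("channel file") layout, invented for this example.
# It is not CrowdStrike's format, which is not public.
#   header : magic(4) | format_version(u16) | entry_count(u16) | payload_len(u32) | crc32(u32)
#   payload: entry_count x [rule_id(u16) | pattern_len(u16) | pattern bytes]
#   trailer: HMAC-SHA256 over header+payload (stands in for the vendor's real signature)
MAGIC = b"CHAN"
FORMAT_VERSION = 1
HEADER = struct.Struct("<4sHHII")
ENTRY = struct.Struct("<HH")
SIG_LEN = hashlib.sha256().digest_size


def sign(body: bytes, key: bytes) -> bytes:
    """Authentication tag the publisher computes over header+payload."""
    return hmac.new(key, body, hashlib.sha256).digest()


def build_update(entries, key: bytes) -> bytes:
    """Serialise (rule_id, pattern) pairs into a signed update blob."""
    payload = b"".join(ENTRY.pack(rid, len(pat)) + pat for rid, pat in entries)
    header = HEADER.pack(MAGIC, FORMAT_VERSION, len(entries), len(payload), zlib.crc32(payload))
    body = header + payload
    return body + sign(body, key)


def validate_update(blob: bytes, key: bytes):
    """Return (ok, reason, entries).

    Nothing in the blob is parsed until the signature verifies, and no entry is
    returned unless every structural check passes.  The same function runs at
    the publisher's release gate and again in the consumer, so a malformed file
    is stopped at either point.
    """
    if len(blob) < HEADER.size + SIG_LEN:
        return False, "too short", []
    body, tag = blob[:-SIG_LEN], blob[-SIG_LEN:]
    if not hmac.compare_digest(sign(body, key), tag):
        return False, "bad signature", []
    magic, version, count, plen, crc = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic", []
    if version != FORMAT_VERSION:
        return False, "unsupported format version", []
    payload = body[HEADER.size:]
    if len(payload) != plen:
        return False, "payload length mismatch", []
    if zlib.crc32(payload) != crc:
        return False, "crc mismatch", []
    entries, off = [], 0
    for _ in range(count):
        if off + ENTRY.size > len(payload):
            return False, "truncated entry", []
        rid, n = ENTRY.unpack_from(payload, off)
        off += ENTRY.size
        if n == 0 or off + n > len(payload):
            return False, "bad entry length", []
        entries.append((rid, payload[off:off + n]))
        off += n
    if off != len(payload):
        return False, "trailing bytes", []
    return True, "ok", entries


def release_gate(entries, key: bytes) -> bytes:
    """Publisher side: refuse to ship anything the consumer's validator would reject."""
    blob = build_update(entries, key)
    ok, reason, _ = validate_update(blob, key)
    if not ok:
        raise RuntimeError(f"refusing to publish: {reason}")
    return blob


class Sensor:
    """Consumer side: load an update only after it validates; otherwise keep the last good set."""

    def __init__(self, key: bytes):
        self.key = key
        self.rules = {}
        self.rejections = []

    def apply_update(self, blob: bytes) -> bool:
        ok, reason, entries = validate_update(blob, self.key)
        if not ok:
            self.rejections.append(reason)  # surface as an alert; previous rules stay active
            return False
        self.rules = dict(entries)
        return True


if __name__ == "__main__":
    key = b"example-signing-key"  # constructed for the demo
    good = release_gate([(1, b"evil.exe"), (2, b"\x90\x90")], key)
    sensor = Sensor(key)
    print(sensor.apply_update(good), sensor.rules)
    print(sensor.apply_update(bytes(len(good))), sensor.rejections)
```

The signature check alone is not enough: a zero-filled body signed with the right key passes the HMAC check and is only stopped by the structural checks, and a file whose header declares more entries than it carries passes both the signature and the CRC and is caught only by the entry walk. The trade-off to state explicitly is that a rejected update leaves the host on stale detection content until a valid file arrives, so rejections should be surfaced as alerts rather than silently absorbed.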

FINAL THOUGHTS


There remain many unanswered questions due to this incident surrounding liability, cyber insurance impacts, future changes to terms and conditions in contracts, and much more. No doubt, this will take years to resolve in the courts and C-suite conversations around the world.

Nevertheless, this incident also highlights many other areas that the cyber industry has long discussed but most organizations have never fully addressed.

Put another way, this may be as close as we have ever been to a “Cyber 9/11” or a “Cyber Pearl Harbor,” if you factor in the global domino effects of this outage and its overall impact. These scenarios are no longer just philosophical, or material for tabletop exercises. Those who have been saying, and seriously discussing, that a global Internet or international systems outage could happen were not fearmongering, and they were not flat-out wrong.

And make no mistake, there are many who have been saying this for years. I have heard the “it won’t happen to me” storyline from people all over the world as I gave presentations on true ransomware stories and leadership action plans.

Bottom line, we need to be better prepared. We must have more redundancy. Understanding our third-party risk, and the partners we rely on, can no longer sit low on the priority list. Improving contract wording needs attention now. All over the world, organizations are updating cyber insurance policy provisions and refocusing on the next time a Cyber Mayday and the Day After comes, whatever the cause.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.