CrowdStrike strikeout: solutions for business
19 July 2024, a date for the ages, when millions of computers worldwide were disrupted by the infamous ‘blue screen of death’ following a faulty software update from CrowdStrike.
This event, marked as one of the most significant IT outages in history, impacted numerous industries globally. Parametrix Insurance, a Cloud outage insurance company, estimated that the financial losses for US-based Fortune 500 companies (excluding Microsoft), could reach $5.4 billion, with a weighted average loss of $44 million per company. Given the global scope of the incident, whilst it may not be possible to quantify the full extent of losses suffered, they are likely to be substantial.
Whilst the immediate outage has largely been resolved, the aftermath of the CrowdStrike calamity still looms, raising questions about potential claims and the broader ramifications for affected businesses. This article explores the disruption caused and the possible claims that businesses may pursue in the coming months.
Claims under supply contracts
The fallout from the outage has been felt across a myriad of industries, but those with supply or distribution agreements may be most acutely affected. The IT outage likely hampered suppliers’ ability to meet contract deliverables on time, caused delays in manufacturing and distribution systems, and complicated customer orders and payments.
Businesses should assess whether they incurred losses due to the outage. Reviewing contracts for potential breaches and determining eligibility for damages claims is crucial. Conversely, businesses must also consider potential liability to customers or third parties if they failed to meet obligations, and whether any indemnification provisions are in place under their contracts.
A key contractual provision to scrutinise is the force majeure clause, which can excuse a party from liability if an unforeseeable event prevents them from fulfilling their contractual obligations, though invoking this clause does not void the contract. Generally, force majeure clauses are negotiated to cover an explicit list of events. Businesses should therefore check if such a clause exists in their contracts and, if so whether it would cover the CrowdStrike incident.
If no force majeure clause is present, businesses might argue that the contract has been frustrated. Frustration occurs in limited circumstances where an unforeseen event renders the contract's performance impossible, automatically terminating it and discharging future obligations.
Insurance claims
We similarly anticipate an increase in insurance-related claims, especially from entities with cyber-security or business interruption insurance in place. To initiate a claim, a thorough review of the insurance policy is necessary to identify any limitations or exclusions that might affect the ability to claim under the policy. Some policies require prompt notification of losses and potential claims, have strict limits on recoverable losses, and specify the circumstances under which a claim can be made. Notably, some cyber-security policies exclude coverage for ‘system failure’ or ‘non-malicious events’, focusing instead on malicious attacks.
Technology and outsourcing claims
Direct claims against CrowdStrike in the UK may be challenging unless businesses have a direct contractual relationship with it. However, businesses should examine their contracts with other IT or technology providers who might have provided service guarantees or warranties, regarding e.g., the stability of IT services or the efficacy of software updates.
Regulatory exposure
Entities in regulated industries should assess whether the IT outage caused any breaches or delays in their reporting or other obligations to regulators. Some regulators have acknowledged the impact of the CrowdStrike incident. For example, the OFSI has stated it would “take into account” the incident when assessing delayed sanctions reporting. Nevertheless, regulated entities should evaluate their potential exposure to fines or other penalties if deadlines were missed.
Key points to consider
If your business was impacted by the CrowdStrike outage, consider the following:
- Quantifiable financial loss: did your business suffer a quantifiable financial loss directly from the CrowdStrike incident? Under English law, merely being a victim of the outage is insufficient for a claim; losses must be quantifiable
- Contractual obligations: was your business, or your suppliers, unable to meet contractual deliverables? Evaluate potential liabilities or recourse under existing contracts
- Risk of claims: assess the risk of claims from customers or third parties. Ensure your contracts have adequate protections to limit potential liability and indemnify for any losses
- Insurance coverage: does your business have cyber-security or business continuity insurance? Review policies for limitations and ensure prompt notification of potential claims
- Regulatory obligations: determine if your business has reporting obligations to regulators and whether these were delayed or missed. Check for any grace periods provided by regulators due to the CrowdStrike incident and assess potential exposure to fines or other penalties
CYK is a disputes firm in the City of London, offering advice to clients in all sectors, including technology, IT, outsourcing, banking, finance, and regulation.