Since the global IT outage on Friday 19 July 2024, CrowdStrike, a security technology provider, and Microsoft have each released tools and advice to facilitate recovery. The incident has been attributed to a software update from CrowdStrike that caused problems with some PCs, servers and IT equipment running Microsoft Windows, triggering substantial disruption across many businesses.

However, organisations continue to face significant challenges, not least as individual devices afflicted by the 'blue screen of death', indicating Windows has failed to load, will require manual attention to deploy the fix and roll back the problematic update which caused the issue. Given the outage has been reported to have affected around 8.5 million devices, it has caused significant business impacts on services in some sectors and will continue to cause disruption for the foreseeable future.

Some organisations will have suffered significant losses due to their own loss of business, and due to consequential claims they may face from their customers and other third parties.

For organisations impacted, it will be critically important to take immediate steps to ascertain potential losses and preserve your position, including in respect of third-party claims and where applicable with insurance carriers. This article looks at the immediate steps that ought to be taken by impacted businesses. Longer term, we expect to see broader learnings for entities and regulators around operational resilience and how these types of incidents should be dealt with.

Immediate steps

1. Quantify potential losses

It may not be possible at this early stage to fully quantify loss. However, a priority should be to get a sense of the loss in financial terms. Was your business itself impacted? Were third parties impacted which had a knock-on effect on your organisation? How long did impacts last and what financial loss has arisen or is likely to arise as a result? What costs have you incurred, and do you expect to incur, in remediating? What about potential third party claims against you (see below)? This may need to be an ongoing assessment as new information becomes available but will be key to determining what steps must be taken to protect your organisation's position.

2. Consider any regulatory impacts that might arise

This will be sector specific, but in many jurisdictions, financial service regulators, critical national infrastructure regulators (such as energy or telecoms) and data privacy regulators can all require notification where there has been a significant impact on services. While many organisations were affected by the outage, and it can be traced back to the update from CrowdStrike, the recovery time (ie, how quickly organisations were able to get their systems back up and running) and resilience (eg, whether other mechanisms were available to provide essential services to customers) can be differentiators as far as regulators are concerned.

3. Respond to impacted customers and third parties

If you are aware of direct impacts on your customers or other third parties arising from your own organisation's impact (for example, your inability to perform your contracts) it is important to assess this and take steps to mitigate. This may involve triggering contractual clauses such as force majeure, where available, or otherwise seeking to mitigate ongoing performance failures. Any customer-facing communications also need to be carefully managed, guided by legal advice to protect the legal position.

4. Assess prospects of claims

Where losses have arisen or are expected, consider putting third parties on notice of potential claims your organisation may have, either in respect of its own business losses, or to cover third party claims it may face. There may not yet be enough information to put together full letters of claim, but in some circumstances placing suppliers on notice of potential claims both reserves the position and may prompt a wider negotiation discussion. If you are in receipt of such claims (particularly where they are numerous), keeping ahead of the relationship will be important to buy yourself time to consider and respond. Whether you are anticipating, originating or receiving claims, it is also important to get ahead by understanding your legal and contractual position at an early stage, which can feed into the wider response strategy.

Such claims may be against CrowdStrike or other IT suppliers/vendors which implemented CrowdStrike as part of a wider outsourced solution or may be brought by customers against third parties whose service delivery has fallen below contractual requirements due to the outage. Claims may arise in contract or in tort (eg, negligent performance of services). Considerations will include:

  • On what basis could a claim be brought? This includes causes of action such as service warranties, performance warranties, minimum standards/SLAs, tortious claims and potential statutory claims (such as misleading or deceptive conduct). If it is necessary contractually to establish "fault" (as opposed to having service levels that are in effect strict liability) this will be complicated by the fact that the update that caused the outage was deployed directly by CrowdStrike.
  • What could be recoverable? Limitation and exclusion clauses are especially important. Vendors, in particular, may seek to limit liability to a multiple of fees paid over a specified period (eg, 12 months), to exclude forms of damage such as loss of business, loss of profit, harm to reputation etc, or to rely on sole remedy clauses. If such restrictions apply, consider whether any arguments could be used to challenge the efficacy of such exclusions (eg, whether negligence or statutory causes of action could fall outside their scope or whether there are exclusions to the limitation clauses that could apply).
  • Has loss been adequately mitigated? What mitigations were taken which may limit the loss (and which may be expected to have been taken when seeking to recover losses from third parties)?
  • Do termination rights arise? Depending on the extent of the impact and contractual termination clauses, it may be possible to exit relevant contracts and seek damages. Note that, in some jurisdictions, there can be a window of opportunity to terminate contracts which can be lost through conduct that affirms the contract. Wrongful termination also can give rise to liability in the opposite direction. It will be very important to take legal advice promptly should these issues arise.
  • Where and how could claims be brought? The jurisdiction and governing law clauses will determine where a claim would need to be brought and the law that applies. The dispute resolution clauses will determine steps that must be taken before issuing a claim with a view to seeking to resolve disputes (common in larger IT contracts). Engaging such procedures could be tactically advantageous as a means of exerting pressure without having to immediately take the step of contentious proceedings. Contracts may also specify mandatory ADR, such as expert determination, mediation or arbitration, to resolve claims.

5. Be especially vigilant in respect of cyber risks during this period

The CrowdStrike Falcon software is a so-called endpoint detection and response (EDR) solution that provides cyber security monitoring and protection on the computers on which it is installed. Given that the fix is now available (and CrowdStrike has rolled back the problematic update), it should not be necessary to deactivate the software, and doing so might expose your organisation to increased cyber risk. This is particularly so given that we are seeing reports of phishing and other fraud attempts being deployed by bad actors, which leverage the outage. Examples could include impersonating CrowdStrike support staff, releasing "tools" that purport to fix the issues but are in fact malicious, or impersonating impacted organisations such as airlines to target their customers suffering cancelled flights. Organisations should seek to identify key areas of risk and take steps to mitigate that risk, including enhanced monitoring and vigilance and internal and external advisory notices where appropriate.

6. Insurance

Insurance may play a role in mitigating losses resulting from the incident and assessment of potentially responsive policies should feature in any incident response plan. Insofar as cover is available, it may be lost if prompt notifications are not made, so early analysis is recommended. In addition, some insurance policies state that legal and other advisers instructed to deal with the underlying incident (and whose costs the insured would seek to be covered under the policy) must be selected from the insurer’s panel of advisers. In most jurisdictions (including the UK and Australia), this is not mandatory – you may work with your own preferred (legal) adviser. On many policy forms, including typically in the London market, the insurer’s prior consent to an instruction must be sought if an insured wishes to use its preferred adviser. In that event, consent should be sought promptly.

The starting point to assess what insurance policies may respond is to assess the potential losses resulting from the incident (see point 1 above). Broadly these could encompass:

  • Revenue losses and increased costs of working (referred to as 'business interruption losses'). These will be the immediate losses of concern to policyholders.
  • Losses resulting from liability to third parties as a result of service failures to customers, for example, and the related costs of defending such claims (third party losses). It will likely take some time for these types of losses to materialise as disputes, including within supply chains, emerge.
  • Regulatory exposure to costs or fines: where, for example, personal data is rendered inaccessible by an outage, that can be notifiable to data privacy regulators or operational resilience issues may conceivably give rise to regulatory exposures for businesses which suffer extended downtime or recover slowly.
  • Losses due to fraud/scams/phishing occurring in the wake of the incident.

Next, policyholders should check whether they have cover for these losses. Potentially responsive policies for these types of loss are:

  • Business interruption (BI) losses: Insureds might find BI cover under standalone cyber policies, or property damage and business interruption policies. Traditional, damage-based, BI cover is unlikely to respond in these circumstances where there has not been physical damage. However, cyber insurance cover often contains "non-damage" BI cover (ie, cover that does not require physical damage to the insured's property). While it typically covers BI losses resulting from security breaches/malicious acts (which on present information is not relevant here given CrowdStrike's public explanations), it may also provide cover for BI losses caused by more benign system outages, for example, cover for “total or partial interruption, degradation in service or failure of the Computer System”. Insureds should check their cyber policy wordings to ascertain whether they are potentially responsive to BI losses caused by system outages.
  • In addition to BI, if any regulatory notifications (eg, to data privacy regulators) are required, coverage may apply under cyber (or other liability) insurance for costs and insurable fines.
  • Medium term, the biggest exposures for organisations, depending upon how they have been impacted by the outage, may result from third party claims, and crime. Potentially responsive policies are cyber, professional indemnity (PI), technology errors & omissions (Tech E&O) and crime policies. 
  • To the extent organisations have outsourced this to an external supplier, that supplier may have liability to its customers. Claims against suppliers of IT services may, depending on the nature of the liability, contract terms and policy terms, be backed by the suppliers' own Tech E&O policies – these cover liability for errors and omissions by IT service providers.
  • Claims by customers/clients against other service providers (for example, banks that cannot provide banking services to customers) may be backed by the service provider's PI insurance.
  • Losses due to fraud/scams/phishing occurring in the wake of the incident may be covered under cyber insurance for malicious acts (eg, if there were to be a future cyber security breach) or crime/PI insurance (if individuals are defrauded – eg, liabilities to reimburse customers for monies taken from their bank accounts).

The key takeaway for policyholders impacted by the incident is to assess losses (and potential losses) and review potentially responsive wordings – and primarily cyber coverage in the first instance. If there is potentially responsive insurance, notifications should be made to insurers promptly.

7. The longer term

For many organisations, this will have been the first time their incident response processes and procedures will have been tested in the context of a significant, worldwide, IT-related outage. If your organisation was affected, you should consider what could have been done differently to have reduced the impact and revise incident response, business interruption and disaster recovery plans accordingly. It is likely, going forward, that the regulatory landscape will change. This incident is effectively a patch management issue: patch too slowly and organisations are at risk of cyber threats; patch too quickly (or – as here – rely on instantaneous updates from anti-virus vendors) and organisations are entirely reliant on those third parties for testing. Best practice is therefore likely to change, perhaps with staggered roll-out of updates to ensure that, if there are issues, they are picked up before rolling out worldwide, mandatory testing of all types of updates (including virus definitions) by suppliers and/or customers and other measures.

Key contacts

  • Andrew Moir, Partner, Intellectual Property and Global Head of Cyber & Data Security, London
  • Cameron Whittfield, Partner, Melbourne
  • Peter Dalton, Partner, London
  • Antonia Pegden, Partner, London
  • Greig Anderson, Partner, London
  • Anne Hoffmann, Partner, Sydney
  • Miriam Everett, Partner, Global Head of Data Protection and Privacy, London
  • Christine Wong, Partner, Sydney
