Lessons from the CrowdStrike outage: Japan's approach to cyber security in contract arrangements and supply chains, and the implications of cyber incidents for commercial agreements

In July 2024, an update of the CrowdStrike Falcon platform provided by American company CrowdStrike caused global Windows system errors, 'crippling' key infrastructure and disrupting businesses ("CrowdStrike Outage"). In Japan, many companies including airlines and theme parks were particularly affected. Of note, however, is that the technical issues involved  did not arise from network/system infiltration by malicious actors but were instead due to a bug in CrowdStrike's own software. Whilst only around 1 percent (8.5 million devices) of Microsoft devices worldwide were estimated to have been affected, this incident has been described as among the costliest IT outages in history with projections of lost revenue at over US$ 1 billion.

The CrowdStrike Outage underscores the significant financial and business impacts that can arise from cyber vulnerabilities within IT ecosystems and supply chains. Both in Japan and abroad, questions remain about the impact on business agreements between companies directly affected by the CrowdStrike Outage and relevant contracting parties, including sub-contractors, and whether legal processes will be pursued. Against this backdrop, this article explores approaches to cybersecurity in contracting arrangements and supply chains, as well as the legal issues that companies operating in Japan should consider in their contractual dealings with partners and sub-contractors.

Japan's approach to cybersecurity in contracting arrangements and supply-chains

In 2022, approximately, 43 per cent of Japanese companies reported being affected by at least one cyber incident. Despite this, only around 50 per cent of Japanese companies (as compared to approximately 80 per cent of American and Australian companies) reported understanding the cybersecurity measures adopted by their contracting parties and other parties in their supply chains, while around 90 percent consider they have insufficient cybersecurity staff resources. Additionally, approximately 51 percent of Japanese companies do not discuss cybersecurity strategies at management level meetings, choosing instead to delegate such matters to their IT departments.

Against this backdrop, the Japanese government has implemented various laws and guidelines relating to cybersecurity in the corporate sector. For example, the Cybersecurity Management Guidelines outline 10 important items of cybersecurity management, including directions to recognize cybersecurity risks, developing cybersecurity measures, and establishing an incident response team. However, it remains important for companies operating in Japan to examine the legal risks and protections in their contractual dealings to limit the impact of cyber incidents on their business arrangements. We summarise below a number of considerations that companies in Japan should bear in mind to enhance cybersecurity and resilience.

1. Use clear and detailed language that explicitly describes the situations in which notice of a cyber incident must be provided

In some cases, a company may be unsure of whether a cyber incident has occurred or if data has been stolen or altered, thus creating ambiguity about the need to provide notice as a contractual duty in addition to any broader applicable regulatory requirements requiring notice to be given. Further, complications may arise with contracting parties in corporate groups, where it could be unclear if a party indirectly affected by a cyber incident must provide notice under the notice clause. To address these issues, companies in Japan should establish clear internal protocols for incident detection and reporting, and ensure that notice clauses in contracts explicitly define the circumstances under which notice must be given, including scenarios involving corporate groups.

2. Be mindful of jurisdictional differences, and use clear and precise terms when drafting limitation of liability clauses

Depending on jurisdiction, limitation of liability clauses may only be upheld in certain agreements with certain parties (such as in business-to-business contracts, but not generally in business-to-consumer contracts). In addition, such clauses may be regarded as invalid in the event of serious breaches, wilful misconduct, bad faith or fraud, or if unreasonable or unconscionable. Therefore, clear language and definitions are paramount to properly limit the nature of losses (whether direct, consequential, or indirect), and should be reviewed regularly to comply with legal standards and avoid potential invalidation.

3. Explicitly clarify the scope of force majeure clauses, and take a wide range of risk management strategies to maximise the ability to rely on such provisions

Force majeure clauses that specify the occurrence of cyber-attacks or breaches as grounds for non-performance may not always protect a party. This can be due to issues of whether a cyber incident was truly 'unavoidable' and if all reasonable measures were taken to prevent or mitigate the same. To address these issues, companies in Japan should ensure robust internal management systems and regularly review and update their force majeure clauses to reflect current cybersecurity standards and practices or consider having standalone clauses that address cyber risk.

To learn more about these issues, or to discuss legal protections and risks in your contractual dealings with your partners and their sub-contractors, please get in touch with the authors or your usual Herbert Smith Freehills contact