18 September 2024

The impact of the CrowdStrike IT outage on 19 July 2024 has been significant. Many businesses have faced heavy disruption, financial losses, and operational challenges due to the outage. Legal ramifications are unfolding as affected parties seek compensation and apportionment of accountability, whilst consideration is being given to how contractual protections can be deployed to mitigate any similar incidents in the future.

In this article, we set out the implications of the incident from a regulatory perspective, alongside likely legal consequences and preventative measures that businesses should consider moving forward.

Background: “Largest IT Outage in History”

CrowdStrike, a Texas-based cybersecurity vendor, unwittingly caused an IT outage on a global scale through a routine content update to its Falcon endpoint security software (software designed to detect and block malicious activity on the devices it protects). The update itself was defective, and it was pushed to every Windows machine running the software at once; because the Falcon sensor runs at kernel level, the fault crashed those machines with a “blue screen of death” error, grounding flights and bringing office work to a halt worldwide. Microsoft estimated that 8.5 million Windows devices were hit by the faulty update.

The financial losses caused by the outage will affect businesses both directly, through their own lost business and the cost of rectification, and indirectly, through claims from third parties.

Impact: Regulatory Scrutiny of Cybersecurity

Cybersecurity has already been a key agenda topic for regulators worldwide in line with the pace and reliance on technological developments. There is increasing focus on the need to ensure that key organisations have risk management and business continuity measures in place in order to minimise widespread disruption.

In particular, the CrowdStrike incident underscores the critical need for robust third-party IT risk management; a matter addressed in the EU Digital Operational Resilience Act (DORA). Applying from 17 January 2025, DORA aims to enhance the operational resilience of financial institutions by mandating comprehensive ICT risk management frameworks that include stringent third-party risk assessments across the supply chain. The CrowdStrike incident has highlighted vulnerabilities in interconnected digital systems, demonstrating how a single faulty update can disrupt multiple sectors. DORA’s holistic approach to operational resilience is intended to ensure that these risks are better managed, emphasising the importance of understanding and mitigating dependencies on critical IT suppliers.

Whilst DORA is EU legislation and financial services sector-specific, the UK is increasingly focusing on legislation and regulation to help mitigate technology-related risks. For example, in the King’s Speech earlier this year, the UK government announced a proposal for a new Cyber Security and Resilience Bill, designed to address vulnerabilities and plug gaps in the UK’s digital resilience framework. Additionally, the UK Technology Secretary announced in September 2024 that data centres would be classified as Critical National Infrastructure, providing additional protection and support in the event of critical incidents (such as cyber-attacks) affecting this infrastructure.

Further to this, a particular regulatory aspect to note is the Network and Information Systems (NIS) regime, which exists in both the UK and the EU, albeit as separate instruments with distinct timelines. The regime is intended to enhance both the cyber and the physical security of network and information systems considered critical to national operations and resilience. The EU’s NIS2 Directive has a transposition deadline of 17 October 2024; it significantly tightens the requirements for IT security and broadens the range of organisations caught by the regime.

Whilst the EU’s NIS2 will not apply to the UK directly, the previous UK government announced in 2022 that the UK’s Network and Information Systems regime would be strengthened to align with the NIS reforms in the EU. The changes are intended to enhance cybersecurity and are expected to include a non-legislative regime in the form of a flexible, risk-based assessment, regulated by the UK Information Commissioner, who would also produce guidance on how digital service providers can ensure high levels of cyber resilience.

The cybersecurity of the financial sector has been increasingly scrutinised in recent years; for example, a new operational resilience regime took effect in the United Kingdom in March 2022, introducing requirements for UK banks and insurers to ensure that the UK financial sector is operationally resilient. The Financial Services and Markets Act 2023 includes new powers for supervisory authorities to assess the resilience of services offered by critical third-party providers (broadly, providers whose failure could pose a risk to the UK financial system, such as cloud providers), indicating increasing concern about supply chain risk management, particularly in regard to cyber resilience. The FCA has also homed in on operational threats to regulated firms, indicating in its 2023/24 Business Plan that it would be scaling up its efforts to deal with firms that could not meet the required standards of operational resilience, whilst its 2024/25 Business Plan emphasised that it would aim to tackle cyber threats and the systemic risk built up in the sector through reliance on critical third parties.

These developments indicate that there is an increasing expectation for companies to deploy strong technical and organisational security methods and review them regularly. In light of this, it will be crucial to closely examine internal contingency processes and relationships with third parties in order to ensure they are adequately secure, as well as appropriately governed.

Furthermore, the scale of the CrowdStrike outage has highlighted the need to avoid clustering of responsibility for cybersecurity within a small group of companies. 15 companies globally account for 62% of the market in cybersecurity products and services, resulting in a level of interconnectivity and therefore risk. Businesses should expect efforts to break up consolidation within the technology industry in order to dispel the systemic risk created by such concentration. As a related point, the new Digital Markets, Competition and Consumers Act 2024 has been enacted with a key intent of bolstering CMA powers to investigate competition issues in digital markets. Given the vulnerabilities in the market revealed by the CrowdStrike incident, regulators are now likely to turn their attention to the dominant positions held by cybersecurity providers specifically, in order to prevent similar incidents in the future.

The interconnectivity and concentration risk within the sector has the potential to cause financial damage to the global economy; it is highly likely that regulatory measures will be deployed to scale back the risk currently posed.

Lessons Learned: Contractual Protections

From the perspective of how businesses should, and are likely to, impose measures to mitigate the impact of future incidents of this kind, a key aspect will be how contractual provisions are drafted.

Much as COVID was a previously unforeseen scenario that led to closer consideration of Force Majeure clauses in relation to pandemics, so the CrowdStrike incident will force both customers and suppliers to think about their liability position in their contractual arrangements. Supplier contracts are likely to limit heavily the remedies available in such incidents; providers of services as expansive as cloud access and cybersecurity offerings will typically exclude liability for lost business and for compensation paid to affected third parties.

Accordingly, customers should think about how this risk could reasonably be covered off in a contract; the cost of IT technicians manually fixing devices could be addressed through the wording of warranties and indemnities from a supplier. An avenue of recovery might also lie, at a basic level, in the statutory implied terms: under the Consumer Rights Act 2015 (for consumers) and the equivalent implied term in the Supply of Goods and Services Act 1982 (for business customers), services must be provided with reasonable care and skill, which might be breached by significant coding bugs in a software update that are not adequately tested before the update is installed onto customer systems.

Lessons Learned: Mitigating Financial Damage

Other ways that businesses can mitigate the financial impact of such incidents include:

  1. sufficient Business Continuity and Disaster Recovery planning (BCDR);
  2. insurance protections; and
  3. internal risk assessments of technology ecosystems.

BCDR planning is crucial for businesses generally and will be expected in outsourcing agreements. However, special care should be taken to ensure that technology incidents, including the failure of a trusted security or infrastructure supplier, are included within this planning. Accordingly, BCDR plans should be reviewed, tested and updated on a regular basis to ensure that the latest developments are accounted for.

Insurance can also be a valuable protection. In light of the CrowdStrike incident, businesses should review their insurance coverage and ensure that foreseeable incidents are properly covered. Given the pace of technological change in this area, the fact that this particular incident might be covered does not mean that all such incidents will be; businesses should ensure that their cover for technological failure and disruption is particularly strong, given the near-universal reliance on technology across global industry.

Finally, businesses should review the practicalities of outsourcing. Consideration should be given to the level of autonomy that third-party service providers have; the CrowdStrike incident derived from a routine update that was rolled out to client systems automatically. A practical check is to ask which classes of update a supplier’s staging or deferral controls actually cover: in the CrowdStrike case, customers who had chosen to lag behind the latest sensor version still received the faulty content update, because that class of update was not subject to the same staging policy. Additionally, interconnectivity and reliance on a small group of providers should be considered; businesses should map which critical systems depend on which third parties and, where possible, remove single points of failure from that dependency chain.
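The following is an added illustration of the staging control described above, written for this article and not taken from CrowdStrike or any vendor’s product: an update is pushed ring by ring (canary, pilot, production) and halted on the first ring whose crash telemetry exceeds its budget, while an update class that the policy does not cover goes to every host at once. The fleet, ring sizes, update kinds and crash reports are all constructed.

```python
# Ring-based rollout gate (illustrative; not CrowdStrike's update mechanism).
# Host names, ring sizes, update kinds and crash telemetry are constructed.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ring:
    name: str
    hosts: tuple[str, ...]
    crash_budget: float  # fraction of the ring that may crash before we halt


@dataclass
class RolloutResult:
    deployed: list[str] = field(default_factory=list)  # hosts that received the update
    halted_at: str | None = None                        # ring where the gate tripped
    reason: str = ""


def crash_rate(ring: Ring, crash_reports: set[str]) -> float:
    """Fraction of the ring's hosts that reported a crash after the update."""
    crashed = [h for h in ring.hosts if h in crash_reports]
    return len(crashed) / len(ring.hosts)


def plan_rings(update_kind: str, staged_kinds: set[str], rings: list[Ring]) -> list[Ring]:
    """Rings the update actually passes through.

    Update kinds outside the staging policy reach every host in one step
    (a single 'all' ring with no effective budget). That gap is exactly what a
    customer should look for when reviewing a supplier's update controls.
    """
    if update_kind in staged_kinds:
        return rings
    every_host = tuple(h for r in rings for h in r.hosts)
    return [Ring("all", every_host, crash_budget=1.0)]


def roll_out(
    update_kind: str,
    staged_kinds: set[str],
    rings: list[Ring],
    crash_reports_by_ring: dict[str, set[str]],
) -> RolloutResult:
    """Push the update ring by ring, stopping at the first ring over budget."""
    result = RolloutResult()
    for ring in plan_rings(update_kind, staged_kinds, rings):
        result.deployed.extend(ring.hosts)  # the update is live on this ring now
        rate = crash_rate(ring, crash_reports_by_ring.get(ring.name, set()))
        if rate > ring.crash_budget:
            result.halted_at = ring.name
            result.reason = (
                f"{rate:.0%} of ring '{ring.name}' crashed, "
                f"budget {ring.crash_budget:.0%}; rollout halted"
            )
            return result  # later rings never receive the update
    return result


# Constructed fleet: 2 canary hosts, 10 pilot hosts, 100 production hosts.
RINGS = [
    Ring("canary", tuple(f"can-{i}" for i in range(2)), crash_budget=0.0),
    Ring("pilot", tuple(f"pil-{i}" for i in range(10)), crash_budget=0.05),
    Ring("production", tuple(f"prd-{i}" for i in range(100)), crash_budget=0.01),
]

# Constructed policy: only "sensor" version updates are staged; "content"
# updates are not covered and therefore bypass the rings.
STAGED_KINDS = {"sensor"}

# Constructed telemetry for a faulty update that crashes every host it reaches.
FAULTY_CRASHES = {r.name: set(r.hosts) for r in RINGS}
FAULTY_CRASHES["all"] = {h for r in RINGS for h in r.hosts}


def demo() -> tuple[RolloutResult, RolloutResult]:
    """Same faulty update, once under the staging policy and once outside it."""
    staged = roll_out("sensor", STAGED_KINDS, RINGS, FAULTY_CRASHES)
    unstaged = roll_out("content", STAGED_KINDS, RINGS, FAULTY_CRASHES)
    return staged, unstaged


if __name__ == "__main__":
    staged, unstaged = demo()
    print(f"staged:   {len(staged.deployed)} hosts hit; {staged.reason}")
    print(f"unstaged: {len(unstaged.deployed)} hosts hit; halted_at={unstaged.halted_at}")
```

Run stand-alone, the staged rollout stops at the two canary hosts, whereas the same defect in an update class outside the policy reaches all 112 hosts before any telemetry can be acted on. The point for contract and outsourcing reviews is the `plan_rings` branch: staging only protects the update kinds it is actually applied to.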

Key Takeaways

Businesses rely heavily and almost universally on technology to function. This is inevitably interlinked with cybersecurity and the input of third parties. In light of the CrowdStrike incident, businesses should consider how effective their current security measures are, how well they could cope with an IT incident of this scale as it stands and how they could adapt their measures to cope better in future and build appropriate protections into their contracts with other parties. This is not only a sensible move from an internal business perspective, but such protections are likely to become regulatory requirements in future given the level of disruption caused and increasing regulatory focus on this topic.

This article was written by David Varney and Victoria McCarron.

If you have any questions or would otherwise like to discuss any issue raised in this article, please contact David Varney or another member of our Technology team.
