Business Insight

Blue Screen of Death: Global CrowdStrike outage is a call to action

Computer grid

    Ten key legal and risk takeaways from the CrowdStrike outage

    What you need to know

    • The global IT outage triggered by cyber security company, CrowdStrike, is a stark reminder of the importance for all organisations to have effective third party risk management.
    • The outage is also a reminder that it only takes a small lapse in security or process to trigger significant incidents, and there is a growing expectation in regulators and customers that all organisations will have mature crisis and incident readiness capabilities.
    • While the short-term impact of the global outage is mostly resolved we have yet to see how the long tail of post incident investigation, disputes and regulatory investigations might evolve. We expect to see service level agreement and contract reviews of material service providers, insurance claims, claims for damages and the need for customer remediation.

    What you need to do

    The outage is a call to action for all organisations to review essential risk management and readiness practices. Here are some key actions to consider.

    If you were directly impacted conduct a post incident review that examines:

    • impact to customers, financial losses, regulatory reporting, and potential claims and remediation, including an early assessment of customer harm;
    • effectiveness of business continuity and recovery processes; and
    • effectiveness and maturity of incident and crisis response.

    Whether or not you were directly impacted, understand and improve your resilience to similar outages in the future.

    • Review the adequacy of your material service provider management practises, your third party risk assessments and ensure the adequacy of existing risk and governance arrangements.
    • This assessment should include a contractual review of cyber clauses (proportionality tiered by supplier risk criticality), assessment and assurance of the same, and clarification of contractual accountability and liability in the event of an incident.
    • Assess and uplift the maturity of your cyber readiness capability and ensure you have "thorough and comprehensive" planning in place.
    • Include a significant third party outage in your next executive and board level simulation.
    • Review your scenario planning and ask "what if" questions: What if recovery was not as fast? What if the outage was the result of a cyber threat actor? What if there was a downstream impact on other critical service providers?
    • Use these scenarios to test critical supplier arrangements – review and update contracts and service level agreements to minimise disruption and incentivise desired responses.
    • Review whether liability cover under cyber, business interruption, professional indemnity and errors and omissions insurance policies are adequate – understand what is covered and your responsibilities.
    • As part of your response to business disruption, consider your litigation footing. Are you likely to make a claim against your suppliers? Are you customers likely to claim against you?

    The scale and suddenness of this outage is now a "foreseeable risk." Even if your organisation was not directly impacted this time, regulators and customers expect all organisations to learn the lessons and adapt. In the article below, we explore 10 key legal and risk takeaways from the CrowdStrike outage.

    Worldwide disruption

    A worldwide IT outage unfolded in the course of Thursday 18 and Friday 19 July 2024.

    Cyber security company CrowdStrike released an update to Microsoft Windows that triggered a "logic error" resulting in a system crash that impacted computer networks worldwide, disrupting payment systems, banks, airports, hospitals, retailers, energy companies – many organisations that use both Windows and CrowdStrike saw at least some level of disruption.

    The outage triggered meetings of various Government cyber and emergency management committees and warnings of the sudden rise in scammers and cyber criminals seeking to take advantage of the outage. Despite no long-term impact to critical infrastructure, speculation as to the costs of the incident is already well into the hundreds of millions of dollars, worldwide.

    In the sections below we explore 10 key legal and risk takeaways from the CrowdStrike outage.

    1. Small lapses can cause significant incidents

    While we are still waiting for the complete picture, CrowdStrike has stated that the global outage was caused by a configuration update to Windows systems that use their security platform, Falcon. The configuration update triggered a "logic error", which resulted in servers and end points (laptops and desktops) crashing and failing to restart.

    Compounding the impact for many was the use of BitLocker full-disk encryption, a sophisticated defence solution designed to prevent cyber threats, which also prevented users and IT teams from deploying the fix unless they had access to each endpoint’s unique BitLocker decryption key.

    According to CrowdStrike, customers running the software who downloaded the update between 04.09 UTC and 5.27 UTC were susceptible to a crash.

    This means that a simple update to a piece of code that was in release for a total of 78 minutes, caused a global outage that reportedly impacted 8.5 million devices worldwide.

    While the scale of incident from a seemingly minor change may seem surprising, this outage aligns with two of Ashurst's key observations from cyber post incident reviews:

    • Small lapses in processes and risk management often trigger significant incidents. Lapses can manifest in several ways. Control design and effectiveness may be inadequate, automated monitoring and alerting capabilities might be limited or circumvented, asset registers may be incomplete, and the scope of penetration testing can be insufficient.
    • Incidents almost always involve third parties. In an increasingly sophisticated and interconnected environment, a third party will often be a significant contributing factor to an outage or security incident. Visibility of third parties and fourth parties (and beyond) that play a critical role in the provision of services is essential.

    2. Regulators expect greater visibility of material services providers and operational resilience

    There is a raft of new regulations aimed at strengthening operational resilience specifically aimed at preventing and responding to disruptions such as the CrowdStrike outage to minimise harm to customers.

    The new legislation such as CPS 230 Operational Risk Management in Australia and DORA in the UK will lift the bar on the management of third parties and introduce better practice that will require organisations to adopt a risk-based approach.

    Better practice also requires an organisation to look through to the processes, risks and controls of the service provider to deliver the services the organisation relies on to provide critical operations to customers. This reinforces the principle that an entity may outsource the activity, but not the risk or accountability.

    Greater visibility will then be required of material service provider risk frameworks and their capability to manage risk to prevent such incidents. In particular, the CrowdStrike outage reminds us of the importance of understanding what best practice change management and patching looks like, and ensuring that organisations set clear expectations with material service providers on the level of testing required before patching.

    It is recognised this visibility is harder to obtain with large global players such as Microsoft where entities have limited leverage to influence them to provide information over risk management practices. New regulation currently under consultation in the UK aims to designate critical third parties (CTPs) and bring them under the supervisory remit of financial regulators, similar to European Supervisory Authorities powers under DORA.

    Even with visibility, there is no guarantee that you will be able to prevent significant incidents – you also need to be confident in your own capability to respond with appropriate contingency and continuity planning, including identifying back-up or substitute systems, processes, and service providers.

    3. Readiness is a regulatory issue

    While an incident may not be your fault, customers and regulators expect you to be able to adequately respond. Regulators across the world increasingly expect organisations to demonstrate greater levels of sophistication and maturity in incident and crisis management response. Following an incident, regulators are "marking" a company's response in relation to the effectiveness of existing plans and processes. The benchmark is to have "thorough and comprehensive planning" for significant incidents.

    Ashurst has defined ten core elements to assessing readiness maturity.

    Ashurst’s cyber readiness maturity model

    © Ashurst LLP, 2024

    Confidence versus capability in cyber readiness

    When we assess readiness with our clients, we are looking at two key measures: Capability and Confidence. Capability refers to documents, plans, and processes. Confidence refers to how effective people and teams are at execution, implementation and decision making. Measuring your confidence and capability across these ten core readiness elements is likely to demonstrate thorough and comprehensive planning.

    4. Post incident reviews are an important tool

    Post incident reviews are an important tool in improving operational resilience and regulators will be keen to understand and share lessons learned. As part of your post incident review, understand how your organisation navigated the CrowdStrike incident, and where it could do better.

    • Determine whether the outage affected a service that is critical for your clients, the market, or yourself, and whether it recovered within the maximum tolerable outage threshold assigned to the service. Consider whether your thresholds need to be reviewed based on the actual impact of the event.
    • Reflect on whether the scenario unfolded as expected and what variables did, or could, impact the recovery process. Was the incident response plan carried out successfully?
    • Review whether the event identified any vulnerabilities that had not previously been considered in the operational risk management framework.
    • If you avoided any impacts, ask why. Was it due to the risk mitigation measures in place? If not, use this experience as one of your testing scenarios for assessing the resilience of your operating model. Use any severe disruptions experienced by your peers to design the scenario test case.
    • Understand any control weaknesses and ensure there is a robust remediation plan in place.

    5. Data is a key component of operational resilience

    It’s also important to understand data impacts as part of your operational resilience.

    • During periods of downtime, prepare for system build-back and recovery. Has the incident impacted data integrity and accuracy? In addition to lost or damaged data, consider if periods of unavailability make data records unreliable.
    • Consider data integrity and accuracy as part of post-incident review.
    • Review data hosting and cloud strategies – are you introducing single points of failure by relying on single providers or technologies for critical services?

    6. Rapidly assess impacts and notify regulators

    Business disruption incidents can require regulator notifications under a range of regimes, including critical infrastructure laws, sector-specific regulation (such as in the financial sector), continuous disclosure obligations for corporations, and data protection and privacy regimes. Despite efforts to align, simplify and streamline notifications, different regimes can have quite different requirements – and business continuity and operational resilience planning need to take them into account.

    To meet regulator expectations, organisations need to:

    • understand different notification obligations and timeframes, noting that different systems and data within the same organisation may have differing and overlapping incident reporting requirements;
    • rapidly assess incidents against notification criteria – which are often related to assessments of potential harm or impact; and
    • appropriately notify regulators within mandatory time limits – and in many cases provide updates to notifications.

    While system outages are often viewed as a business continuity risk rather than a data protection or privacy breach, it should be noted that a loss of availability of personal data within the UK and EU falls within the definition of a data breach and can require notification to regulators if it presents a risk to individuals. Contrast this with Australia where although the definition is narrower (in that for a data breach to have occurred there must be unauthorised use or disclosure) the privacy regulator has taken the view that evidence that data has been stolen is not necessary for a data breach to have occurred.

    7. Supply contracts need to drive resilience and recovery

    Following the CrowdStrike incident, expect both suppliers and customers to take a closer look at contractual, liability and insurance implications (and exposures) to minimise business interruption risk, mitigate impacts, and clarify consequences of outages.

    Key issues to consider include the following.

    • Operational responsibilities – What are the business continuity or operational resilience obligations? Are they tested? Are they followed?
    • Metrics, transparency, and communication – Does your contract provide you with enough information to effectively manage critical risks? Do you know if your contractor is meeting operational resilience, business continuity or cyber security requirements? The right metrics and reporting can help identify risks before they eventuate.
    • Service Level Agreements – How have availability SLAs been drafted? Do they adequately capture emergency downtime or unplanned outages? Are any risks excluded from SLAs, such as failure by third party suppliers?
    • Compensation and liability – What compensation applies for SLA failure? Is SLA compensation the best recourse (as service credits typically carry very low compensation levels). Is SLA compensation a sole remedy? Is the answer different for catastrophic failures, or failures beyond defined tolerance levels?
    • Aligned incentives – Do SLAs, compensation, liability, operational obligations, governance, metrics, commercial terms, and other contract arrangements incentivise and support capabilities to manage material risks?
    • Excused performance and force majeure – How do provisions that excuse performance (like a force majeure regime) play out in the context of a high impact outage like the CrowdStrike incident? How does the regime interact with other obligations such as service levels (and related compensation), business continuity and disaster recovery, and obligations to deliver services?
    • Disaster recovery and business continuity – Is disaster recovery and business continuity adequately covered either in your plans or the supplier’s plans? If not, what changes need to be made going forward?
    • Managing subcontracts – Do contracts require appropriate flow-through of obligations to sub-contractors, and will they do so in contracts going forward? Do you have enough information about critical subcontractor compliance?
    • Pass through of third party terms – Do contracts incorporate or “pass through” third party supplier terms, or are obligations limited by third party terms? The answer might be quite different depending on whether a cloud service provider is considered a subcontractor or third party licensor.
    • Mapping supply chain risk – Whatever positions are reached in supply contract negotiations, understand how they map to your critical services, insurance, and downstream customer contracts. Is any gap in responsibility or liability adequately managed by other means, or does the gap present an acceptable risk?

    Exclusions and limitations of responsibility and liability allow technology suppliers to control business risk - this will be top of mind for suppliers following the CrowdStrike outage. Suppliers may be reluctant to take on additional business risk, particularly if their upstream suppliers do not take on additional risk. Negotiations depend on a strong understanding of how risks can be mitigated and controlled in practice, how various insurance policies may respond, and commercial leverage. Adopting a proportionate approach to cyber clauses is advisable. Not all third parties will create the same risk exposure for you – tiering those suppliers, informed by mapping third parties to critical process/important business services, is vital.

    8. Insurance plays an important role

    Organisations should review their cyber business interruption insurance both for cover for losses because of the CrowdStrike incident and for the adequacy of cover for potential future events. Issues to consider include:

    • the time deductible (the length of time the disruption must last before cover is triggered – typically between 6 and 24 hours)
    • adequacy of limits
    • cover for systems failures
    • cover for business interruption
    • cover for contingent (or dependant) business interruption, being an event causing business interruption to a supplier or customer which results in loss to the organisation
    • notification obligations

    The adequacy of liability cover under cyber, professional indemnity and errors and omissions policies should also be reviewed.

    Where there are actual or potential insured losses or liabilities because of the CrowdStrike incident, organisations should ensure that they follow the notification requirements in their policies.

    9. Anticipate supply chain disputes

    In the aftermath of the CrowdStrike outage, organisations and customers directly or indirectly impacted by the incident will be counting their losses and looking carefully at their contracts and insurance arrangements to understand how they might be able to recover some of their losses.

    Increasingly, organisations rely on a small number of large, cloud-based services as critical parts of supply chains. In many cases, these “linchpin” services are contracted indirectly through service providers – which can limit the visibility of critical systems and services, and the terms on which they are provided.

    Standard terms of service of large platforms will often significantly limit liability, particularly for loss to an organisation’s customers. Amounts recoverable may be limited to service level credits, or a reduction of fees paid, and insurance will be unlikely to cover all losses.

    In this environment, organisations may look to recover against other entities in the supply chain who have been unable to deliver on their obligations due to the CrowdStrike outage.

    Whether or not you have been impacted, the CrowdStrike outage is a reminder to understand exactly how liability, responsibility and risk is allocated within supply chains – does your “downstream” liability to customers align with what you can expect to recover from your “upstream” supplier contracts?

    If your organisation has been directly or indirectly impacted by the incident:

    • Consider your litigation footing – Understand that you might make or might be exposed to a claim – you may need to put a litigation hold on automated document or data destruction, put in place communications protocols (such as legal professional privilege protocols), or consider whether any post-incident investigators should be engaged on a privileged basis.
    • Look at both customer and supplier contracts – Review both “upstream” supplier and “downstream” customer contracts – understand what rights you might have in relation to your suppliers, but also understand what claims you may face from your customers and other relationships.
    • Contractual liability – Look carefully at all provisions that may limit or allocate liability, including force majeure regimes, service level regimes, indemnities, exclusion clauses, etc.
    • Notice obligations – Pay particular attention to any notification obligations – in some cases, failure to notify can impact further rights and liability (e.g. obligations to notify of the occurrence of a force majeure event or a third party claim).
    • Understand service credits and liquidated damages to which you may be entitled, or that you might be required to pay – paying particular attention to whether they are a sole remedy, or if there might be other claims.
    • Understand how proportionate liability legislation operates in the relevant jurisdiction and under your contract – could a claim be diluted where there another party (such as a technology provider) contributed to a loss?
    • Understand your insurance position.

    10. Take decisive action

    The CrowdStrike outage is a call to action in an economy increasingly dominated by highly interdependent and interconnected digital supply chains – bringing a particular focus on the role that third (or fourth) party suppliers and technologies can play in supporting critical business operations.

    In the short term, those impacted need to assess the impacts of the outage, make sure they have complied with notification, remediation and other obligations they may have under legislation or contracts, and anticipate ongoing risks arising from the outage – which may include the possibility of regulatory intervention or supply chain disputes.

    Importantly, post incident review processes can help prepare for or avoid the impacts of future outages.

    Whether or not you were impacted, inaction is not an option. All organisations are expected to learn and adapt.

    About Ashurst

    In a changing world, our vision at Ashurst is to be a highly progressive global law firm. For over 200 years we have advised corporates, financial institutions and governments on their most complex transactions, disputes and projects. We offer the reach and insight of a global network, combined with our knowledge and understanding of local markets. At Ashurst, we help our clients build cyber resilience and effective cyber risk management through a combination of legal, risk advisory and programme delivery teams. We provide end-to-end, whole-of-life-cycle expertise across cyber, data and privacy issues. Having advised on some of Australia’s most high-profile cyber incidents, we have unique insights and expertise that can improve how organisations prepare for and respond to high-impact cyber incidents, at executive and Board level.

    Read more about our cybersecurity services.

    Authors: John Macpherson, Partner, Risk Advisory; Niki Short, Partner, Risk Advisory; Rhiannon Webster, Partner; Rehana Box, Partner; Nicholas Mavrakis, Partner; Andrew Hilton, Expertise Counsel; Tharaka Boralessa, Director, Risk Advisory; Christopher Bates, Partner; Anthony Lloyd, Partner and Matthew Worsfold, Partner, Risk Advisory.

    image

    Business Insight

    Redefining Cyber Readiness

    Understand how you need to manage cyber security risk in light of the new Australian laws and heightened regulator expectations

    How to prepare

    This publication is a joint publication from Ashurst LLP, Ashurst Australia, Ashurst Risk Advisory LLP and Ashurst Risk Advisory Pty Ltd, which are all part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883 and is part of the Ashurst Group . Ashurst Risk Advisory LLP services do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. Ashurst Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales. The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services.

    Ashurst Risk Advisory Pty Ltd is proprietary company registered in Australia, and trading under ABN 74 996 309 133.

    Ashurst Risk Advisory LLP and Ashurst Risk Advisory Pty Ltd services do not constitute legal services or legal advice and are not provided by qualified legal practitioners acting in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of risk advisory (non-legal) services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com