Contractual Lessons Learned From the CrowdStrike Outage
The CrowdStrike incident was devastating to companies, but contractual fine print will limit what customers can recover. What are the fine print issues, and how much can you do about them?
On July 19, a bug left in a new CrowdStrike software release produced a “blue screen of death” that caused 8.5 million systems to crash. It may have cost Fortune 500 companies as much as $5.4 billion in lost revenues and gross profit, according to Parametrix, an analytics and insurance provider. Parametrix also estimates that only 10-20% of the companies affected would be covered by cyber insurance.
Once the disaster was mitigated, the knee-jerk reaction of companies was to go to their contracts and see if they could recover damages from their losses, and many were disappointed. What they found was that the fine print in the contracts they had signed excluded them from the reparations that they wanted.
The Fine Print of Vendor Contracts
When vendor-induced financial and reputational losses occur, understanding what your vendors will and won't cover is a paramount issue, especially as more organizations shift IT to the cloud. Yet few IT departments stop to consider the contractual fine-print exclusions of responsibility when they sign cloud contracts. In fact, in my own work with companies, I have discovered many small and medium-sized businesses (SMBs) in particular that can’t even find their original vendor contracts!
What the fine print of cloud and other IT vendor contracts usually says is that the vendor will make a “best effort” during a disaster or outage. The vendor also excludes itself from liability for an outage caused by what the law calls “force majeure” events beyond the vendor’s control, such as natural disasters, war, etc. The vendor promises to practice “diligence” and “due care” in its operations, although there are no uniform standards in the software industry that definitively clarify what diligence and due care require.
Now, let’s look at what happened in the CrowdStrike outage.
In an update to the company’s product, endpoint detection and response software that monitors computer activity and looks for signs of malware, CrowdStrike modified sensor configurations, and the modifications inadvertently introduced a logic error that resulted in system crashes and blue screens (BSODs) on impacted systems. CrowdStrike explained that an update of this nature was routine practice, that the error was inadvertent and unexpected, that the logic error had been expeditiously repaired, and that CrowdStrike was performing a detailed root cause analysis to determine how the error could have occurred in the first place.
Can You Sue?
Anyone can launch a legal action for tangible economic losses, but succeeding in such a lawsuit for a software bug is an open question that the legal profession, the private sector, and the public sector are struggling to answer.
From a legal perspective, theories of strict product liability or negligence may be pursued, but will they work?
In 2023, the Biden administration’s National Cybersecurity Strategy called for legislation and agency action shifting liability for insecure software onto software producers that fail to take “reasonable precautions.” That being said, there is still no firm ground on which to sue software developers for software bugs.
“There are many reasons why software has largely escaped liability to date,” said a post on Just Security, an online forum for analysis of security, democracy, foreign policy, and rights. “For one, almost all software licenses, those pages of text that users mindlessly scroll through, disclaim the producer’s liability. In addition, there exists no widely recognized legal standard that demarcates secure from insecure software development practices… Taken together, in legal terms, this means that software manufacturers have no clear-cut duty to fix bugs; there is no established standard of care to abide by; and users can’t always perceive, and the court isn’t always ready to recognize, that any harm occurred.”
What works best in these circumstances is to talk with the vendor and see what reparations, in the form of pricing discounts and other considerations, can be negotiated; many vendors are more than willing to do this in order to maintain goodwill.
Can You Get Your Cyber Insurance Policy to Pay?
There are many types of cyber insurance available to organizations. Some cover first-party damages to your data, including employee and customer information; some cover third-party liability, such as when someone brings a lawsuit against you for a cyber breach; and some cover cyberattacks on your data that is being held by vendors, according to the Federal Trade Commission. However, coverage for software bugs such as the one that occurred at CrowdStrike is a gray area.
“Policyholders will need to look for insuring clauses providing coverage for ‘system failures’ or similar,” according to Stewarts' Aaron le Marquer, head of policyholder disputes. “A peril with a broad definition, such as ‘an unintentional and unplanned interruption of computer systems’, provides wide coverage that may extend to the CrowdStrike incident; however, it may include carve-outs for system failures caused by malicious attacks or other security breaches.”
Takeaways
If reparations are to be gained in lawsuits, those in the best position to get them are large enterprises that have the ability to dictate contract terms going beyond what vendors’ generic contracts offer. Small and mid-sized companies don’t have this kind of clout. The best they can do is read the contract fine print and specifically identify a set of service level agreements (SLAs) that can be attached and integrated as appendices to the generic contract, describing the levels of performance and due care expected from a vendor in areas like mean time to recovery, a requirement to test disaster recovery and failover annually, etc.
Small and mid-sized companies should also check their files to ensure that they have contract copies for each vendor they do business with. If a contract is missing, ask the vendor for a copy.
Finally, there is a reminder for companies that do business with SaaS application vendors, such as customer relationship management (CRM) providers, which in turn employ a third-party cloud provider to host their platforms. If an outage on the platform is due to the underlying cloud provider, there isn’t much action you can take against that cloud provider, because your company isn’t in "privity" (a direct contract) with it.
This complex of legal issues affecting how IT does business with cloud and other tech vendors is still in the early stages of legal review, and the government, to its credit, is trying to address them. Meanwhile, the best practice is to ensure that you have all of your contracts on file, that you have cyber insurance protection, and that you never sign a contract with a vendor without reading the fine print first.