
CrowdStrike Outage: Legal Experts Weigh in on Liability Implications


Post-CrowdStrike outage, we're now in what's called the "right of boom" phase -- figuring out how to recover, restore, rebuild and move toward continuous improvement. But even though we know this wasn't a cyberattack or a deliberate malicious act, many questions remain unanswered, especially from a legal and liability perspective. The first of these involves calculating the costs and determining who will ultimately be responsible for paying them.

Matthew Richardson, partner at legal firm Brown Rudnick, was himself stuck at Chicago's O'Hare airport Friday for about 11 hours due to the incident. There are still industries, including airlines, working to get back to business as usual, he added, and the full amount of the damage done may never be 'paid in full.'

"That was eight hours of my business time lost, and the place was filled with people. So, think about what the actual damages are; it's probably in the billions, and there's probably no way to cover that damage. There's certainly no way CrowdStrike could ever afford to pay that much," he said.

First, CrowdStrike must review their existing service agreements with customers, said David Derigiotis, president of brokerage and head of insurance, Flow Specialty. Pushing out a faulty code change, as happened here, would fall under errors and omissions (E&O), which is a type of liability insurance that covers claims against your business for mistakes you made or services you failed to provide. E&O insurance protects your business from claims by clients for negligence, malpractice, errors or omissions you allegedly made while providing a professional service.

"This could be a matter of E&O. Many service agreements include clauses that limit the provider's liability to a certain amount, often tied to the fees paid for the service. This limitation on liability would likely be far lower than the business interruption losses experienced by some clients," Derigiotis said.

For some businesses or individuals, insurance policies could cover business interruption and/or IT failure, which may allow for some recompense, Richardson said, but in other cases, the damage may be so substantial that it proves fatal.

"There are still folks stuck in airports for the last three days. You can't really put a number on that, so it may be a situation where the damage was so big it can never be repaired," he said.

For cyber insurance to apply in this scenario, Derigiotis said, there are two key elements that need to be reviewed within the policy. For direct clients of CrowdStrike, impacted organizations would first need to make sure business interruption coverage is listed as an insuring agreement. Second, the definition of that coverage would need language broad enough to cover a non-malicious event such as a "system failure." Business interruption coverage that is triggered only by a security incident or other intentional act would generally not apply to an unplanned system failure like the one seen in this particular incident. A bit further down the supply chain, the same elements would apply to indirect clients of CrowdStrike. Here, dependent business interruption would be at the center of coverage. This definition would also need to include a trigger for non-malicious events, such as an unintentional and unplanned interruption of computer systems, he said.

Today, the U.S. House of Representatives asked CrowdStrike's CEO George Kurtz to testify about the incident, but the outcome and consequences of such a hearing remain to be seen. There could be future regulatory and operational implications, Derigiotis said, especially for organizations in highly regulated industries.

"The CrowdStrike IT outage could have significant regulatory and operational implications for affected companies. While it was not a security breach, the incident highlights the importance of effective incident reporting, business continuity and vendor management practices," Derigiotis said. "Companies in regulated industries, such as banking, healthcare and aviation, may be required to report significant IT disruptions to regulatory bodies. The widespread impact of the CrowdStrike incident will likely trigger such reporting to agencies like the U.S. Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and others, depending on the jurisdiction and industry."

Covered healthcare entities must establish and implement contingency plans for responding to emergencies or system failures. Those that failed to do so during this incident may be called into question, he said. Regulatory bodies increasingly emphasize operational resilience, especially for critical infrastructure sectors. This incident highlights the need for meaningful contingency planning and could prompt regulators to scrutinize companies' disaster recovery and business continuity plans going forward, Derigiotis added.

And when it comes to litigation, there may be other actions taken, Richardson said.

"The most likely legal theory will be one of negligence," Richardson said. "[Congress] will drag the guy over the coals, they'll maybe implicate him and his company and put in place a negligence action. There'll maybe be a couple of plaintiffs lawyers who dig up some exceptional theory on negligence, and get some class action lawsuits going. Again, we still don't know all the facts in this case, and there are other dimensions which have not yet been fully explored, including how CrowdStrike had access to kernel level updates on the Microsoft operating system? How come Microsoft didn't have any control over these updates being pushed on their kernel?"

MSP and MSSP Liability?

For MSPs and MSSPs, the consequences are equally murky. In the legal theory of product liability, Richardson explained, everyone involved in the 'chain of commerce' is as liable as every other. However, in such an unprecedented situation, it's difficult to say exactly how MSPs and MSSPs could be culpable.

"It would be nice to have some 'precedented' times for a few minutes, right? Again, we're in a place where everything that's happened is covering new ground," Richardson said. "In a product liability sense, every person or business in that chain is liable. Now this isn't that, necessarily, because there are certain things that take it outside product liability law, but you could see the potential for some clever plaintiffs making a legal theory like this and finding a way to shoehorn it in and activate that chain of commerce legal theory. I'm not saying it would automatically be a winner, but it's possible," he warned.

In addition, Derigiotis said, the IT outage could potentially create temporary vulnerabilities for organizations that have not fully recovered. Systems that crash or become inoperable might be offline during critical security updates or monitoring periods.

"Becoming fully operable and applying necessary updates will be critical. Microsoft estimated that 8.5 million Windows devices were impacted by the CrowdStrike update. Additionally, organizations will see an increase in CrowdStrike-themed social engineering campaigns and other phishing attacks. Illegitimate domains were registered using the CrowdStrike name the moment news broke of the incident," he said.

There will likely be much greater focus on cyber insurance policies going forward, to get ahead of exactly this type of situation in the future, Richardson said. Cyber insurance policies are already becoming increasingly complex, and with such a massive incident, the chances of it not having an impact are close to zero.

"Now that everyone knows that it's happened, and it's happened in such a public way, people know it's a real risk and they have to make sure they cover those risks the right way," he said. "Cyber insurance policies already are having more exemptions made as insurance companies are as aware of the risks just as much as the [criminals] are, because the companies have to make sure that they're at least profitable. Something like this, the scale of the losses is incomprehensible," Richardson said.

Regardless, Richardson said, it'll be pretty bad for CrowdStrike -- bad enough that the company may not survive the fallout.

"The scale of it is so large that there's no way everybody will get paid. And if they get paid, it'll be pennies on the actual dollar; fractions of pennies," he said.

Sharon Florentine

Sharon manages day-to-day content on ChannelE2E and serves as senior managing editor for CyberRisk Alliance’s Channel Brands. She also covers enterprise-class technology companies, strategic alliances and channel partner strategies. Sharon is a veteran tech journalist and editor with more than 25 years experience in the industry, and has previously held key editorial, content and leadership positions at Techstrong Group, CIO.com, Ziff Davis Enterprise and CRN.