Don’t Let the CrowdStrike Outage Happen to You – Reboot Your Cyber Resilience Practices Now!
You did not have to travel far to hear about or experience the effects of the CrowdStrike outage. An apparently routine update developed into a significant incident that affected people worldwide, with estimated losses running into the billions of dollars; one insurer put the direct losses of US Fortune 500 companies alone at US$5.4 billion[1]. Affected organisations included airlines (boarding and ticketing), banks (transactions), retailers (point-of-sale purchases), hospitals (electronic medical records), schools (online communication with parents) and even government (authorising prescriptions).
What Happened?
In general, technology change management requires that a change is tested in a staging environment that is separate from the production systems customers actually use. Any errors, omissions, corrections or enhancements can then be dealt with before a roll-out is scheduled. Changes and updates happen in the background, and users are not affected by them.
On 19 July 2024, CrowdStrike released a content update for its Falcon Sensor product, an endpoint security agent that runs with kernel-level privileges on the computers it protects. The update contained a defect that caused the sensor’s Windows driver to crash the operating system, and an estimated 8.5 million Windows devices[2] were left in a ‘blue screen’ boot loop, unable to start normally. Such content updates are pushed from CrowdStrike’s cloud directly to customers’ computers and install automatically, so end users did not know the update was coming and, even if they had, could not have prevented the mishap. Recovery was slow because it required hands-on intervention on each affected machine (booting into Safe Mode and deleting the defective file), and devices protected by BitLocker disk encryption additionally needed their recovery keys.
Could the Outage Have Been Avoided?
At this point, it is difficult to say whether the CrowdStrike outage could have been avoided. CrowdStrike is a publicly listed company that has to comply with onerous regulatory and continuous disclosure requirements. As one of the leading global providers of cyber security products, it would not be unreasonable to expect that such an error would not occur within an organisation of its sophistication. Yet it did happen, and substantial direct financial and indirect economic losses have followed. Only time will tell whether, and how, such losses can be recouped.
What Can a Savvy Business Do?
People are aware that cyber risks can arise from deliberate, malicious attacks by third parties. Following the outage, businesses and governments should be equally vigilant about the cyber risks that arise from non-malicious, unintended errors, including errors made by their own technology providers.
Businesses should ‘dust off’ their risk management frameworks and review their technology contract and insurance governance procedures:
Technology Contracts:
- Procurement processes should include more than one provider for each critical resource.
- Transparency and due diligence in tendering processes.
- Negotiate limitation of liability and indemnity clauses that provide for sufficient compensation.
- Review service level standards and change notification periods.
Such a contract review should cover the following types of agreement:
- Intellectual Property Licensing Agreement: authorises the use of intellectual property in exchange for a fee, while the licensor retains ownership of the IP.
- Software Licensing Agreement: governs installation and use of software on the end user’s own servers.
- Software as a Service Agreement: the customer accesses software that is hosted and operated on the service provider’s servers.
- Distribution Agreement: appoints a party to resell and distribute software or intellectual property.
- Professional Services Agreement: covers the acquisition of skilled services such as software program management, coding and customisation, and web design.
Insurance Policies:
- Review your cyber insurance policy: does it cover incidents that are not malicious attacks, such as a provider’s faulty update or a system failure? As standalone cyber insurance becomes more common, it is essential to know exactly what your policy covers and excludes.
- Review your business continuation insurance policy: does it cover what you really need it to, including an outage caused by a third-party provider? This is also a good time to review and test your business continuity plan.
How Can Madison Marcus Help You?
If you need advice or assistance with your cyber resilience framework, Madison Marcus is here to help. Our Financial Services Division has extensive experience in compliance, insurance, and dispute resolution and can advise you on the necessary risk management review of your technology contracts and cyber management compliance standards.
[1] Reuters, 25 July 2024 https://www.reuters.com/technology/fortune-500-firms-see-54-bln-crowdstrike-losses-says-insurer-parametrix-2024-07-24/
[2] Microsoft, 20 July 2024, David Weston, https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/