CrowdStrike, an American cybersecurity technology company, designs software to protect computer systems from disruptions. Ironically, on 19 July 2024, its own software caused one of the biggest IT disruptions in history.
A faulty update to its Falcon sensor program crashed computers, grounded flights, paralysed hospitals and brought businesses to a standstill all over the world.
“It’s becoming clear that a large number of Australian businesses suffered significant financial losses as a result of the CrowdStrike outage,” says James North, head of Technology, Media and Telecommunications at Corrs Chambers Westgarth.
“Along with lost sales and revenue due to an inability to trade, costs could include employing additional staff to reboot IT systems.
“While the immediate focus was getting their IT systems back online and clearing order backlogs, businesses are now turning their attention to whether they can recover their losses from CrowdStrike or its insurers.”
Liability for CrowdStrike
There are many obstacles to recovering losses from CrowdStrike and other IT vendors.
“CrowdStrike’s standard terms limit its liability for contractual breaches to refunding fees paid by the customer and exclude liability for losses such as revenue,” says North.
“Customers must also agree to New York governing law and arbitration in Singapore, which means foregoing access to Australian courts.”
Analytics and insurance provider Parametrix estimates the financial loss due to the CrowdStrike outage will reach US$5.4 billion for Fortune 500 companies, excluding Microsoft.
It calculates that the ratio of insured loss to financial loss is typically in the range of 10 per cent to 20 per cent, meaning the insured loss will range from US$0.54 billion to US$1.08 billion.
Yet according to Morningstar, CrowdStrike will likely be shielded from direct financial impacts, “due in part to the software industry's licensing structure, through which standard software licenses limit the liability of the software developer, and because of insurance held [by] both CrowdStrike (CRWD) and its customers”.
Recourse to consumer law
In Australia, consumer law could be the best option for recovery.
“The statutory guarantees available to Australian businesses in certain circumstances include that services will be provided with due care and skill,” says North.
“This guarantee may be breached if an IT vendor introduces coding errors into a software update or fails to properly test the update. Importantly, a business may recover reasonably foreseeable losses resulting from a vendor’s major failure to comply with a statutory guarantee.
“In certain circumstances, this may include trading and other financial losses.”
Class action unlikely
Mark Wilks, Corrs’s head of Commercial Litigation, sees little opportunity for a class action by CrowdStrike customers.
“Arbitration clauses are embedded in the customer contracts,” he says. “If CrowdStrike enforced those agreements, any proceedings brought in Australia would be the subject of an application for a stay, and for the parties to be referred to arbitration on an individual basis.
“There’s no obvious mechanism for bringing a representative suit in an arbitration setting.”
Nevertheless, some of those affected by the outage are trying their luck. US airline Delta has threatened legal action against both CrowdStrike and Microsoft, accusing them of negligence. The carrier claims it was forced to cancel thousands of flights because of the outage and lost at least US$500 million as a result.
At the time of writing, Delta was facing a class-action lawsuit filed on behalf of impacted passengers.
Meanwhile, CrowdStrike has been sued by shareholders who said the cybersecurity company defrauded them by concealing how its inadequate software testing could cause the outage.
The right insurance
Businesses affected by the outage will need to check their insurance position carefully.
“While their business may have been interrupted, business interruption insurance is unlikely to respond as it relates to damage to physical plant and equipment through defined acts,” says Wilks. “They will also need to check the terms of any cyber insurance policy.”
Cyber insurance typically covers businesses against malicious network attacks but not necessarily system failures.
“CrowdStrike was a system failure, and there are three ways a business might be affected,” says Jeff Gonlin, head of Underwriting at Emergence Insurance.
“First, if its own IT relies on CrowdStrike Falcon for protection. Second, if they rely on an IT contractor who is affected, this may result in an interruption to the business.
“Finally, a non-IT supplier could suffer an outage due to the system failure and this could impact the supply chain, again leading to business interruption. Businesses need to be aware of the nature of these threats when they’re considering protection.”
Optional extensions and waiting periods
Petra Lucioli, group claims manager at Delta Insurance New Zealand, points out that cyber insurance products are often modular.
“Accidental damage caused by a technology vendor’s errors could well be an optional extension,” she says. “Typically, if they do have cover, policyholders would recoup business interruption, system restoration and remediation-related costs though, naturally, the amount recovered will depend on level of coverage and any excess.”
To ensure that short-term issues don’t trigger a claim, most cyber policies have a waiting period, usually between eight and 24 hours but sometimes as long as 72 hours.
Some insurers only provide cover from the end of the waiting period. For others, the end of the waiting period simply initiates cover, which is backdated to the time of the failure.
“Clearly, the length and nature of the waiting period is particularly relevant when the event itself is short-lived,” says Lucioli.
Preparing for the next event
As systems grow more complex and interconnected, it’s unlikely that the CrowdStrike incident will be the only one of its kind. Lucioli advises businesses to develop a cyber incident response plan that includes system failures.
“They should test their plan regularly with tabletop exercises and simulations then adjust their response where necessary,” she says. “Having a plan in place will also put them in a better position to obtain insurance cover.”
Emergence Insurance's Gonlin advocates a holistic approach to insurance.
“For example, we start by working with our clients to manage and reduce their risk,” he says.
“We then help them to transfer the remaining risk to a policy with broad enough cover and adequate limits. Buying cyber insurance with inadequate limits is an all-too-common mistake.”
Small businesses lacking insurance
While small businesses are less likely to run CrowdStrike and are therefore less likely to be directly affected by the outage, they’re also less likely to have any cyber insurance at all.
“There are a couple of million businesses in Australia and probably fewer than 100,000 with cyber policies in force,” says Gonlin.
“As digital technology continues to become more pervasive, it’s vital to manage the risks that come with its use. We hope this event will serve as a wake-up call so we can start to address the huge problem of under-insurance.”
Giving the right advice
What should brokers tell their clients when an incident such as the CrowdStrike outage occurs? “Simply state the facts as you know them,” says Jeff Gonlin, head of Underwriting at Emergence Insurance. “This is a known event with a known fix. The key is to implement that fix expeditiously.”
Good communication is key:
- Keep your clients updated with regular, clear communications.
- Review their policies so you’re ready to explain their cover, what they need to do and what they can expect.
- When the issue has been resolved, work with your clients to review their level of protection.