
Navigating risk: lessons from the CrowdStrike outage

Posted: 19/08/2024


Whether you are an SME or a large organisation, establishing supply chain resilience is critical, as a business is only as strong as its weakest link.

CrowdStrike’s recent faulty technical update caused 8.5 million computers running Microsoft Windows to crash, grounding flights, taking broadcasters off the air and clogging up health systems. CrowdStrike claimed that the outage was caused by a bug in its content validator.

The CrowdStrike outage is reminiscent of another recent outage of major websites, including The New York Times, Amazon and The Guardian, which was also due to a bug, this time at the cloud computing company Fastly.

In both these cases, no third-party cyber-attacks were involved (at least not as far as we know). Both CrowdStrike and Fastly appear to have fallen over their own feet as a result of a failure of quality assurance around bug fixing and testing.

This article explores what can be done to prevent such failings, and how to deal with these issues if and when they arise, including the potential legal and regulatory challenges businesses may face, who they can hold liable, and how to claim reputational damages, along with strategies to mitigate these risks.

What can we do to prevent such failings in the future?

Organisations should have a register of all their third-party solution suppliers (this is no small task) and a clear view of which are their critical providers.

From a legal perspective, organisations should upgrade their critical supply agreements by applying an operational resilience lens to them. Absent specific sectoral legislation, it falls to the customer to contractually express the minimum levels of operational resilience required of a supplier.

Run joint incident simulations with critical suppliers to ensure both teams know how to collaborate and identify gaps in resilience, and are able to respond quickly to outages. These steps may not prevent outages in a supply chain, but they will put an organisation in a much stronger position to deal with them when they occur.

Mitigating the risks

Organisations should also ensure that they mitigate other risks which could arise from a software failure.

Legal liability
When a systems outage occurs, determining liability can be complex. Businesses may seek to hold the supplier liable for any damages incurred. This typically involves examining the terms of the supply agreement or contract. Key factors include:

  • Service level agreements (SLAs): these define the provider’s obligations and the remedies available in case of a breach. Businesses should ensure their SLAs include clear terms regarding uptime guarantees, response times, and compensation for service failures.
  • Negligence: if the provider failed to exercise reasonable care in delivering its services, it might be held liable for negligence. This requires proving that the provider’s actions or inactions directly caused the damages.
  • Breach of contract: if the provider fails to meet the contractual obligations, businesses can pursue a breach of contract claim. This involves demonstrating that the provider did not fulfil the agreed-upon terms.

Regulatory issues
Where outages are caused by cybersecurity incidents, these can trigger various regulatory challenges, depending on the jurisdiction and industry. Key regulatory issues include:

  • Data protection laws: regulations like the General Data Protection Regulation (GDPR) in the UK (which is implemented by the Data Protection Act 2018) and the EU, and the California Consumer Privacy Act (CCPA) in the US, impose strict requirements on data protection. A breach can lead to significant fines and legal actions.
  • Notification requirements: many jurisdictions require businesses to notify affected individuals and regulatory bodies in the event of a data breach – a report in the UK must be made to the Information Commissioner’s Office within 72 hours of any such breach. Failure to comply can result in penalties and damage to the business’s reputation.
  • Industry-specific regulations: certain industries, such as finance and healthcare, have additional regulatory requirements. For example, the Financial Conduct Authority in the UK regulates financial services firms and financial markets to ensure that they operate with integrity, protect consumers, and promote competition.

Reputational damages
Reputational damage can be one of the most significant consequences of systems failure, whatever the cause. To claim reputational damages, businesses need to:

  • Document the impact: collect evidence of the incident’s impact on their reputation, such as customer complaints, lost sales, and negative media coverage.
  • Quantify the loss: estimate the financial impact of the reputational damage, including lost revenue and increased marketing costs to rebuild the brand.
  • Legal action: pursue legal action against the responsible party, if applicable, to recover damages. This may involve proving that the incident directly caused the reputational harm.

Mitigation strategies
To mitigate the risks associated with far-reaching systems outages, businesses should adopt proactive measures:

  • Conduct regular risk assessments: identify potential vulnerabilities and assess the impact of disruptions. This helps prioritise resources and recovery efforts effectively.
  • Develop incident response plans: create and regularly update incident response plans to ensure a swift and effective response to cybersecurity incidents.
  • Invest in insurance: cyber insurance can provide financial protection against losses resulting from cybersecurity incidents, and professional indemnity insurance should assist in the case of home-grown failures; ensure third-party suppliers also have appropriate insurance in place.
  • Implement robust security measures: regularly update and patch systems, conduct employee training, and use multi-factor authentication to enhance security.
  • Review third-party contracts: ensure that contracts with third-party providers include clear terms regarding liability, SLAs, and data protection obligations.

By understanding the legal and regulatory landscape and implementing robust mitigation strategies, businesses can better navigate the risks associated with network and systems incidents and protect their operations and reputation.

Fastly’s and CrowdStrike’s recent tribulations show the fragility of connected networks, and the importance of supply chain controls including quality assurance, as well as diversification of suppliers. It does not necessarily take a DDoS attack to cause huge outages. Cloud computing may give the perception of a distributed and decentralised service, but as Fastly and CrowdStrike have demonstrated, we still rely on a handful of large companies to run our digital and data infrastructure.



Penningtons Manches Cooper LLP
