New York subway travellers learned train information was not available due to the global technical outage on Friday there. Photo / Getty Images
Legal class actions seem a “real possibility” over global business and infrastructure losses during a routine but faulty security software update by CrowdStrike, says New Zealand law firm Russell McVeagh.
In a note to clients about what is being called the largest IT outage in history, the firm said that, given the nature and scale of the issues created, class actions seemed possible as losses from the Friday evening event crystallised.
“To the extent that contractual redress is limited, the viability of other claims (such as in negligence) may also be considered. Further, if any lack of readiness on the part of affected organisations exacerbated the scale or duration of the impact that the outage had on them, shareholder claims against those organisations, or their directors, are also a possibility,” the law firm said.
CrowdStrike, a Texas-headquartered company with more than 29,000 customers in 170 countries – including more than 50% of Fortune 500 companies and many government entities – at the time of the update had a market valuation of close to US$100 billion ($166b) and was reported to control around 18% of the multi-billion dollar global market for modern endpoint detection security software, Russell McVeagh told clients.
The faulty update was reported to have affected 8.5 million devices globally. Investigations on behalf of investors into possible violations of US federal securities laws by CrowdStrike had been announced.
The event had highlighted the interconnectedness of global IT systems and the cascading impact a simple routine software update could have, the firm said.
“Effective security software requires regular (often daily) updates to keep pace with ever-evolving security threats. However, updates to software which have the ability to cause widespread disruption would ordinarily be tested thoroughly in ring-fenced and simulated test environments prior to deployment so that issues such as Friday’s ‘Blue Screen of Death’ can be identified and resolved prior to rollout to live customer environments.
“Whilst uncommon for more minor updates (which CrowdStrike may have considered Friday’s update to be), the impact of CrowdStrike’s update would also have been mitigated to a large extent if deployment had been staged, such that it was only rolled out to a small number of customers first, and then to a bigger group later.
“This would have allowed any issues to be identified, the update rolled back and any fault resolved before it could cause widespread damage”, the law firm said.
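The staged deployment the firm describes, as an added illustration that is not from the article and not CrowdStrike's own tooling: a ring-by-ring rollout gate that pushes an update to a small canary audience first, halts and rolls back when that ring's crash rate exceeds a threshold, and so never reaches the wider rings. Ring names, host counts and the simulated crash telemetry are constructed.

```python
# Added example: a ring-based rollout gate, not CrowdStrike's tooling.
# Ring names, host counts and crash telemetry are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Ring:
    name: str
    hosts: int          # endpoints that receive the update in this ring
    failures: int = 0   # endpoints reported crashed after applying it

@dataclass
class RolloutPlan:
    rings: list                     # ordered from smallest audience to largest
    max_failure_rate: float = 0.01  # gate: halt the rollout if a ring exceeds this
    history: list = field(default_factory=list)  # (ring, failure rate) per ring pushed

def make_plan():
    # A small canary first, then progressively wider audiences (constructed sizes).
    return RolloutPlan([Ring("canary", 100), Ring("early", 10_000), Ring("broad", 1_000_000)])

def run_rollout(plan, observe):
    """Push the update ring by ring. `observe(ring)` returns the number of failed
    endpoints reported back from that ring (simulated telemetry here). The first
    ring that breaches the gate stops the rollout; later rings never get the update."""
    for i, ring in enumerate(plan.rings):
        ring.failures = observe(ring)
        rate = ring.failures / ring.hosts
        plan.history.append((ring.name, rate))
        if rate > plan.max_failure_rate:
            spared = [r.name for r in plan.rings[i + 1:]]
            return {"status": "rolled_back", "halted_at": ring.name, "spared": spared}
    return {"status": "complete", "halted_at": None, "spared": []}

def endpoints_affected(plan):
    """Hosts that actually received a crashing update under this plan."""
    return sum(r.failures for r in plan.rings)

def crashes_every_host(ring):
    # Simulated telemetry for a defective update: every host that gets it blue-screens.
    return ring.hosts

def compare_strategies():
    """(affected with staging, affected without staging) for the same defective update,
    i.e. how many endpoints the canary ring spares."""
    staged = make_plan()
    run_rollout(staged, crashes_every_host)
    unstaged = RolloutPlan([Ring("everyone", sum(r.hosts for r in make_plan().rings))])
    run_rollout(unstaged, crashes_every_host)
    return endpoints_affected(staged), endpoints_affected(unstaged)
```

With the constructed numbers, the same defective update reaches 100 endpoints under the staged plan versus all 1,010,100 when pushed to everyone at once.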
Questions may also be raised as to whether the large multi-national organisations most severely impacted by the outage had sufficiently robust contingency and continuity plans in place, and whether they were sufficiently prepared to implement them in response to an outage of this nature and scale.
What recourse would be available to affected organisations would depend on the details of the cause of the outage and what more could have been done to avoid it, the law firm said.
“The majority of customers will have contracted on supplier standard terms which typically provide minimal potential recourse for losses incurred as a result of outages of this nature. However, larger-scale organisations may have more contractual rights.
“For those who have been impacted via their supply chain (i.e. as a result of key suppliers who use the affected software), those agreements may be on more balanced and negotiated commercial terms, but the availability of recourse is again likely to depend on precisely what has occurred and why.”
As affected organisations mulled their options for recourse, insurance might provide a pathway, but not all those affected would hold cover for events of this nature, the firm said.
“Even those organisations with cyber insurance may find that cover is unavailable for loss caused by programming errors or, in any case, that limits are insufficient to cover the business interruption losses caused by Friday’s events.”
The firm said many commentators had suggested that if the economic and legal penalties for the disruption seen over the weekend remained minimal, companies would remain unmotivated to make fundamental changes.
“No doubt regulators and legislators the world over will be alive to the weekend’s events and considering options. Regulatory investigations will no doubt follow in some jurisdictions,” Russell McVeagh said.
“It remains to be seen whether the outage will cause legislators and regulators to consider whether additional legislation and/or regulation is required to mitigate against future widespread global crises of the nature seen over the weekend.”
The firm noted that in the UK, a new cyber security and resilience bill announced last week in a speech by King Charles sought to enforce more controls and improve infrastructure resilience in that country, with a view to avoiding issues of the nature and scale of the CrowdStrike crisis.
“We will watch with interest to see how the New Zealand Government and regulators in affected sectors... respond,” Russell McVeagh said.
“We expect that for many organisations the CrowdStrike update will refocus board and C-Suite attentions on cyber governance and incident response preparedness and planning, including to ensure that not only their own systems, but also their supply chain, are covered.”