
Costs From Global Outage Could Exceed $1B – But Determining Liability is Complex

Tech chaos: Untangling the financial fallout from CrowdStrike's global outage


Staff Writer, TLR

Published on July 24, 2024, 16:06:32


The world quickly learned that cybersecurity firm CrowdStrike was responsible for a crippling global tech outage on Friday. However, determining who will cover the cost of the damages might take significantly longer.

What one cybersecurity expert described as possibly the “largest IT outage in history” resulted in the cancellation of over 5,000 commercial airline flights worldwide and disrupted businesses from retail sales to package deliveries to hospital procedures, incurring losses in revenue, staff time, and productivity.

The issue stemmed from faulty code in CrowdStrike’s software “content update.” Unfortunately, rectifying the error proved far more time-consuming than causing it, and it could be days before all systems return to normal.

In a social media post late Sunday, CrowdStrike stated that a “significant number” of the approximately 8.5 million affected devices were back online and operational. They also issued another apology for the disruption.

While CrowdStrike has apologised, they have not indicated whether they plan to compensate affected customers. When questioned by CNN regarding potential compensation, their response did not address the matter.

Experts anticipate demands for remuneration and potentially lawsuits.

“If you’re a lawyer for CrowdStrike, you’re probably not going to enjoy the rest of your summer,” said Dan Ives, a tech analyst for Wedbush Securities.

Experts largely agree it’s too early to accurately estimate the financial impact of Friday’s global internet breakdown. However, costs could easily exceed $1 billion, said Patrick Anderson, CEO of Anderson Economic Group, a Michigan research firm specialising in estimating the economic cost of events like strikes and other business disruptions.

His firm estimates that a recent hack of CDK Global, a software firm serving US car dealerships, reached that $1 billion mark. Although that outage lasted much longer, about three weeks, it was confined to a single industry.

“This outage is affecting far more consumers and businesses, ranging from inconvenience to serious disruptions, resulting in out-of-pocket costs they can’t easily recover,” he said.

Anderson added that the costs could be particularly significant for airlines, due to lost revenue from cancelled flights and additional labour and fuel costs for the planes that did fly but faced significant delays.

Despite CrowdStrike’s prominence in the cybersecurity field, their annual revenue is just under $4 billion.

However, there may be legal protections for CrowdStrike in their customer contracts that shield them from liability, according to one expert.

“I would guess that the contracts protect them,” said James Lewis, a researcher at the Center for Strategic and International Studies.

Lewis referenced a recent case decided in favour of SolarWinds, another software company. A judge dismissed Securities and Exchange Commission charges against SolarWinds related to a Russian hack of federal government agencies in late 2020.

Lewis noted that in that case, SolarWinds faced charges for not disclosing its system’s vulnerabilities to an outside hack, not for damage caused by their own actions. Nonetheless, they won a dismissal.

Businesses affected by the outage are likely to find that traditional business interruption insurance won’t cover their losses, said Mark Friedlander, spokesman for the Insurance Information Institute.
Such policies typically require some form of physical damage to the business property for claims to be paid.

There is a separate policy for computer outages, known as Business Network Interruption policies, which might cover claims.

However, these policies sometimes only cover malicious hacks and exclude non-malicious computer issues like this one, he said.

Will Customers Stay?

It’s also unclear how many customers CrowdStrike might lose due to Friday’s incident.
Wedbush Securities’ Ives estimates less than 5% of its customers might switch to other providers.
“They’re such an entrenched player, moving away from CrowdStrike would be a gamble,” he said.

It will be challenging and costly for many customers to switch from CrowdStrike to a competitor. However, the real damage to CrowdStrike could be reputational, making it difficult to attract new customers.

“Today CrowdStrike becomes a household name, but not in a good way, and this will take time to settle down,” Ives said.

CrowdStrike CEO George Kurtz stated in an interview on Friday morning on CNBC that the firm has been focused on resolving the ongoing issues and that so far, he believes most customers have been understanding.

“My goal right now is to make sure every customer is back up and running,” he said. “I think many customers understand it’s a complex environment and staying one step ahead of the bad guys requires these content updates.”

Even if customers are understanding, it’s likely that CrowdStrike’s competitors will try to exploit Friday’s events to lure customers away.

“It’s a very competitive business. There will be salespeople from all the other companies saying, ‘This has never happened to us,’” said Eric O’Neill, a cybersecurity expert and former FBI counterintelligence operative.

“They’re an excellent company doing important work. I hope they survive this. If they don’t, the only winner will be the cybercriminals.”
