CrowdStrike Outage: Companies Only Liable for Refunds, Reports Suggest
21 July 2024 at 10:33
Limited Liability in CrowdStrike's Terms & Conditions
CrowdStrike's terms and conditions limit the company's liability to the amount paid for the software. This means that businesses hit by the outage wouldn't be able to claim compensation for lost revenue or damages unless they negotiated a different contract beforehand. Elizabeth Burgin Waller, chair of the Cybersecurity & Data Privacy practice at Woods Rogers, told Business Insider that the standard terms and conditions for CrowdStrike's Falcon security software cap liability at "fees paid." This translates to companies only being able to recover the cost of their CrowdStrike subscription, even if they suffer significant business losses due to the outage. "Even if they covered lost revenue or downtime, they limit the recovery against CrowdStrike to fees paid," Waller told Business Insider.
Large Companies May Have Different Agreements
Waller suggests that larger companies, such as airlines or hospital chains impacted by the outage, might have negotiated separate contracts with CrowdStrike that offer more protection. These contracts are not publicly available, but they could potentially hold CrowdStrike accountable for a wider range of damages. "If you're a huge company, you might have been able to get some negotiation around that," she said. CrowdStrike hasn't yet responded to inquiries about how it plans to enforce its terms and conditions in this situation.
Cyber Insurance May Offer Relief
According to Waller, most companies will likely turn to cyber insurance to cover the costs associated with the CrowdStrike outage. These expenses include hiring IT personnel to install the fix, lost employee productivity, addressing customer issues, and potential legal fees for publicly traded companies. Many cyber insurance policies cover "contingent business interruption" or "dependent business interruption", which allows businesses to recoup damages from third-party cybersecurity companies they rely on, potentially including CrowdStrike's Falcon software.
Potential Lawsuits and SEC Scrutiny for CrowdStrike
Waller predicts that CrowdStrike can expect legal challenges from shareholders, customers seeking greater compensation, and likely an investigation from the Securities and Exchange Commission (SEC). As a publicly traded company, CrowdStrike is obligated to file an 8-K report with the SEC within the next few days, detailing the cause of the Falcon update malfunction. Interestingly, this event comes just after a federal judge in Manhattan ruled in favor of SolarWinds, a tech security company compromised in a 2020 Russian cyberespionage campaign, against an SEC lawsuit. The SEC argued that SolarWinds failed to adequately inform investors and the public about the full extent of the hack's impact. However, Judge Paul Engelmayer disagreed, stating that the company wasn't required to provide the "maximum specificity" demanded by the SEC. This ruling offers some leeway for CrowdStrike, a $73 billion company. While they have a responsibility to update investors and the public, they might not need to disclose every intricate detail. "You need to convey the severity of what is happening, but we don't need to be really concerned about the nitty gritty details or what we don't know," Waller said.
Australian Minister Warns of Scams
Meanwhile, Australia's Minister for Cyber Security, Clare O'Neil, issued a series of tweets urging Australians to be extremely cautious of any suspicious texts, calls, or emails claiming to assist with the CrowdStrike outage. O'Neil highlighted the importance of protecting vulnerable individuals, including elderly relatives, from potential scams. She encouraged reporting suspicious communications through Scamwatch.