Some events teach us more than others. When cybersecurity vendor CrowdStrike pushed out an update to its Falcon scanning service early yesterday morning, it caused millions of computers around the world to crash in what has been deemed the “largest IT outage in history.” The outage will likely be viewed as a trigger for more cybersecurity regulation, a turning point for cybersecurity governance, and an impetus for changes to cyber insurance policies. Most importantly, these changes will not be the result of cybercriminal activity; instead, they will have been spurred on by one of the good guys.
Who is CrowdStrike and What Happened?
According to Reuters, CrowdStrike has about 29,000 customers in 170 countries. As one of the leading cybersecurity vendors, its Falcon offering is a threat detection and response service that blocks detected malware or cyber-attacks. To do this, it connects to the most privileged areas of a client’s system. Almost immediately after CrowdStrike pushed out a Falcon content update, clients running Microsoft operating systems began to crash with the Blue Screen of Death, meaning the host became inoperable.
The incident starkly highlighted the interconnected nature of today’s business operations as computers failed in critical infrastructure sectors: hospitals and health care organizations, banks, railways, airlines, 911 and government agencies, among others. Even though CrowdStrike pulled back the update within 90 minutes, its effects carried on throughout the day. The consequences of the outage cascaded, and companies that were not CrowdStrike clients were impacted if one or more of their vendors (cloud providers, software or infrastructure providers, managed service providers, etc.) were affected. The vast number of companies and people affected was shocking, and business interruption losses are certain to be high.
What Can We Expect?
The CrowdStrike outage will serve as a wakeup call for companies, governments, and the tech industry, and the lessons should not be forgotten.
The Outage Will Result in Regulation: We can expect legislators and regulators around the globe to conduct investigations, require notification of automatic updates to services like Falcon, and call for quality assurance standards, if not more. Although CrowdStrike has been careful to note that the update was not a software update, but a content update to its Falcon tool, that distinction will likely fall on deaf ears. The obvious question is: Was the content update tested before it was pushed out? Software updates have rigorous protocols and layers of approvals before a release. Cybersecurity experts are wondering how this update could have been adequately tested internally prior to its release, since it crashed client systems immediately upon release.
Cyber Governance Includes Incident Response: Nothing gets the attention of the C-suite or board like business interruption. We can expect companies to finally begin to understand that cyber governance means the board and senior executives need to be involved in cyber risk management and ensure that their systems are resilient and restorable and that their incident response plans include all vendors and are fully tested. Sherri Davidoff, CEO of LMG Security, noted that, “Most organizations were surprised that their incident response procedures failed today because their plans did not fully include all vendors or other security tools prevented them from automating the restoration process.” She added that, “Fourth- and fifth-party risks have also become very real. Much of the damage was caused because key suppliers were down, since they were dependent upon CrowdStrike.”
Cyber governance will also become an issue if shareholder or securities class action suits are filed against CrowdStrike, raising the usual claims of failure to exercise proper oversight over the cybersecurity program or failure to properly inform investors of cyber risks associated with CrowdStrike’s operations. In fact, within hours of the incident, one of the leading plaintiff law firms in these matters, Pomerantz, issued a press release stating that it was investigating claims on behalf of CrowdStrike investors.
Business Interruption Claims and Insurance Coverage Changes: We can expect organizations that incurred serious business interruption losses as a result of the outage to look to CrowdStrike for reimbursement. After all, CrowdStrike’s CEO publicly stated shortly after the incident that, “Today was not a security or cyber incident.” CrowdStrike owned its responsibility for the outage. Plaintiffs’ attorneys and risk managers likely will take note of that and try to hold CrowdStrike – and its clients – accountable for losses incurred or damages suffered due to the outage.
In turn, this could cause insurance carriers to review their policies to determine whether such third-party business interruption claims would be covered and under which policies (tech errors and omissions, cyber, corporate general liability, etc.). When carriers get nervous about broad coverage exposures, such as third-party liability, they often make wording changes to policies to protect against such claims in the future. Thus, companies will need to keep a careful eye on insurance wording with respect to cyber coverage in the full range of policies they purchase.
Looking Ahead
It is critical that we build on the lessons of the CrowdStrike outage. Post-mortems are an important component of incident response planning. LMG Security’s Davidoff notes that, “Every crisis is an opportunity; when the dust settles, everyone who was impacted should be sure to conduct a proper post-mortem analysis and learn from this impactful event.” The outage highlighted the importance of collaboration across industry sectors, public-private cooperation, and the need for global coordination on cyber incidents, whether caused by cybercriminals or by human error.
If legislators and regulators begin meaningful dialogues with affected parties about the outage before clamoring for laws and regulations, if boards and senior management launch internal initiatives on cyber risk management, and if the lawyers and insurance carriers hold back to see what settles, the lessons learned may indeed prove to be beneficial rather than just another cyber event that goes on the list.