Measuring the Impact of the CrowdStrike Incident
By Beth Burgin Waller
July 24, 2024
Beth Burgin Waller is a principal and leader of the Cybersecurity and Data Privacy Practice at Woods Rogers in Virginia. She works with businesses across industries to prepare for and, if necessary, respond in the wake of cyber incidents. She may be reached at [email protected].
Published in Today’s General Counsel, August/September 2024
On July 19, 2024, the world awoke to computers awash in bluescreens, caused by a single faulty update to the Falcon sensor software of the cybersecurity provider CrowdStrike. As businesses across the globe reported serious and immediate outages to their own operations tied to the CrowdStrike incident, a second, metaphorical bombshell went off: the possible legal implications.
Customer Claims Against CrowdStrike
As with any outage or downed operations, the relevant contracts between the impacted vendor and your business are the first place to turn. In this case, CrowdStrike publishes its standard terms and conditions online (https://www.crowdstrike.com/terms-conditions/). Some companies with sufficient leverage may have negotiated a variation of these standard terms; others, as is common with software agreements, will have to trace the governing terms through a labyrinth of purchase orders and the links that were live when those orders were placed.
Standard terms often have a limitation of liability clause, which will govern unless a court holds it unenforceable. The CrowdStrike terms state they are governed by California law and leave the venue for enforcement of the terms solely in the state and federal courts of Santa Clara County, California. The terms also state that neither party shall be liable for more than “an amount that exceeds the total fees paid or payable to CrowdStrike for the relevant offering during that offering’s subscription/order.” The terms also disclaim “lost profits, revenue, lost data, or special incidental, consequential, or punitive damages.”
Unless different terms were negotiated, any claims brought against CrowdStrike will be reviewed by a court in light of these provisions, which attempt to significantly block large-scale claims against CrowdStrike.
Shareholder Claims Against CrowdStrike
In the immediate aftermath of the CrowdStrike incident, plaintiffs’ firms began advertising that they were investigating claims on behalf of CrowdStrike investors. Those claims must, of course, first secure class certification, and then a determination must be made as to whether any damages actually flow from the incident.
Impacted Businesses’ Claims Against Carriers
Also looming is the possibility that a business that experienced the CrowdStrike outage may seek redress from its own cyber insurance carrier. Those claims would be viewed under cyber insurance policy provisions related to contingent business interruption or dependent interruption. Each policy would need to be reviewed in its totality, just like a contract, examining the words and phrases used.
Already, though, the cyber insurance industry is gearing up for what will likely be years of fights over whether these provisions were intended to cover a simple software glitch versus a malicious event.
8-K and Materiality
On July 18, 2024, the day before the CrowdStrike incident, a U.S. district court issued a decision in the much-watched Securities and Exchange Commission (SEC) lawsuit against SolarWinds and its Chief Information Security Officer over the company’s pre- and post-incident communications surrounding its own 2020 cybersecurity incident. The cybersecurity industry closely watched the case because it placed pre- and post-incident public filings under a microscope, first with the SEC and ultimately with the court.
In that decision the court dismissed the majority of the lawsuit brought by the SEC. Relevant to the CrowdStrike matter, the court held that a business’s 8-K for a material incident need not be drafted with “maximal specificity,” but rather with enough detail to “convey the general severity of the situation.”
On July 22, CrowdStrike issued its own brief 8-K stating that it “released a sensor configuration update for our Falcon sensor software that resulted in outages for a number of our customers utilizing certain Windows systems (the “event”). The event was not caused by a cyberattack. We urgently mobilized teams to support the security and stability of our customers.”
CrowdStrike noted in its 8-K that the issue was identified within 78 minutes, but beyond that stated only that CrowdStrike “continues to work with impacted customers to fully restore their systems,” pointing to updates on its blog, and that “this is an evolving situation, we continue to evaluate the impact of the event on our business and operations.”
Notably, and deep in the weeds of securities law, CrowdStrike filed its 8-K under Item 8.01 (Other Events) rather than Item 1.05 (Material Cybersecurity Incidents). This may mean that CrowdStrike has not yet made a “materiality” determination as to the incident, or that it does not believe the event falls within the SEC’s definition of a “cybersecurity incident.”
Only time will tell whether CrowdStrike’s 8-K meets the SEC’s guidance, including that disclosures “consider the immediate fallout” and examine the “long-term effects on operations, finances, brand perception, and customer relationships” after an incident or the SolarWinds court’s requirement that an 8-K convey the severity of the situation. In the meantime, CrowdStrike’s CEO has been called to testify before Congress.