Measuring the Impact of the CrowdStrike Incident

On July 19, 2024, the world awoke to computers awash in bluescreens, caused by a single software update from the cybersecurity software provider CrowdStrike. Simultaneously, as multiple businesses across the globe reported serious and immediate outages to their own operations related to the CrowdStrike incident, a metaphorical bombshell exploded with possible legal implications. 

Customer Claims Against CrowdStrike 

As with any outage or downed operations, the relevant contracts between the impacted vendor and your business are the first place to turn. In this case, CrowdStrike publishes its standard terms and conditions online (https://www.crowdstrike.com/terms-conditions/). Some companies with sufficient leverage may have negotiated a variation of these standard terms or may, as is often common with software agreements, examine these issues through the lens of a labyrinth of purchase orders with then-live links. 

Standard terms often have a limitation of liability clause, which will govern unless a court holds it unenforceable. The CrowdStrike terms state they are governed by California law and leave the venue for enforcement of the terms solely in the state and federal courts of Santa Clara County, California. The terms also state that neither party shall be liable for more than “an amount that exceeds the total fees paid or payable to CrowdStrike for the relevant offering during that offering’s subscription/order.” The terms also disclaim “lost profits, revenue, lost data, or special incidental, consequential, or punitive damages.” 

Unless different terms were negotiated, any claims brought against CrowdStrike will be reviewed by a court in light of these provisions, which attempt to significantly block large-scale claims against CrowdStrike.

Shareholder Claims Against CrowdStrike

In the immediate aftermath of the CrowdStrike incident, plaintiffs’ firms began advertising that they were investigating claims on behalf of investors of CrowdStrike. Those claims must, of course, secure a class, and then a determination must be made as to whether there are damages that flow from the incident. 

Impacted Businesses’ Claims Against Carriers 

Also looming is the possibility that a business that experienced the CrowdStrike outage may seek redress from its own cyber insurance carrier. Those claims would be viewed under cyber insurance policy provisions related to contingent business interruption or dependent interruption. Each policy would need to be reviewed in its totality, just like a contract, examining the words and phrases used. 

Already, though, the cyber insurance industry is gearing up for what will likely be years of fights over whether these provisions were intended to cover a simple software glitch versus a malicious event.

8K and Materiality 

The day before the CrowdStrike incident, a U.S. district court issued a decision in the much-watched Securities Exchange Commission (SEC) lawsuit against SolarWinds and its Chief Information Security Officer for the company’s pre- and post-incident communications after its 2020 own cybersecurity incident. The cybersecurity industry closely watched the case as it placed pre- and post-incident public filings under a microscope with the SEC, and ultimately, the court. 

In a decision on July 18, ironically the day before CrowdStrike’s incident, the court dismissed the majority of the lawsuit brought by the SEC. Relevant to the CrowdStrike matter, the court held that after an incident, a business does not need to issue an 8-K after a material incident with “maximal specificity” but rather with enough detail to “convey the general severity of the situation.”

On July 22, CrowdStrike issued its own brief 8K stating that it “released a sensor configuration update for our Falcon sensor software that resulted in outages for a number of our customers utilizing certain Windows systems (the “event”). The event was not caused by a cyberattack. We urgently mobilized teams to support the security and stability of our customers.” 

CrowdStrike noted in its 8-K how the issue was identified within 78 minutes but then stated only that CrowdStrike “continues to work with impacted customers to fully restore their systems” by providing updates to its blog and that “this is an evolving situation, we continue to evaluate the impact of the event on our business and operations.”

Notably, and deep in the weeds of the nuances of securities laws, CrowdStrike filed its 8-K as an Item 8.01 versus Item 1.05.  This may mean that CrowdStrike is arguing it has not yet made a “materiality” finding as to the incident or that it does not believe that the issue falls under the definition of “cybersecurity incident.”

Only time will tell whether CrowdStrike’s 8-K meets the SEC’s guidance, including that disclosures “consider the immediate fallout” and examine the “long-term effects on operations, finances, brand perception, and customer relationships” after an incident or the SolarWinds court’s requirement that an 8-K convey the severity of the situation.  In the meantime, CrowdStrike’s CEO has been called to testify before Congress.