From Blue Screens to Red Alerts: Initial Lessons to Be Learned from the CrowdStrike Outage
by Gregory S. Mantych (Partner) and Ana Y. Surace (Associate)
Introduction
Whether your vacation was canceled or delayed, your business ground to a halt, or – perish the thought – your mobile Starbucks order wouldn’t go through, the July 2024 CrowdStrike outage impacted everyone from the largest corporations to the single individual, and the fallout ranged from massive financial losses to sheer annoyance. The incident was a painful reminder of the interconnected dependencies at the core of our current global digital infrastructure, and that one broken link in the chain, even if only for a brief moment, can have a cascading effect with no quarter given for international borders or time of day.
While the repercussions of the outage and the lessons learned will continue to unfold across several industries, some initial consequences are already apparent for the insurance sector (cyber insurance specifically, but not exclusively). These are worth studying both now and on an ongoing basis as this landscape responds and evolves.
What Happened and How?
Founded in 2011, CrowdStrike is a Texas-based company offering cloud-based cybersecurity solutions to businesses across the globe. It focuses specifically on endpoint protection, a set of antivirus and security services aimed at protecting endpoints (i.e. computers, laptops, mobile phones, servers, etc.) that are connected to a network. Those services include threat detection and investigation, data leak prevention, and network administration. With approximately 29,000 customers – including 60% of Fortune 500 companies – the company operates in numerous industries including, but not limited to, airlines, banking, and media, with an industry-leading estimated market share of 15%-25% among large companies and $3.06 billion in revenue for the 2024 fiscal year.[1]
On July 19, 2024, operating business as usual, CrowdStrike unintentionally pushed out a flawed content update for its Falcon sensor software (a sensor configuration file, not a new sensor binary), causing a historic, global computer system outage. The faulty update affected computers running the Windows operating system together with the CrowdStrike sensor and, in essence, sent every affected machine into a crash loop that prevented it from booting normally. CrowdStrike’s Preliminary Post Incident Review, published on July 24, 2024, explains that the outage was essentially caused by a bug in one of the quality-control tools used to validate content updates before release. That tool failed to detect the defect, and once the faulty update was deployed, Windows systems running the sensor crashed.[2] According to security experts, the scale of the July 2024 CrowdStrike outage was compounded by the fact that CrowdStrike’s software runs at the most fundamental level of the operating system (as a kernel-mode driver) in order to protect against cyberattacks, so a fault in its content takes the whole system down with it.[3]
The scope of the outage was vast. Hospitals, banks, courts, and other organizations experienced major disruptions as an estimated 8.5 million Windows devices were immobilized and left with the dreaded “Blue Screen of Death.”[4] According to one analysis,[5] the CrowdStrike outage impacted 674,620 direct enterprise customers of either Microsoft or CrowdStrike, with 41% of those in the U.S. and another 27% in Europe. Aon believes that the incident will become “the most important” cyber insurance loss event since the NotPetya malware attacks of 2017, and industry experts fear that losses could run north of $5 billion.[6]
CrowdStrike quickly released steps on how to remedy any impacted system, and the procedure was ostensibly simple: boot the machine into Safe Mode (or the Windows Recovery Environment) and delete the specific problematic file, after which the sensor downloads a corrected copy on the next normal boot. But the reality is that every affected machine needed to be fixed manually and individually, by someone with hands on the keyboard or console access, and – even assuming no issues with that process – the “fix” proved in many cases to be an arduous undertaking.
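For readers who want to see what that per-machine remediation actually involves, the following PowerShell script is an added example written for this article; it is not CrowdStrike’s own script. The file pattern (C-00000291*.sys) and directory come from CrowdStrike’s published remediation guidance cited above at [2]. It assumes it is run from an elevated shell in Safe Mode, or from the Windows Recovery Environment, in which case the system volume is usually not C: and must be passed with -SystemDrive. Nothing here is automated across machines; that is precisely the limitation the article describes.

```powershell
# Added example (not CrowdStrike's own tooling): remove the faulty channel file
# behind the July 19, 2024 boot loop on one Windows host.
# Per CrowdStrike's published guidance, the culprit matches C-00000291*.sys under
# <SystemDrive>\Windows\System32\drivers\CrowdStrike; once removed, the Falcon
# sensor fetches a corrected channel file on the next normal boot.
#
# Assumptions: run elevated in Safe Mode, or from WinRE with -SystemDrive set to
# the offline Windows volume (often D: there, because WinRE itself is X:).
# Supports -WhatIf so the action can be previewed before anything is deleted.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Drive letter of the affected Windows installation, e.g. "C:"
    [string]$SystemDrive = $env:SystemDrive
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Error "CrowdStrike driver directory not found at $driverDir (wrong drive letter?)"
    exit 1
}

# Only the 291 channel file family is in scope; leave every other sensor file alone.
$candidates = @(Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File -ErrorAction Stop)
if ($candidates.Count -eq 0) {
    Write-Output "No C-00000291*.sys channel file present in $driverDir; nothing to remove."
    exit 0
}

foreach ($f in $candidates) {
    # Record name, size and UTC timestamp before deletion so the remediation
    # leaves an audit trail on each host that was touched by hand.
    Write-Output ("Found {0}  {1} bytes  written {2:u}" -f $f.Name, $f.Length, $f.LastWriteTimeUtc)
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove faulty channel file')) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Output "Removed $($f.Name)"
    }
}

Write-Output 'Done. Reboot normally; the Falcon sensor will download the corrected channel file.'
```

Running the script with -WhatIf lists the matching files without deleting them, which is a sensible first pass on a machine whose disk was mounted from recovery media. Note what the script cannot do: it cannot reach a host that will not boot, which is why the work had to be repeated at the console of each affected device.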
Impact to Businesses
The majority of CrowdStrike’s customers for the endpoint-protection category fall in the medium to large sized enterprise space, with a predominance in the IT, financial services, and healthcare sectors.[7] The healthcare and banking sectors were the hardest hit by CrowdStrike’s mishap, with estimated losses of $1.94 billion and $1.15 billion respectively, according to Parametrix, the cloud monitoring and insurance firm.[8] At the end of the day, Parametrix estimates that the outage may cost Fortune 500 companies as much as $5.4 billion in revenues and gross profit, not counting any secondary losses that may be attributed to lost productivity or reputational damage. Only a small portion, around 10% to 20%, may be covered by cyber insurance policies per the initial impact analysis.
While the “fix” was reportedly somewhat easy to deploy for most customers, some – like Delta Air Lines – struggled mightily to return to normalcy after the outage. Five days after the initial incident, Delta was still canceling flights, reimbursing customers, and facing investigations from the Department of Transportation. Exacerbating the recovery struggles was the fact that Delta’s IT teams needed to manually repair and reboot each of the affected systems, with additional time then needed for applications to synchronize and start communicating with each other.[9] Delta’s estimated losses alone are approximately $500 million, and its share price dropped 25% in the week after the incident, with billions in lost market capitalization.
Factors that May Impact Loss and Severity
Given the breadth and severity of the disruption, the likelihood that the experience of an impacted entity could translate into an insured loss can, in part, be gauged by 1) the real-time footprint of the services, and 2) the “uptime” (i.e. accessibility) those services require. In this regard, it tracks that there would be an outsized impact to companies in the IT, healthcare, banking, and aviation sectors. These are companies that provide often necessary and critical services and whose access is usually required virtually around the clock (high uptime). While by no means immune, some smaller businesses that operate in less time-critical industries could have experienced the issue but quickly solved it without significant financial loss.
However, there is a double-edged sword to a smaller company’s apparent resilience. The fix was straightforward but needed to be manually deployed computer-by-computer, with no system-wide or universal solution rollout. This could translate into hands-on work spanning several days if not longer. Many small businesses lack the resources or expertise to address that issue efficiently, and several rely on third-party providers who were undoubtedly overwhelmed. While more susceptible, larger companies typically have greater resources (expert on-site IT employees, if not entire departments) that can be dispatched en masse to address the incident. Still, some large businesses like Delta are spread so far and wide that deploying the fix quickly was not practical. Given that even a short disruption can wreak havoc with an airline, with equipment and staff spread wide and intended to be constantly moving, each hour of disruption can lengthen the recovery time and increase the loss exponentially.
Sources of Recovering Losses
While CrowdStrike’s Preliminary Post Incident Review outlines preventative steps it will take to avoid a repeat of the incident, the company’s reputation is on the line, and it will need more than $10 Uber Eats gift cards to make things right.[10] All in all, this disaster will likely haunt CrowdStrike for the foreseeable future.[11] And the company’s lawyers should expect to be busy for some time.
An understandable impulse is to ask how impacted entities will be able to recover from CrowdStrike directly, but that may be a tougher row to hoe than one assumes. Hurdles may include specific contractual language and the nature of any potential loss.
CrowdStrike’s terms and conditions[12] limit its liability to “fees paid” in the event an affected business asserts a claim for damage or lost revenue. While it is possible that larger clients negotiated more favorable terms, the standard terms and conditions appear to provide CrowdStrike with some insulation from potential claims. That kind of language may not deter some customers – especially those that sustained losses unrecoverable from other sources such as their own insurance – from making claims. Further, the filing of one lawsuit by one customer could lead to an avalanche of claims from many more of CrowdStrike’s 29,000 customers.
Non-customers that were indirectly impacted may also be considering claims. Lawyers are undoubtedly already busy recruiting potential class members for forthcoming litigation, but that path is also hampered by some obstacles. Consumers that were individually impacted (e.g. travel interruption, banking issues) may have difficulty pursuing a direct claim against CrowdStrike because they have no contractual relationship with the company. The variety of damages suffered by individuals would also make a consumer class action difficult to certify. However, if non-customers pursued claims against CrowdStrike’s customers, CrowdStrike could be brought in as a third-party defendant in any such action.
If history has proven anything, it is that the plaintiffs’ bar will doggedly pursue any paths available – especially here, where potential damages are in the billions – but it is likely that impacted businesses will first look to their own cyber insurance as their source of recovery.
What Will Cyber Insurers Do?
When – not if – policyholders turn to their cyber insurers for recovery, there will likely not be a one-size-fits-all response. Cyber policies and the surrounding market have coalesced on the types of risks to be covered, but the coverage language may still vary. Carriers offer different wordings, and different policyholders purchase different types of coverage depending on their size and needs. The specific peculiarity of this incident may itself test some of those varying coverages. So when approaching coverage, the age-old legal maxim “it depends” still applies, and each claim will need to be assessed individually in the context of the specific policy language.
Despite some variations in these terms, there are some standard types of coverage that would be implicated first under this scenario. These include any system failure or business interruption language. Some differences in language could affect the size and type of recovery. Minimum waiting periods before business interruption coverage is triggered are often 8-12 hours, but larger entities could have waiting periods of up to 24 hours. Depending on the details and timing of any outage and response, the specific waiting period should be evaluated and may limit the impact to certain policies. Other policies exclude, or at least differentiate between, malicious and non-malicious events. While the CrowdStrike incident may have the “feel” of other systemic outages perpetrated by threat actors,[13] the root cause was a flawed but innocent content update from a trusted software vendor, and that is a key difference to consider where a policy distinguishes between malicious and non-malicious acts. Contingent business interruption and contingent extra expense coverage is also potentially relevant, as it appears there was substantial impact felt “downstream.” It is common to see those terms purchased as part of an extension of coverage, and, even if purchased, their wording may vary (e.g. malicious vs. non-malicious).
Losses also may include extra and out-of-pocket expenses related to additional staffing and hours, IT remediation, legal services to prepare necessary regulatory filings, and potential reputational challenges, all of which could drive additional loss amounts.
Insurance Implications Beyond Cyber
Claims also may not be limited to cyber insurance. Directors & Officers policies may be exposed. Significant stock price drops for companies impacted by the incident may invite securities class action litigation, and shortcomings in the adequacy and timeliness of a company’s response to the incident may lead to shareholder derivative suits alleging breaches of fiduciary duty, or to inquiries from agencies questioning a company’s operational resilience, especially in the heavily regulated industries that appeared to have the most public impact (banking, aviation). There will also likely be lagging securities claims from investors alleging that disclosure of the impact of the incident was inadequate or otherwise lacking. Already, at least half a dozen law firms have posted notices soliciting participants in securities class action lawsuits. These include Pomerantz LLP[14] and Bronstein, Gewirtz & Grossman, LLC,[15] both securities class action plaintiffs’ firms. Plaintiffs’ attorneys likely smell blood in the water, even if they don’t yet know from which direction the blood is coming.
This is all in addition to specific insurance products that will certainly be pursued, including travel and event cancellation coverages.
What Happens to CrowdStrike?
Despite some of the limits of recovery noted above, CrowdStrike is unlikely to escape unscathed. In addition to any reputational stigma now associated with the company, claims from CrowdStrike’s investors could reasonably lead to a securities class action. CrowdStrike’s stock has dropped almost 25% since the outage, falling from a share price of $345 on July 18, 2024 to approximately $255 on July 26, 2024 (one week after the initial outage). This is in addition to potential derivative actions against CrowdStrike’s board for breaches of fiduciary duties.
The US House of Representatives Homeland Security Committee has sent a letter to CrowdStrike CEO George Kurtz asking him to testify before Congress. Regulatory agencies, including the SEC, will likely be making inquiries. Although, as luck may have it, on July 18, 2024, the day before the CrowdStrike outage, a federal court dismissed several claims the SEC had filed against SolarWinds arising from that company’s disclosures about its cybersecurity practices surrounding a similar (but in many respects distinguishable) 2020 incident.[16] The SEC alleged SolarWinds did not sufficiently update investors and the public about the massive scope of the fallout from a Russian cyberattack. US District Judge Paul Engelmayer ruled that the company was not required to provide the “maximum specificity” the SEC demanded.
Developments surrounding the direct impact to CrowdStrike remain to be seen and specific details about CrowdStrike’s financials and insurance coverage are currently unknown (a Form 8-K filed with the SEC on July 19, 2024 is devoid of that information beyond a brief description of the outage[17]).
Where Do We Go From Here?
The inescapable reality made painfully evident by the CrowdStrike outage is that a large percentage of organizations connect to the same digital backbone, and a single failure can lead to ripples – big or small – felt through the entire chain. While that is a fact of the modern economy, and cybersecurity professionals will certainly attempt to address the exposure in this single-point-of-failure structure, the insurance industry will respond by adjusting itself accordingly. Insurers will continue to refine their approach to inevitable risks in this complex and global network, where a Jenga block pulled from too low and precarious of a position can resonate throughout the international economy.
Notably, the frequency of these systemic events is relatively low, so there is a limited data set of historical claims; this case illustrates, in part, that the potential severity can be disastrous. The “How?”, “What?”, and “Why?” of each incident is just unique enough that past events may not necessarily be indicative of future risks, quite apart from the ever-evolving and always dynamic nature of the digital landscape itself.
Many questions will be asked and answered once the full financial impact of the outage is tallied over the coming months. While often learned the hard way, incidents such as this do serve to further develop the conversation surrounding the legal and insurance implications in our modern world. But that is of little comfort at the moment for companies coming back online or customers recovering from their disrupted summer travel plans and their canceled Orange Mocha Frappuccinos.
[2] https://www.forbes.com/sites/kateoflahertyuk/2024/07/24/crowdstrike-reveals-new-details-about-what-caused-windows-outage/; https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
[3] https://www.wsj.com/tech/crowdstrike-cybersecurity-software-global-it-outage-3ca536f6
[4] https://www.reuters.com/breakingviews/crowdstrike-cursed-grip-corporate-klutz-club-2024-07-24/
[6] https://www.insurancejournal.com/news/international/2024/07/24/785285.htm
[7] https://6sense.com/tech/endpoint-protection/crowdstrike-market-share
[9] https://www.businessinsider.com/delta-is-manually-resetting-systems-affected-by-the-it-outage-2024-7
[10] https://www.fastcompany.com/91162328/crowdstrike-offers-10-uber-eats-gift-cards-as-an-apology-for-the-outage; https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
[11] https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub
[12] https://www.crowdstrike.com/terms-conditions
[13] See e.g. the SolarWinds cyberattack in 2020 (https://www.wsj.com/articles/suspected-russian-cyberattack-began-with-a-little-known-but-ubiquitous-software-company-11608036495?mod=article_relatedinline)
[14] https://pomlaw.com/recent-case-form?type=investigative&company=CRWD
[17] https://ir.crowdstrike.com/static-files/886cd134-7556-41b0-a234-716de3425888