Business Insider has reported that customers affected by the recent CrowdStrike outage on July 19, which resulted in the Blue Screen of Death (BSOD), may only be eligible for a refund. Despite the widespread disruptions caused by CrowdStrike’s botched security update, the company’s terms and conditions limit their liability to the amount paid for the software. This means that businesses impacted by the outage may only be able to recover the cost of their CrowdStrike subscription, without compensation for lost revenue or damages unless they had negotiated a different contract beforehand.
Elizabeth Burgin Waller, chair of the Cybersecurity & Data Privacy practice at Woods Rogers, explained that CrowdStrike’s standard terms and conditions cap liability at the fees paid, restricting companies to claiming refunds even if they suffer significant business losses due to the outage. Larger companies, such as airlines or hospital chains, may have negotiated separate contracts with CrowdStrike that offer more protection, potentially holding the company accountable for a wider range of damages.
Many affected companies are turning to cyber insurance to cover the costs associated with the outage, including expenses related to installing the fix, lost productivity, addressing customer issues, and potential legal fees. Cyber insurance policies often cover contingent business interruption or dependent business interruption, allowing businesses to recoup damages from third-party cybersecurity companies they rely on, potentially including CrowdStrike’s Falcon software.
However, some cyber insurance policies may only cover situations involving malicious events like hacking, not software glitches. Waller predicts that legal challenges from shareholders, customers seeking greater compensation, and a possible investigation from the Securities and Exchange Commission (SEC) may be on the horizon for CrowdStrike. As a publicly traded company, CrowdStrike is required to file an 8-K report with the SEC detailing the cause of the Falcon update malfunction.
The recent ruling in favor of SolarWinds, another tech security company compromised in a cyberespionage campaign, against an SEC lawsuit provides some insight into how CrowdStrike might navigate potential legal challenges. While they have a responsibility to update investors and the public, they may not need to disclose every intricate detail.
In the midst of these developments, Australia’s Minister for Cyber Security, Clare O’Neil, has issued warnings about potential scams related to the CrowdStrike outage, urging Australians to be cautious of suspicious communications offering assistance. O’Neil emphasized the importance of protecting vulnerable individuals from scams and encouraged reporting any suspicious activities through Scamwatch.
Overall, the aftermath of the CrowdStrike outage continues to unfold, with potential legal battles, scrutiny from regulatory authorities, and ongoing efforts to restore systems and ensure the security of affected businesses and individuals. CrowdStrike and Microsoft are reportedly working on an automatic fix for the issue, which is expected to speed up the return of affected systems across various sectors to normal operation.