
Digital resilience and the CrowdStrike outage: key considerations for business

On 19 July 2024, a bug in a software update deployed by endpoint protection and cyber-attack detection company CrowdStrike triggered a global IT outage, the scale of which was unprecedented. In Australia, the outage hit during a workday, with business leaders suggesting the financial impact topped A$1 billion.

While recovering financial losses was front of mind for many businesses in the immediate aftermath of the incident, it is the longer-term, ongoing implications of the outage that now beg closer attention from boards and executives, including the likelihood of increased scrutiny and oversight from both governments and regulators.

Currently, there is no one specific regulator of the IT industry in Australia as there is for other industries. IT vendors such as CrowdStrike must comply with generally applicable legislation, including the Australian Consumer Law (ACL) and the Privacy Act 1988 (Cth) (Privacy Act), but do not have sector-specific regulatory oversight.

For the Australian Government, cyber security has been a major priority, with the release of the 2023-2030 Australian Cyber Security Strategy late last year. The Government’s Security of Critical Infrastructure Act aims to protect businesses during outages caused by cyber incidents, but it does not apply to general IT outages, despite the impact the CrowdStrike outage had on Australia’s critical infrastructure.

Boards and executives should be keenly aware of any third-party systems that have the potential to impact on their business operations. Some industries are required to assess the risks posed by third-party technology vendors, including from a business continuity perspective. For example, the Australian Prudential Regulation Authority’s (APRA) CPS 230, which applies to APRA-regulated entities such as banks and insurers, requires that such entities:

  • establish and maintain robust risk management frameworks;
  • enhance board governance, accountability and oversight;
  • assess and mitigate operational risks;
  • develop effective business continuity management strategies; and
  • strengthen arrangements with service providers.

CPS 230 will come into effect on 1 July 2025 and will replace five current APRA standards on outsourcing and business continuity management. In the wake of the CrowdStrike outage, ensuring that APRA-regulated entities address vulnerabilities in their management of operational risk such as the increasing reliance on service providers, ineffective software development controls and low disruption tolerance will no doubt be a key priority for regulators such as APRA.

Now that we’ve seen the impact that such vulnerabilities can have on the global economy, governments and regulators are likely to step up – with additional scrutiny on digital resilience being the logical next step. There have already been calls at the Federal Government level to ensure the resilience of digital technologies in Australia, with Shadow Digital Economy Minister Paul Fletcher calling for stronger and more confident regulation of the technology sector. Following the recent Optus mobile network outage, Minister for Communications The Hon Michelle Rowland MP has directed the Australian Communications and Media Authority to make enforceable industry standards to improve how telecommunications companies communicate with customers during major outages. While the directive is limited to telecommunications companies, this step demonstrates the Federal Government’s commitment to improving the digital resilience of the Australian economy.

Outside of Australia, there is likewise no precedent for regulating digital resilience beyond the financial sector. Similarly to CPS 230, the European Union’s Digital Operational Resilience Act will aim to ensure the ‘operational resilience’ of banks and insurance companies and their information and communications technology service providers from January 2025.

Broader regulation of digital resilience therefore seems unlikely at this stage and, in our view, digital resilience is a subject matter that is best dealt with through prudent technology governance by appropriately skilled and well-advised boards and executives.

Ongoing digital resilience considerations for businesses

To ensure digital resilience and mitigate the risks posed by future IT outages in the longer term, businesses should carefully consider the following:

  1. Agreements with IT vendors. For businesses reconsidering their contract terms going forward, it is unlikely that IT vendors will change their standard form liability positions. All businesses need to strike a reasonable balance between risk and reward for any given customer relationship. An IT vendor is unlikely to underwrite unlimited trading losses in return for a relatively modest subscription fee from a small customer. However, large government and corporate users may have the bargaining power to negotiate more favourable risk positions in contracts. Customers with a more modest spend may have the benefit of the statutory consumer guarantees under the ACL, which apply regardless of an IT vendor’s standard terms and can benefit businesses as well as individual consumers. Smaller customers may also have the benefit of the unfair contract terms regime, which applies under the ACL to standard form contracts where small businesses meet certain thresholds.

  2. Technology governance. The CrowdStrike outage was caused by a coding update that went wrong and highlighted the dangers of poor IT and cyber security practices. Businesses are becoming focused on pushing out updates faster, particularly to address dynamic cyber threats, and reducing IT costs. It is also becoming increasingly common to use artificial intelligence to write software code. If businesses do not adopt safe coding practices, including proper software testing and phased rollouts, we may see more CrowdStrike-type outages in the future. Businesses should invest in sound technology governance that includes data redundancy measures and manual workarounds to ensure that the operational impacts of IT outages are mitigated.

  3. Insurance arrangements. Businesses should also consider their insurance position, looking at whether their policies could cover loss arising from IT systems outages more generally – either through cyber insurance or business interruption insurance.

  4. Class actions. CrowdStrike customers are required to agree to New York governing law and arbitration in Singapore. This largely forgoes access to Australian courts in the pursuit of legal remedies. Because these arbitration clauses are embedded in the standard customer terms, a class action is likely to be challenging. Should CrowdStrike seek to enforce those agreements, any proceedings brought in Australia will be the subject of an application for a stay and for the parties to be referred to arbitration on an individual basis.

***

Regardless of their size, all businesses should undertake a holistic risk assessment of their technology environment. This includes:

  • identifying which systems are likely to have a significant impact if affected by an outage;
  • negotiating contract terms where possible to improve liability positions; and
  • building redundancy into operations, processes and systems.

Authors

James North

Head of Technology, Media and Telecommunications

Mark Wilks

Head of Commercial Litigation

Chris Pagent

Head of Class Actions

Angelina Yurlova

Senior Associate


This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.