
Legal fallout from the CrowdStrike outage: now and in the future

The CrowdStrike outage on 19 July 2024 had a devastating impact on businesses around the world. In Australia, where the outage hit during a workday, business leaders suggest the financial impact was over $1 billion.

CrowdStrike is a global cyber security company that provides businesses with endpoint protection and cyberattack detection. The outage was caused by a defective content update to CrowdStrike's Falcon endpoint sensor on Windows hosts: the update crashed affected machines, many of which could not boot again until the faulty file was removed by hand. An IT outage of this scale is unprecedented, and it may take many weeks and months for its impacts to be fully understood and appreciated.

In the wake of the outage, governments, regulators and businesses are now considering the ongoing commercial and legal implications.

In the short term, businesses are considering if and how they might recover financial losses: lost sales and revenue from an inability to trade, and the cost of additional staff to restore IT systems. In the longer term, businesses are reassessing their procurement processes, their agreements with IT vendors and their insurance arrangements to mitigate future risk. Businesses may also face further regulatory scrutiny when engaging third-party vendors.

More broadly, at a time when technology is evolving rapidly and the speed of updates and cost reduction are top priorities, we need as a society to consider what role governments and regulators could play in protecting businesses from future outages and ensuring Australia's digital resilience.

Immediate legal implications from the CrowdStrike outage

For Australian businesses looking to recover losses from the CrowdStrike outage, there are two immediate legal considerations:

  • their liability arrangements and the recovery of losses from CrowdStrike as their IT vendor; and

  • insurance implications and whether their cyber policy or business interruption policy would apply in this scenario.

However, Australian businesses face challenges before they can extract compensation for losses.

Statutory consumer guarantees

CrowdStrike’s standard terms provide very limited warranties, limit CrowdStrike’s liability for contractual breaches to a refund of fees paid by the customer and exclude liability for loss of revenue and other consequential losses.

Some customers will have negotiated better liability arrangements with CrowdStrike, but for many customers, their best avenue of recovery may be under the Australian Consumer Law (ACL).

Statutory consumer guarantees are available to Australian businesses in certain circumstances, in particular where the goods or services purchased are valued at $100,000 or less. These include a guarantee that services will be provided with due care and skill. That guarantee may be breached where an IT vendor introduces coding errors into a software update or fails to test the update properly before deploying it onto its customers' IT systems. A business may recover its 'reasonably foreseeable losses' resulting from a 'major failure' by a vendor to comply with a statutory consumer guarantee. In certain circumstances, this may include trading and other financial losses.

Insurance arrangements

Businesses affected by the CrowdStrike outage should also carefully check their insurance position. Business interruption insurance is unlikely to respond, as it is typically triggered by physical damage to plant and equipment from defined perils. Businesses should, however, check the terms of their cyber insurance policy. While CrowdStrike stated that the incident was not caused by a malicious third-party actor, some cyber policies also cover loss arising from IT system outages more generally. The points to check are whether the policy includes non-malicious 'system failure' cover, whether that cover extends to an outage at a third-party service provider (often called dependent or contingent business interruption) rather than only the insured's own systems, and whether a waiting period or sub-limit applies to it.

Class actions

CrowdStrike's standard customer terms require customers to agree to New York governing law and arbitration in Singapore, which largely forgoes access to Australian courts in the pursuit of legal remedies.

By virtue of these arbitration clauses being embedded in the standard customer terms, a class action is likely to be challenging. Should CrowdStrike seek to enforce those agreements, any proceedings brought in Australia will be the subject of an application for a stay and for the parties to be referred to arbitration on an individual basis.

Long-term lessons for businesses

The CrowdStrike outage was caused by a software update that went wrong. The incident highlights the dangers of poor IT and cyber security practices. Businesses are increasingly focused on pushing out updates faster, particularly to address dynamic cyber threats, and on reducing IT costs. It is also becoming increasingly common to use artificial intelligence to write software code.

If businesses do not adopt safe engineering practices, including proper testing of updates before release, staged (canary) rollouts that halt when early deployments fail, and giving customers control over when updates land on their fleets, we may see more CrowdStrike-type outages in the future. Businesses should invest in sound technology governance that includes data redundancy measures and manual workarounds so that the operational impacts of IT outages are mitigated.

For businesses reconsidering their contract terms going forward, it is unlikely that IT vendors will change their standard form liability positions. All businesses need to strike a reasonable balance between risk and reward for any given customer relationship. An IT vendor is unlikely to underwrite unlimited trading losses in return for a relatively modest subscription fee from a small customer. However, large government and corporate users may have the bargaining power to negotiate more favourable risk positions in contracts.

As mentioned above, customers with a more modest spend may have the benefit of the statutory consumer guarantees under the ACL, which apply regardless of an IT vendor’s standard terms and can benefit businesses as well as individual consumers. Smaller customers may also have the benefit of the ‘unfair contract terms’ regime, which applies under the ACL to standard form contracts where small businesses meet certain thresholds.

Regardless of their size, our advice to all businesses is to undertake a holistic risk assessment of their technology environment. This includes:

  • identifying which systems are likely to have a significant impact if affected by an outage;

  • negotiating contract terms where possible to improve liability positions; and

  • building in redundancy into operations, processes and systems.

Businesses should also consider their insurance position, looking at whether their policies could cover loss arising from IT systems outages more generally – either through cyber insurance or business interruption insurance.

Increased regulatory oversight?

Currently, there is no one specific regulator of the IT industry in Australia as there is for other industries. IT vendors such as CrowdStrike must comply with generally applicable legislation, including the ACL and the Privacy Act, but do not have sector-specific regulatory oversight.

For the Australian Government, cyber security has been a major priority, with the release of the 2023-2030 Australian Cyber Security Strategy in late 2023. The Government's Security of Critical Infrastructure Act aims to protect businesses from outages caused by cyber incidents, but it does not apply to general IT outages, despite the impact this outage had on Australia's critical infrastructure. It will be interesting to see whether the Government seeks to extend the scope of the legislation to cover 'digital resilience' more broadly.

Boards and executives should be keenly aware of any third-party systems that have the potential to impact on their business operations. Some industries are required to assess the risks posed by third-party technology vendors, including from a business continuity perspective. For example, APRA’s CPS 230, which applies to APRA-regulated entities such as banks and insurers, requires that such entities:

  • establish and maintain robust risk management frameworks;
  • enhance board governance, accountability and oversight;
  • assess and mitigate operational risks;
  • develop effective business continuity management strategies; and
  • strengthen arrangements with service providers.

CPS 230 will come into effect on 1 July 2025 and will replace five current APRA standards on outsourcing and business continuity management. In the wake of the CrowdStrike outage, ensuring that APRA-regulated entities address weaknesses in their management of operational risk, such as increasing reliance on service providers, ineffective software development controls and low tolerance for disruption, will no doubt be a key priority for regulators such as APRA.

Now that we’ve seen the impact that such vulnerabilities can have on the global economy, governments and regulators are likely to step up – with additional scrutiny on digital resilience being the logical next step.


Authors

James North

Head of Technology, Media and Telecommunications

Mark Wilks

Head of Commercial Litigation

Chris Pagent

Head of Class Actions

Angelina Yurlova

Senior Associate


Tags

Technology, Media and Telecommunications Class Actions Arbitration Litigation and Dispute Resolution

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.