The aftermath of the global computer system outage
“The blue screen of death” – this is what around 8.5 million computer users across the globe were faced with on Friday 19 July 2024.
Panic quickly ensued as systems went down, impacting businesses of all shapes and sizes from SMEs to the big end of town – large retailers, banks, airlines, healthcare providers, and media outlets.
Initially thought to be a hack, it soon transpired that the cause was a faulty software update issued by cybersecurity firm CrowdStrike to its Microsoft Windows customers.
What happened
Based in Austin, Texas, CrowdStrike is a cybersecurity company that provides endpoint security, threat intelligence and cyberattack response services to a wide range of customers globally.
One of its offerings is the Falcon endpoint detection and response platform. The Falcon Sensor product is designed to detect malicious threats at a computer system’s endpoints. The platform is used by millions of businesses around the world and is particularly popular among large corporates.
On 19 July 2024, the company deployed an automatic update for Falcon’s Rapid Response Content. A line of code in the software update was incompatible with the Microsoft operating system, resulting in a Windows operating system crash – the blue screen of death. Every machine running Sensor version 7.11 and above and online between 04:09 UTC and 05:27 UTC (when the update was reverted) was struck.
The code misconfiguration caused an outage that affected around 8.5 million Windows 10 PCs – about 1% of all Microsoft users.
Although a fix was issued within 90 minutes, the issues continued to impact organisations for much longer, as devices needed to be repaired manually.
It was a small software flaw caused by human error. But the repercussions were large-scale.
Impact on businesses
With systems unresponsive, the operations of many businesses were interrupted, including providers of critical services: airlines were grounded (over 3,000 flights were cancelled and 23,900 flights were delayed), banking systems like ‘tap and go’ went offline, causing supermarkets and other retailers to close, and medical systems were unable to process patients.
In some cases, businesses had to switch back to manual systems before the glitch was remedied. Remediation involved starting each affected computer in ‘safe’ mode and then removing the faulty file.
APAC and EMEA businesses were more affected as the outage occurred during work hours. In the Americas, resolving the issue often required physical access to machines or a recovery key.
Several industry experts have described the CrowdStrike outage as the largest cyber loss event since the NotPetya attacks in June 2017 (which used a form of ransomware called Petya and exploited vulnerabilities in computers around the world – resulting in an estimated US$4-10 billion in damage).
A week after the incident, CrowdStrike’s CEO said that 97% of Windows sensors were back online. Impacted businesses were left to tally the cost of the outage.
Millions of businesses had their operations interrupted, resulting in financial losses. The global outage is thought to have cost Fortune 500 companies up to US$5.4 billion, according to cloud and supply chain insurer Parametrix.
The incident not only affected CrowdStrike’s customers but also extended through third-party networks. Businesses that relied upon suppliers and other businesses which used the platform also suffered losses of revenue and, in some instances, incurred liabilities to their counterparties when they were unable to deliver on their obligations.
The fallout
In the wake of the event, CrowdStrike’s share price fell substantially given the likely significant liabilities the company would face for the losses suffered, as well as the probable loss of business and revenue.
The cybersecurity firm is also facing multiple lawsuits and legal action in various forms.
A class action by CrowdStrike’s own shareholders has been brought. The Plymouth County Retirement Association’s class action alleges that CrowdStrike “repeatedly touted the efficacy of the Falcon platform while assuring investors that CrowdStrike’s technology was ‘validated, tested, and certified’”. The complaint alleges that these claims were “false and misleading” as the company had failed to disclose that its internal controls were “deficient”, leading to the global outage and reputational loss and that, as a result, “CrowdStrike stock traded at artificially high prices”.
Delta Air Lines has also looked at legal action to recover costs and losses. The CrowdStrike outage cost Delta up to US$500 million, and the airline – whose operations were severely disrupted during the incident – is facing an investigation by the US Department of Transportation. Passengers of the airline have also filed a suit against CrowdStrike.
In addition, senior CrowdStrike executives have been required to appear before US Congress to testify on the global IT outage that occurred because of a bad company software update.
Following the incident, businesses were warned to be cautious as opportunistic cybercriminals and scammers launched phishing and social engineering attacks – purporting to be from Microsoft or CrowdStrike and exploiting the panic to gain access to systems, install malware or steal confidential information.
Meanwhile, insurers have been left to sift through claims as affected businesses seek to recover losses.
Insurance implications
It has been estimated that the disruption will generate between US$400 million and US$1.5 billion in insured losses, according to cyber analytics firm CyberCube. Other estimates put losses in the mid-to-high single-digit billions of dollars.
According to ratings agency Fitch, the insurance lines most affected include cyber insurance, business interruption (BI), and contingent business interruption or dependent business interruption. Contingent business interruption covers insured losses stemming from BI caused by interrupted or degraded service from a third-party service provider. Dependent business interruption also deals with losses resulting from BI, but extends beyond third-party service providers to offer cover when the business relies on other entities, such as suppliers or customers, for its operations. Other lines such as travel insurance, event cancellation, and technology errors and omissions (E&O) will also be impacted.
Whether businesses will be covered as they hope will depend on the policies they hold.
In some cases, those with cyber insurance will be covered, though some policies may not cover losses resulting from system downtime due to non-malicious cyber events at a third-party service provider. As the event was non-malicious, it is categorised under “system failure” within cyber policies. This type of coverage typically addresses business interruption, but coverage varies. Some policies only cover interruptions caused by network security breaches or cyber events, whereas the CrowdStrike incident was caused by defective software in an update.
In other instances, again policy dependent, there may be cover available through a BI policy. However, BI policies generally provide cover for loss of profits arising from physical damage or loss of access to property that is also insured, making them largely unsuitable to cover against cyber events.
BI policies also often feature a “deferment” period of 6 to 48 hours from the time of loss, during which the policyholder is not covered. In addition, some policies may exclude coverage for losses due to electronic software.
Businesses that face liability to counterparties because they were unable to meet commitments due to the outage may be able to rely on their professional indemnity (E&O) insurance or other liability policy, subject to their terms.
A wake-up call
The CrowdStrike incident serves as a stark reminder that not all cyber risks are posed by threat actors. Non-malicious incidents can have similarly wide-ranging impacts.
Risk assessment firm Moody’s RMS reported that, while the event was not malicious, its impact mimicked a supply chain attack: “The quickly deployed security patch dramatically spread among interconnected systems, businesses, and so on – more typical of a cyber event, where a nefarious threat actor deploys a malicious patch.”
Ratings agency AM Best noted: “One security bug or software flaw has the potential to bring down businesses… The interconnectedness of systems was on full display…and demonstrated how businesses can be brought to a standstill abruptly and on a large scale.”
While most policyholders look for cover that protects against malicious cyber incidents such as ransomware or data breaches, some will not consider the risks posed by system failures that aren’t caused by threat actors. Without considering that risk, a business may purchase inadequate cover.
The CrowdStrike incident is likely to highlight the differences in cyber policies – as some will cover the event, while others will not.
Also, some policyholders, particularly SMEs, may think they have cyber coverage via a package policy, but such a policy may not include non-malicious triggers for BI cover or extend to third-party service providers.
Businesses might look to reassess their insurance if they realise they are underinsured or exposed to certain risks. Your EBM Account Manager can assist you with risk assessment and risk mitigation options.
Mitigating risks
There are some actions a business may consider to help reduce the risks posed by similar cyber events occurring in the future. These include:
- Developing a comprehensive cyber incident response plan. The plan should include “out-of-band” communication capabilities (i.e. how team members can communicate securely when primary channels are unavailable or compromised) and focus on third-party supply chain risk management.
- Regularly testing and adapting the incident plan to address emerging risks.
- Ensuring back-up plans are in place, with data back-ups.
- Having the necessary technology and tools in place to detect and respond to cyber incidents.
- Assessing supplier reliance in case of supplier outage.
- Reviewing contracts with cybersecurity and resilience suppliers to understand whether they include provisions for service interruptions and the provider’s responsibilities and remedies.
- Reviewing insurance policies to ensure there is adequate protection for both the business’s own losses and its potential liabilities to others.
Your EBM Account Manager can discuss how different covers may respond to events such as the CrowdStrike outage and help ensure your insurance program will protect your business and your livelihood.