Liability for tech glitches is crucial. When vendor tech fails, who pays? Learn from the recent CrowdStrike outage.
Businesses rely on technology to keep their operations running, so the question of who is liable for tech glitches that disrupt those operations is more pressing than ever. In a piece published by Fortune, John Kell explores the significant consequences when a vendor’s technology fails and causes widespread operational disruption. When such failures occur, companies are left grappling with severe financial and operational impacts, raising critical questions about who should be held accountable.
When a vendor’s technology glitch disrupts a business, whether it’s a brief hiccup lasting just a few hours or a full-blown outage stretching across several days, the question of who should bear the financial burden becomes a critical issue. This question has taken on new urgency in the aftermath of last month’s major incident involving a faulty software update from the cybersecurity giant CrowdStrike, which caused widespread chaos by crashing millions of Windows-based devices. The fallout from this incident led to significant operational disruptions, lost sales, and millions of dollars spent on remediation efforts, leaving companies scrambling to restore normalcy.
The answer to who is responsible in such situations is far from straightforward. It often hinges on the intricate details buried within the contracts that businesses sign with their software vendors. These contracts can contain clauses that limit the vendor’s liability, shifting the burden back to the client. In addition, many companies purchase insurance policies specifically designed to cover operational disruptions, though these policies vary widely in terms of coverage, especially when the disruption is caused by a third-party technology provider.
What has become abundantly clear in the wake of the CrowdStrike outage is that many businesses, having been burned by this incident, are now scrutinizing their software vendor contracts with much greater rigor. They are keen to better understand who will be held accountable when technology fails and to ensure that they are not left holding the bag in the event of a similar disaster.
Michael Mainiero, the Chief Digital and Information Officer at Catholic Health Long Island, is one such executive taking proactive steps in response to the incident. Following the outage, which significantly impacted a large portion of the New York-based hospital system, Mainiero has instituted a policy of performing quarterly status checks on all vendor contracts. This move is designed to ensure that Catholic Health is fully aware of its legal standing with each vendor. Additionally, he’s making certain that his organization has an up-to-date point of contact for all its vendors, so they know exactly who to reach out to if and when another crisis occurs.
Despite these measures, Mainiero is cautious about pushing vendors to accept greater legal liability in the event of a system breakdown. He worries that doing so could inadvertently create a disincentive for vendors to provide remote software updates, fearing that any mistake could result in overwhelming legal and financial consequences, similar to what CrowdStrike is currently facing. “If you’re making it onerous for a vendor to update something, you could weaken your cybersecurity posture and increase your risk exposure,” Mainiero explains. He emphasizes that his focus is on fostering strong, collaborative relationships with vendors, which he believes are essential to working together seamlessly during a crisis and bringing systems back online as quickly as possible.
On the other hand, some companies are taking a more aggressive stance. Delta Air Lines, for instance, was forced to cancel thousands of flights as a direct result of the CrowdStrike outage. In response, Delta has announced its intention to seek $500 million in damages from CrowdStrike to cover lost revenue and additional costs incurred due to the disruption. CrowdStrike, however, has pushed back, citing its contract with Delta, which reportedly limits the company’s liability to less than $10 million—a fraction of what Delta is demanding.
Sean Scranton, a cyber risk expert at insurance provider WTW, underscores the importance of a comprehensive and collaborative approach to managing liability. He advises that a broad group of stakeholders, including the Chief Information Security Officer, legal department, risk managers, and internal auditors, should work together to craft clear and enforceable liability language in contracts with vendors. Scranton also suggests that, after conducting an initial risk assessment, companies should explore strategies to mitigate potential risks. This could include requiring additional approvals for software updates from vendors like CrowdStrike, though this added layer of human oversight could lead to increased costs for the customer. Additionally, businesses could protect themselves from the financial risks associated with software failures by taking out specialized insurance policies or by accepting the risk and developing detailed response plans for when things go awry.
“Everyone is responsible for managing risks and making sure that if incidents do occur, we keep the severity low,” Scranton emphasizes.
The CrowdStrike debacle has served as a wake-up call, revealing that many business customers may have placed too much trust in their software vendors. Asha Palmer, Senior Vice President of Compliance at software maker Skillsoft, argues that a more skeptical and vigilant approach is needed. She believes that vendors have an obligation to inform their customers about any upcoming changes to their products, including software updates and any issues encountered during the development process. However, Palmer also stresses that customers must take proactive steps to protect themselves from faulty software. “There is a mutual accountability between the vendors that service you and you being the person who is being serviced,” Palmer asserts.
From a legal perspective, the situation is further complicated by the limitations of traditional business disruption insurance. Steven Weisman, a partner at law firm McCarter & English, notes that most standard business interruption policies would not cover an event like the CrowdStrike outage. However, some specialized policies that are designed to cover cyber failures may provide reimbursement for lost revenue and additional expenses resulting from a third-party software provider’s mistakes.
Corrie Hurm, head of claims at insurance broker Embroker, adds that insurance policies covering business interruptions often have specific triggers for payouts, such as whether the event was a system outage or a cyberattack. Each type of event can result in varying levels of coverage, and companies like Delta may be required to implement their own checks and balances to ensure they are protected when things go wrong. Hurm also advises businesses to diversify their software and hardware vendors, a strategy that runs counter to the current trend among many IT leaders to streamline their vendor relationships in the name of efficiency.
“If you’re putting all your eggs in one basket and there’s an outage like this one, you have a major problem,” Hurm warns.
This article is based on and expands upon the original piece by John Kell, published by Fortune.