Protect your business when disaster strikes - drawing lessons from CrowdStrike

29.07.24

As has been widely reported, a routine software update deployed by CrowdStrike recently caused an incident considered by many to be the largest IT outage in history. The update reportedly affected 8.5 million Microsoft Windows devices globally, causing operational disruption to businesses across a wide range of industries.

The outage is estimated to have caused billions of pounds of losses, with insurers predicting a loss of $5.4 billion for US Fortune 500 companies alone. The sheer scale of the outage’s impact demonstrates the interconnected nature of global supply chains.

Whilst such incidents are rare, it’s important for businesses within this ecosystem to be prepared should disaster strike. In this article we consider some of the actions that can be taken, both before and after an IT incident, to mitigate the risks to your business.

Ensure that your business has appropriate insurance

The CrowdStrike incident serves as a useful reminder that businesses should consider appropriate insurance to cover losses resulting from IT outages. This may include cyber or business interruption insurance that covers both malicious and non-malicious incidents. Existing policies should be carefully reviewed to ensure that the coverage matches your organisation's appetite for risk. Consider the indemnity limits and policy conditions to assess whether your organisation is adequately protected and whether any of its BAU processes might be invalidating its existing cover.

Keep chronological records of the impacts and mitigations

You should also be alive to prospective litigation, be that a desire to bring a claim against a supplier or a requirement to defend claims from your customers. In either scenario, you should keep detailed, chronological records in the immediate aftermath of the event. When considering a prospective claim, you'll want to detail the losses you have suffered and the actions you have taken to mitigate your loss. Doing so soon after the event will make it far easier to substantiate your claim after the dust has settled.

Check contract terms on breaches, notices and dispute resolution procedures

You should also ensure you comply with any prescriptive notification requirements and/or dispute resolution procedures within your supplier's contract to protect your claim. You may simultaneously need to consider if the outage has caused you to breach the terms/service level agreement on your customer contracts and what immediate actions you can take to reduce your litigation risk. Where possible, you should keep your customers regularly updated if your services are down or you are unable to supply your goods. Doing so may enable your customers to mitigate their own losses and might reduce their appetite to advance a claim against you.

Consider whether you need to notify any regulators

Also consider if you need to notify any regulators. For example, the Information Commissioner's Office (and affected data subjects) may need to be notified if the event results in the loss, inadvertent disclosure or deletion of personal data as this could constitute a data breach under the UK GDPR. When such an incident arises, data controllers should undertake an immediate data breach risk assessment to determine whether the thresholds for notification have been met, as a reportable data breach must be notified to the ICO within 72 hours. Keep detailed records of your assessment, even if you conclude that a notification is not required.

For further advice, please contact the commercial litigation team.
