The debilitating outages caused by CrowdStrike's botched security update on 19 July grounded flights, knocked out 911 call lines, and blocked patients from accessing their medical records. A closer look at the cybersecurity company's terms and conditions, however, suggests CrowdStrike may not have to shell out anything more than a simple refund.
The standard terms for CrowdStrike's Falcon endpoint security software — which is used by companies and government agencies around the world — limit the company's liability to "fees paid."
That means that if a company had a claim against CrowdStrike for the damage or lost revenue to its business, the most it could recover is just what it paid to CrowdStrike, according to Elizabeth Burgin Waller, the chair of the Cybersecurity and Data Privacy practice at Woods Rogers.
That means CrowdStrike users who signed the standard terms and conditions can't expect to get more than a refund from the company, Waller said.
"Even if they did cover that lost revenue or downtime, they limit the recovery against CrowdStrike to fees paid," Waller told Business Insider. "So whatever I paid for fees to CrowdStrike, that's what the limitation of liability would be."
Bigger companies using CrowdStrike's software — like some of the airlines or hospital chains affected — may have negotiated different terms and conditions contracts with the cybersecurity company. Those contracts aren't public, and it's possible they contain terms that would hold CrowdStrike liable for more damages, Waller said.
"If you're a huge company, you might have been able to get some negotiation around that," she said.
To cover the expenses of dealing with the CrowdStrike fallout, most companies will have to turn to their cyber insurers, Waller said. Those expenses include hiring IT staff to remediate the affected Windows machines, lost employee productivity, fixing downstream problems for customers, and, for publicly traded companies, possible legal costs of filing the securities disclosures investors are owed.
According to Waller, most cyber insurance carriers offer policies that cover "contingent business interruption" or "dependent business interruption." Those provisions cover losses a company suffers when a third party it depends on, such as a technology vendor, is disrupted. CrowdStrike's Falcon software, an endpoint agent that monitors threats on computers, could qualify as such a dependency.
"If I've got a big stop sign in front of me — terms and conditions against CrowdStrike — or if I can only get a refund, then I need to go look to my own cyber insurance policy," Waller said.
Many such policies cover only malicious events like hacking, Waller said.
"We've just got a software glitch. So I think we're going to see lawsuits filed against cyber insurance carriers for years to come, I imagine, on this outage," Waller said. "This is a pretty big, from a cyber insurance standpoint, I think this is also going to spawn a lot of litigation about what's covered and what is intended under these different policies."