Microsoft and CrowdStrike outages: Legal impacts on New Zealand businesses

  • Legal update

    05 August 2024


Recent global outages affecting computers running the ubiquitous Microsoft Windows operating system have raised serious questions for New Zealand businesses about their exposure to risk. Wide-scale computer failures present multiple risks and challenges, including loss of business and revenue, and potential liabilities to customers and other counterparties.

What happened?

The most damaging recent event occurred on 19 July 2024, when a software update released by CrowdStrike caused Windows computers running its security software to crash around the world. CrowdStrike is a cybersecurity company based in Austin, Texas, that provides endpoint security, threat intelligence and cyberattack response services to a wide range of customers globally.

This particular update contained a defect which caused computers worldwide to crash and display a “blue screen of death”. Because the crash recurred on every restart, affected machines were stuck in a boot loop and could not be used until someone intervened manually. They were not, strictly, “bricked” (permanently unusable); the fix was simple but had to be applied by hand to each device. Microsoft estimated that approximately 8.5 million Windows devices were affected, less than 1% of all Windows machines, but many belonged to providers of critical services such as airlines and banks. Because of this, the consequences were widespread: airlines were grounded, banking systems such as ‘tap and pay’ went offline, resulting in closures of supermarkets and other retailers, and medical systems were unable to process patients.

The cause of all this was small. The defect was not in Windows itself but in a content update (a “channel file”) for CrowdStrike’s Falcon sensor, the component that runs inside the Windows kernel to detect attacks. When the sensor read the faulty file it crashed, and because it loads early in the start-up process it took the operating system down with it on every boot. The workaround was to start the computer in Safe Mode or the Windows Recovery Environment and delete the faulty file from the CrowdStrike driver folder. In many organisations this required IT staff, both because it needs local administrator rights and because devices protected by BitLocker disk encryption require a recovery key before the disk can be accessed at all.
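The manual workaround described above, written out as an added PowerShell example. This is not CrowdStrike’s or Microsoft’s own tooling; it follows the published manual remediation (delete the files matching C-00000291*.sys from the CrowdStrike driver folder), and it assumes local administrator rights, that the operating system volume is already unlocked (for BitLocker-protected disks, `manage-bde -unlock <drive>: -RecoveryPassword <key>` first), and that `$OsDrive` is the letter of the affected Windows volume as seen from where the script is run (usually C: in Safe Mode, often D: in the Recovery Environment). The `-Apply` switch and the dry-run behaviour are this example’s own design, added so that the file details can be recorded before anything is deleted.

```powershell
# Added example (not CrowdStrike or Microsoft code): remove the faulty
# Falcon channel file from Safe Mode or the Windows Recovery Environment.
# Assumptions: local admin rights; the OS volume is unlocked (BitLocker
# recovery key entered if needed); $OsDrive is the affected Windows volume.
param(
    [string]$OsDrive = 'C:',
    [switch]$Apply        # without -Apply the script only reports what it would delete
)

$csDir = Join-Path $OsDrive 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path $csDir)) {
    Write-Error "CrowdStrike driver folder not found at $csDir - check the drive letter."
    exit 1
}

# Only channel file 291 (the content file behind the 19 July crash) is touched.
# Per CrowdStrike's guidance the sensor fetches a corrected copy once it is back online.
$candidates = Get-ChildItem -Path $csDir -Filter 'C-00000291*.sys' -File

if ($candidates.Count -eq 0) {
    Write-Output "No C-00000291*.sys file present in $csDir - nothing to do."
    exit 0
}

foreach ($f in $candidates) {
    # Record name, size and UTC timestamp before deleting, for the incident log.
    Write-Output ("{0}  {1,8} bytes  written {2:u}" -f $f.Name, $f.Length, $f.LastWriteTimeUtc)
    if ($Apply) {
        Remove-Item -Path $f.FullName -Force
        Write-Output "Removed $($f.Name)"
    } else {
        Write-Output "Dry run: would remove $($f.Name) (re-run with -Apply to delete)"
    }
}
```

Run it once without `-Apply` to confirm the drive letter and capture the file details, then with `-Apply`, and restart normally. Keeping the recorded names and timestamps is worthwhile for the reasons discussed below: they are evidence of which devices were affected and of the remediation work done, which may matter for insurance claims or for any claim against the supplier.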

This was not a cyberattack. It was a defect in a routine update that CrowdStrike’s own checks of the content file failed to catch, and its impact was global because the file was pushed to all customers at once rather than to a small group first.

Shortly after the CrowdStrike outage, on 1 August 2024, many New Zealand Microsoft users once again found themselves unable to operate their systems because of an unrelated event that also affected Microsoft systems across the country. A “distributed denial of service” cyber-attack upon Microsoft caused problems to begin with, and many New Zealand businesses were then unable to access Microsoft Outlook and Teams, with around 3,200 outage reports logged by users. Microsoft has not confirmed the cause of the New Zealand issue, although it may have been connected to the cyber-attack.

These events display the vulnerability of businesses to failures in critical systems, and the fragility of a globally networked economy in which a single failure at one supplier can cascade through its customers and their customers in turn.

Impact for businesses

In New Zealand, the CrowdStrike event unfolded throughout the evening of Friday, 19 July and the following weekend. The National Emergency Management Agency was readied to manage the response and ensure that Fire and Emergency, police, ambulance, the Civil Aviation Authority and utility providers were able to operate. Many organisations found that they had to switch back to manual systems; the Hato Hone St John ambulance service, for example, reverted to VHF radio and paper notes.

European and American markets were impacted significantly. In the United States, thousands of flights were cancelled, leaving travellers stranded. This had flow-on effects for many other businesses. In the United Kingdom, many doctors’ surgeries and the National Health Service were unable to make appointments or access test results.

Many impacted businesses, including those who did not use CrowdStrike themselves but relied upon suppliers and others that did, suffered losses of revenue and in some instances will have incurred liabilities to their counterparties when they were unable to deliver on obligations. Those with force majeure clauses in their contracts will likely fare better than those without.

Who pays?

In the immediate aftermath of the CrowdStrike event, the market value of Microsoft was not materially changed, while the share price of CrowdStrike fell substantially. This reflected a not unreasonable view by the market that CrowdStrike was likely to face significant liabilities for the losses suffered, as well as a likely loss of business and revenue.

It appears likely that CrowdStrike will face legal action in various forms. A class action has reportedly been initiated on behalf of CrowdStrike’s own shareholders, asserting that the company made false and misleading statements about its software testing. It has also been reported that Delta Air Lines is considering litigation to recover its costs and losses.

However, there may be barriers to a satisfactory outcome for claimants outside the company who have suffered loss. One such barrier may be contractual terms and conditions that purport to limit CrowdStrike’s liability.

CrowdStrike’s standard terms and conditions provide that its liability is limited, at its option, to using efforts to re-perform incorrect services or refund fees paid for incorrect services. Its terms also provide that it will not be liable for any lost profits, lost business opportunities, lost data and other similar losses, even where they are reasonably foreseeable. It is to be expected that the effect of these terms will be tested. The standard terms and conditions contain an arbitration clause for disputes arising out of the contract, which may prevent actions being brought in claimants’ domestic jurisdictions. Where such actions can be brought, the outcome may be uncertain in jurisdictions where civil cases are decided by juries, but in jurisdictions where cases are decided by judges and contractual terms between businesses are given their intended effect, the terms may provide CrowdStrike with protection.

Even if a claimant in New Zealand was able to bring a claim in the courts here, limitation of liability clauses and exclusion clauses in contracts between non-consumers are normally given their intended effect, although there are statutory exceptions to consider. It appears that CrowdStrike was primarily a service provider to businesses. However, if it had contracted with a consumer, a strict limitation of liability clause may be seen as an attempt to avoid the service warranties implied under the Consumer Guarantees Act 1993, in which case they may not be effective. CrowdStrike is also bound by the Fair Trading Act 1986 where it offers services in New Zealand to both businesses and consumers, and there may be issues as to whether its limitation and exclusion terms may be affected by the unfair contract terms regime under that legislation. That regime applies both to consumer contracts and specified trade contracts and limits parties’ abilities to avoid liability for non-performance unfairly. However, this would likely require the Commerce Commission to apply to the Court for a declaration that CrowdStrike’s contractual terms are unfair.

If CrowdStrike’s contractual terms limiting or excluding its liability overall were not given their full effect, other terms may limit the types of losses for which it may be liable, such as exclusions of indirect and consequential loss. Businesses may claim third party expert costs incurred, such as costs of IT personnel to repair affected devices or re-route a network, as a direct loss, and whilst each particular loss is of relatively low value, these may cumulatively add up to a large amount. Consequential losses, which may include lost business opportunities or profits, will likely be more difficult to recover, although this would depend on the contract terms and the particular circumstances. 

Claims will likely be even more difficult for non-customers of CrowdStrike who do not have a direct contractual relationship. They could potentially bring an action in negligence, but any such claims would likely face challenges because of issues relating to the remoteness of the damage and the risk of exposing IT providers such as CrowdStrike to an indeterminate number of possible claimants. 

Insurance position

Affected businesses may look to their insurance policies to cover some of their losses. Whether they will be able to do so will depend upon the insurance policies they have. Cyber policies are likely to be the most relevant. However, not all cyber insurance is the same. Some cyber security policies may not cover losses resulting from system downtime due to non-malicious cyber events at a third-party network service provider. A careful analysis of each policy will be required to assess coverage in each case.

It is possible that some business interruption policies may provide limited cover, although they normally provide cover for loss of profits arising from physical damage or loss of access to property that is also insured, so they are not typically well suited to cyber events. Business interruption policies also typically feature a ‘deferment’ period of 24 to 48 hours from the time of loss, during which the insured is not covered, and they may exclude coverage for any cause arising out of electronic software. 

Businesses that face liability to counterparties because they were unable to meet commitments because of the outage may be able to rely upon their professional indemnity insurance or other liability insurance policies, depending on their terms.

CrowdStrike itself, and potentially its directors and officers if claims are made against them, will be looking to its own liability insurers for cover in respect of the claims made by shareholders.

Protection in the aftermath

Whilst most businesses are now back online and clearing backlogs, businesses hit by the outages could be vulnerable to scammers. They should be alert for approaches from anyone pretending to be from CrowdStrike or Microsoft, including unsolicited “fixes”, recovery tools or support calls. CrowdStrike itself warned of phishing and fake remediation software circulating within days of the outage. Remediation instructions should be taken only from the vendor’s official support channels, and no-one should be asked for credentials or recovery keys over the phone or by email.

Mitigating future risks

CrowdStrike’s update caused considerable damage and disruption because it was rolled out to every customer globally at the same time. Whilst regular updates of security software are important, a phased roll-out, in which an update goes first to a small group of machines and proceeds only if no crashes or other problems are reported, can confine a defect to that group rather than the whole customer base. Giving customers control over when, and to which machines, updates are applied has the same effect from the customer’s side. Technology vendors will be focussed on deployment risks from updates and will be considering strategies of this kind to avoid or mitigate them.

It is recommended that businesses wishing to understand and manage their risks consider the following steps:

  • have backup plans in place, with data backups and tested recovery procedures (including ready access to administrator credentials and BitLocker recovery keys, which were a practical obstacle to recovery in this event), in case a widespread outage occurs again;
  • consider their reliance upon suppliers and ways in which they might manage a supplier outage;
  • review their contracts with cybersecurity and resilience providers to understand whether they include provisions for service disruptions, outline the provider’s responsibilities and provide meaningful remedies; and
  • review their insurance policies and consult their brokers to ensure they have adequate protection, both for their own losses and their potential liabilities to others.

Please get in touch with one of our experts if you would like to discuss any issues arising from these events and how you can protect your firm from the legal consequences of similar events in the future. 
 

This article was co-authored by Partner Andrew Horne, and Senior Solicitor Oliver Sutton, both members in our Litigation team, with assistance from Senior Associate Libby Conole, in our Corporate and Commercial team.