In this episode, Technology Partner Tom Maasland talks with Litigation Partner Andrew Horne about the overlooked risks of ‘innocent’ cyber failures and key lessons businesses can take from CrowdStrike’s recent non-malicious cyber incident.
[00:20] Tom and Andrew discuss the CrowdStrike software update failure. They explain how a single line of incompatible code in an update designed to enhance system security led to global IT outages. Although it impacted only a small fraction of Microsoft users, the incident caused significant disruption with far-reaching consequences worldwide.
[03:41] Andrew considers the potential losses and liabilities a business might face from a non-malicious cyber failure, using the CrowdStrike incident as a case study.
[05:14] Tom and Andrew discuss potential challenges for insurance coverage in this situation, noting how many policies focus on criminal acts, leaving gaps in coverage for businesses in the event of a non-malicious cyber failure.
[08:57] Andrew then talks through regulations being introduced in New Zealand by the Reserve Bank of New Zealand and the Financial Markets Authority that will impose disclosure and reporting requirements on operators faced with a cybersecurity incident, whether malicious or not.
[12:14] Andrew suggests strategies tech-dependent businesses can adopt to mitigate risk and liability from similar incidents, including preparing detailed backup plans, implementing robust testing and phased updates, and conducting insurance reviews and contractual due diligence to understand risk exposure.
Information in this episode is accurate as at the date of recording, 22 November 2024.
Please contact Tom Maasland, Andrew Horne or our Technology team if you need legal advice and guidance on any of the topics discussed in the episode.
Additional resources
Beyond cyber crime: The increasing risk of ‘innocent’ cyber failures