The devastating outages from CrowdStrike’s botched security update Friday grounded flights, glitched 911 call lines, and blocked patients from accessing their medical records.
But, according to the cybersecurity company’s terms and conditions, CrowdStrike doesn’t have to shell out anything more than a simple refund.
That means that if a company had a claim against CrowdStrike for the damage or lost revenue to its business, the most it could recover is just what it paid to CrowdStrike, according to Elizabeth Burgin Waller, the chair of the Cybersecurity & Data Privacy practice at Woods Rogers.
That means CrowdStrike users who signed the standard terms and conditions can’t expect to get more than a refund from the company, Waller said.
“Even if they did cover that lost revenue or downtime, they limit the recovery against CrowdStrike to fees paid,” Waller told Business Insider. “So whatever I paid for fees to CrowdStrike, that’s what the limitation of liability would be.”
Bigger companies using CrowdStrike’s software — like some of the airlines or hospital chains affected — may have negotiated different terms and conditions contracts with the cybersecurity company. Those contracts aren’t public, and it’s possible they contain terms that would hold CrowdStrike liable for more damages, Waller said.
“If you’re a huge company, you might have been able to get some negotiation around that,” she said.
A representative for CrowdStrike didn’t immediately respond to Business Insider’s request for comment about how it will enforce its terms and conditions.
To cover all the expenses being paid to deal with the CrowdStrike fallout — including hiring IT people to install another update that fixes the issue on Windows machines, lost employee productivity, fixing issues for customers, and possible legal expenses for publicly traded companies that need to file relevant securities reports for investors — most companies will have to turn to cyber insurers, Waller said.
According to Waller, most cyber insurance companies have policies that cover “contingent business interruption” or “dependent business interruption.” Those allow companies to recover damages from insurers against third-party cybersecurity companies they depend on. CrowdStrike’s Falcon software, which monitors threats on computers, could qualify.
“If I’ve got a big stop sign in front of me — terms and conditions against CrowdStrike — or if I can only get a refund, then I need to go look to my own cyber insurance policy,” Waller said.
Many such policies cover only malicious events like hacking, Waller said.
“We’ve just got a software glitch. So I think we’re going to see lawsuits filed against cyber insurance carriers for years to come, I imagine, on this outage,” Waller said. “This is a pretty big, from a cyber insurance standpoint, I think this is also going to spawn a lot of litigation about what’s covered and what is intended under these different policies.”
CrowdStrike can expect SEC scrutiny
As for CrowdStrike, it can expect lawsuits from shareholders, customers who want to try to obtain more damages, and likely an investigation from the Securities and Exchange Commission, Waller said.
The company, which is publicly traded, will have to file an 8-K report in the next few days with the SEC that lays out what went wrong with the Falcon update.
By a strange coincidence, the CrowdStrike disaster came a day after a major ruling by a federal judge in Manhattan in favor of SolarWinds — a technology security company that was breached in a 2020 Russian cyberespionage campaign — in a lawsuit brought by the SEC.
The SEC alleged SolarWinds didn’t sufficiently update investors and the public about the massive scope of the fallout from the Russian hack. But US District Judge Paul Engelmayer ruled Thursday that the company didn’t need to provide the “maximum specificity” the SEC demanded.
That ruling gives some breathing room to CrowdStrike, a $73 billion company, which has a responsibility to update investors and the public about what happened — but now needs to worry less about just how much detail it provides.
“You need to convey the severity of what is happening, but we don’t need to be really concerned about the nitty gritty details or what we don’t know,” Waller said.
Clinton Mora is a reporter for Trending Insurance News. He has previously worked for the Forbes. As a contributor to Trending Insurance News, Clinton covers emerging a wide range of property and casualty insurance related stories.