ARTICLE
6 August 2024

A Series: Managing Legal Risk Associated With IT Outages Through Contracting Best Practices, CrowdStrike's Falcon Content Outage

Fasken

Contributor

Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.

On July 19, 2024, CrowdStrike, which is widely regarded as a leading global provider in the cybersecurity field, released an update for one of its security products. This update had a defect that caused an IT outage[1] which has been described as the largest IT outage in history.[2] Although the incident was resolved and CrowdStrike has provided support to its customers and committed to publicly releasing a full root cause analysis, the incident has served as a catalyst for a renewed focus on mitigating risks associated with IT outages. This bulletin offers a high-level overview of how to manage legal risks associated with IT outages, as well as contractual considerations in doing so. We plan to expand on these and other topics in follow-up bulletins as part of this series.

IT outages, regardless of their cause, are an important organization-wide risk that must be managed. All organizations should conduct regular IT risk assessments and ensure that appropriate business and legal measures are in place in the event of an IT outage. It is also important to critically review all IT contracts to ensure that each party's rights and responsibilities with respect to the deployment of updates and patches (including conducting appropriate diligence) are clear and that liability for failures is appropriately allocated between the parties.

Organizations should inventory their IT assets, classify the risk level and criticality of those assets, and monitor risk over their life cycle. IT risks are not limited to cybersecurity incidents caused by external threat actors; critical outages can result from a wide range of causes, including defects in, or the failure to perform, routine maintenance and upgrades. Part of this risk assessment process will require organizations to consider whether IT resources have been centralized, such that one service provider is responsible for a majority of an organization's IT systems, or whether certain systems or vendors pose particular operational risks based on the nature of the system, software, or service. Organizations should consider where there are risks of single points of failure that could compromise multiple systems, both within their own IT infrastructure and systemically within their industry, supply chain or other areas. Some regulators have established frameworks for assessing these risks; see, for example, the Office of the Superintendent of Financial Institutions' Guideline B-10 regarding third-party risk management.

Service providers should have similar considerations in mind regarding IT risk assessment. Additionally, service providers should, in building, testing, and implementing their solutions, ensure that they have adequately considered IT risks, including geography (e.g., where and how data is stored and where solutions are hosted), and the extent to which solutions are dependent on other third parties and subcontractors. Service providers should perform adequate due diligence on subcontractors. Agreements between service providers and their subcontractors should hold subcontractors to the same, if not higher, standards than customers expect of service providers.

Below, we have set out key high-level contractual considerations related to avoiding, mitigating, remedying and seeking compensation for IT outages.

Service Levels

IT contracts should address performance issues by setting out service levels and other performance expectations. Including service levels requires service providers to commit to particular standards for achieving performance goals. Breaching service levels generally will result in some form of financial penalty, but customers and service providers may negotiate which of those service levels are essential to meet (and therefore require an increased financial penalty), and which of those service levels are critical to meet (and therefore constitute a material breach, thus providing grounds for termination of the agreement more broadly).

Incident Notification

Customer organizations should ensure that the contract has clear timelines and materiality thresholds for when service providers must notify customers of certain incidents and/or notify the customer's applicable regulators (or assist the customer with preparing notification to the same). Incidents should be defined to cover not only privacy and cybersecurity incidents but also events related to outages.

Disaster Recovery and Business Continuity

Generally, organizations should have their own disaster recovery plan and business continuity plan, which set out how the organization will continue to deliver services when critical services are disrupted. Organizations should also analyze all critical service providers' disaster recovery and business continuity practices (and have access to test results for the same). Service providers should be required to provide copies of such plans and have an obligation to update these plans regularly (among other obligations). Organizations should also ensure there are redundancies and back-ups to minimize the risk of a single point of failure.

Finally, customer organizations should ensure that there is an exit plan in place (including sufficient termination rights in the contract) in the event the service provider experiences a catastrophic outage (among other triggers, as suggested by the recent IT Risk Management Guidance from the Financial Services Regulatory Authority).

Limitation of Liability

Organizations should ensure that any financial liability caps in their agreements with service providers are adequate in the circumstances. For example, contracts for critical IT systems may have a higher, or separate, cap for various types of incidents. Although discussions with service providers on liability are also a function of bargaining power, particularly in the face of the standard form agreement of large IT service providers, customers should still be aware of these limitations. Additionally, exclusions related to indirect damages should be carefully drafted and organizations must be mindful that extended downtimes may lead to lost revenue and profits.

There are a number of other contractual considerations, industry guidelines, and best practices to consider. Keep an eye out for additional coverage on how to prepare for and deal with the fallout of IT outages in the bulletins to follow in this series.

Footnotes

1. See Falcon Content Update Remediation and Guidance Hub | CrowdStrike.

2. See https://www.washingtonpost.com/business/2024/07/20/outage-microsoft-economy-business/.
