The recent CrowdStrike outage on 19 July 2024 caused havoc across the world, leading to significant disruption across a host of industries. As the cyber dust settles, potential litigation and liabilities are already being discussed as businesses and individuals seek to recover their losses.
The faulty update to CrowdStrike, a corporate cybersecurity system, affected approximately 8.5 million devices that ran on Microsoft Windows, preventing them from loading. It is widely reported as being the worst cyber-incident in history, with thousands of businesses severely affected.
Businesses affected by the incident may turn to their insurers to seek coverage under their cyber, business interruption or liability policies. Policy holders will need to review their cover carefully to see whether it extends to non-malicious incidents such as this and what exclusions may apply. However, insurers may be in line to take a substantial hit.
In terms of litigation, we might see claims against CrowdStrike itself where parties have a direct contractual relationship with it. Those that don’t – likely to be the vast majority of Windows users and certainly those indirectly affected – will need to look for other avenues. For businesses, the most likely route may be against their IT suppliers. For individuals, it may be against affected service providers such as travel companies or perhaps as part of a class action. Contractual exclusion and limitation of liability provisions – very common in sophisticated IT agreements – will be especially relevant here. Potential claimants and defendants will be frantically checking their terms to see what is in and out of scope!