
Legal Alert

Crucial Lesson from the CrowdStrike Outage: Assess Your Cybersecurity Supply Chain

August 9, 2024

Millions of computers around the world running the Windows operating system were recently disabled, not by hackers but by a faulty software update released by CrowdStrike. The cybersecurity vendor's error, which hobbled airlines and disrupted hospitals and other businesses, was compounded by bad actors who circulated a “quick fix” that planted malware on affected systems.

The shockwaves from the CrowdStrike incident continue to spread, and naturally companies are feeling increasingly vulnerable.

Fortunately, there is a way for companies to minimize possible future damage in the event of a similar cyber attack. A good place to start is to focus on your cybersecurity supply chain management policies and procedures.

Review Your Cybersecurity Contracts

Each vendor that provides cybersecurity products or services to your company, as CrowdStrike did for many, should have an agreement that governs the relationship. The agreement should be structured and customized based on what that vendor provides rather than reflecting a one-size-fits-all approach. Some vendors provide mission-critical products or services; others do not. For those that do, a more cautious and thorough approach to contract review and negotiation is advisable.

An agreement based on the vendor’s standard form is likely to contain language that is favorable to the vendor, including very limited (if any) indemnification provisions and a low liability cap. Companies should make sure that the agreements require that the vendor be liable for, and indemnify the company for, damages arising from these cyber attacks (with no liability cap or a super cap for these damages) and that the vendor carries adequate cyber insurance. The vendor knows best what could go wrong in the deal, so it is reasonable to demand that it have appropriate mitigation measures in place and explicitly identify those measures in the agreement. Excusing the vendor’s performance (i.e., a carve-out from the liability or indemnification provision) should be limited only to incidents that are outside of its reasonable control.

An incident outside of a vendor’s reasonable control is what the force majeure clause is for. It is typically found towards the end of the main part of the agreement and is often overlooked. Again, if you are working off the vendor’s form, watch out for language that lets the vendor use it to get off the hook. The key is to carefully word the clause in such a way that the vendor’s ability to use it as a means to excuse its obligations is very limited. Consider, for example, a cybersecurity error by someone in the vendor’s own supply chain. The vendor might want to use that as an excuse for offloading any liability, but that should not be allowed to count as a force majeure incident. Preventing something like this from derailing the vendor’s services is usually within the vendor’s control, and the language in the clause should reflect that. Another thing a force majeure provision can give you is the right to terminate the agreement if the vendor cannot perform its obligations due to a cyber attack and its failure remains ongoing for a period of time you specify.

Your IT and security teams should also review the security standards in the agreement to ensure that the vendor has appropriate physical, administrative, and technical controls. If the contract involves a mission-critical product or service or touches key data, systems, or infrastructure, the company should consider having its own mandatory security terms to which the vendor must agree.

Negotiating these agreements requires consideration of many variables: the vendor’s size, its financial and operational capacity, the size of its end user base, its track record, your risk tolerance, the value of the contract, alternative service providers, etc. That information should help determine, for example, which checklists to use, what language to avoid, and what to require. This will help ensure the agreement you sign fits your needs.

We Can Help

Maslon attorneys can guide businesses needing legal assistance with their cybersecurity supply chain management and other complex issues. Reach out to us to ensure you are prepared to minimize possible damage in the future.
