CrowdStrike outage - resolving disputes


1. Introduction

This article looks at the CrowdStrike claims landscape and specifically how mediation, and in particular early stage mediation, can make a significant difference in resolving claims.

The CrowdStrike outage occurred on 19th July 2024 and was the largest global incident of its kind. Lasting up to several days for some organisations, it affected c.8.5m devices worldwide and it is estimated it will cost US Fortune 500 companies alone c.$5.4 billion.

The CrowdStrike product involved (Falcon) is intended to protect systems running on Microsoft software from cyber attack. However, the outage was not caused by a cyber incident, but by an error in a software update issued by CrowdStrike to its users. The error caused devices to crash (the blue screen of death), to the extent that they were rendered unusable. It took some time for IT departments and administrators to install a fix and get their systems back up and running, some longer than others. Users were affected across all sectors, including healthcare, air travel, banking and retail.

An incident of this kind can have serious consequences for businesses. Loss of revenue is an obvious issue. However for those regulated organisations which provide what is regarded as critical infrastructure (e.g. power/utility, banking, healthcare), incidents like this can bring them into the regulatory spotlight, calling into question their operational resilience, and whether they have in place the systems and processes to avoid or minimise the impact of such events.

As a result it is likely that organisations which have been affected will be looking for compensation from their providers of IT services, and/or payment from their insurers, and consequently there will be a lot of litigation. Already Delta Airlines have said they will be pursuing CrowdStrike for $500m of losses they claim to have suffered, and CrowdStrike shareholders have indicated they will be making a claim against the company.

2. The claims landscape

Although the outage was caused by CrowdStrike, they will not necessarily be the respondent to claims. Users of the Falcon product may have contracted direct with CrowdStrike, or they may be using the product through an arrangement with a third party technology service provider (e.g. software supplier, outsourcer, cloud provider). Who an organisation contracted with will determine who can be claimed against.

Claims may not be confined to technology service providers. Users of CrowdStrike software may, as a result of the effects of the outage on their systems, have defaulted in their obligations to their customers, which in turn may give rise to claims from them.

At whatever level of trade the claims occur, the key issues will be (1) has there been a breach of contract; (2) does any Force Majeure clause relieve a party from the relevant obligation; (3) what are the losses which flow from that breach; and (4) are those losses excluded or capped. A couple of key commercial points arise from that:-

• Software and associated updates are usually not warranted to be error free. Further, in strategic outsourcing arrangements a failure of service is often not to be treated as a breach, unless it causes the level of service to fall below a minimum acceptable standard. Therefore proving breach may not be straightforward.

• Many technology licenses and service contracts are based on standard terms, or (in the case of strategic sourcing arrangements) are closely negotiated, the result of which can be that liability, and therefore ability to recover losses in full, is heavily restricted.

• These issues which may apply at the service provider level (i.e. between technology service provider and user) may not be replicated at the user level (i.e. between the user and its customers), and so a user of CrowdStrike services may find that it is incurring liabilities to its customers which cannot be recovered (at least not in full), from its service providers.

In addition mitigation of loss will be a key issue. For example Delta Airlines is claiming losses of $500m; it took Delta 5 days to get their systems back up and they cancelled 7,000 flights. However American Airlines largely recovered their operations the day the outage occurred and cancelled only 51 flights.

Finally many individuals and smaller businesses suffered losses which, whilst important to them, may on their own be uneconomic to claim. It is possible therefore that class action groups will be formed to seek recovery of these losses on a collective basis.

Accordingly if the CrowdStrike outage does give rise to a lot of claims and disputes, many of them are unlikely to be straightforward.

3. The insurance position

Much of the talk regarding the role of insurance in responding to the CrowdStrike outage has centred on Cyber Security policies, which can provide cover for business interruption claims for both insured (i.e. user) and third party (e.g. customer) losses. Falcon is a cyber security product, although the outage was not caused by a malicious cyber security attack. On that basis organisations may have to look to other cover they may have. Policies will have to be examined closely to see whether the event (errors in a software update) is within the ambit of the policy (whether cyber security or other).

4. Resolving CrowdStrike disputes

Early mediation

Disputes of the sort which are likely to emerge from the CrowdStrike outage have a number of features which suggest they would benefit from not just being mediated, but being mediated at an early stage. From the point of view of claimants, cyber security and business interruption events cause what might be described as financial shocks to businesses, i.e. significant losses which are unplanned and which can impose immediate pressure on profits and cash flow. Delta Airlines are saying the CrowdStrike outage cost them $500m, which is c.40% of their reported 2023 profit. That loss will have to be financed in some way until the case is resolved, which will have a cost. So particularly for businesses which are run on tight margins (for example Delta are working on a net operating margin of under 7%), waiting for a case to run to trial over a period of years is not an attractive option.

One might think therefore that time is on the side of the technology service providers and the insurers, i.e. the defendants. The longer the case takes, the more likely it is that financial pressures may force the claimants to lower their settlement expectations. That might be true, but these defendants have brands which they need to protect and relationships with customers which, in highly competitive marketplaces, can be difficult to win and easy to lose. Delaying the settlement of claims only for tactical purposes is not a good look.

CrowdStrike understand this. From the moment the outage occurred they embarked on an impressive charm offensive with their customers, aimed at helping them get back to BAU as quickly as possible, and working with them to reduce the risk of similar incidents in the future. Their approach might well in time provide an interesting case study into successful corporate crisis management.

Another dynamic which may make early mediation and settlement attractive to defendants is avoiding binding judgements. There may be points of legal principle at stake, and it is often better to negotiate when those issues are unresolved rather than when they are, if there is a material risk that a key issue will not be resolved in your favour. Also for defendants who may be facing multiple claims, the overall cost of claims to them can be reduced by adopting a strategy of early mediation.

So it is probably in the interests of both parties to think about trying to resolve these disputes sooner rather than later.

The dynamics of early mediation

The dynamics of a dispute and of litigation change over time. That means the factors which apply at the beginning of a case are not the same, or are not as consequential, as those which apply later. So going into an early stage mediation with the usual toolset is less likely to lead to resolution; different thinking and a different approach is needed.

Why is that? There are three principal reasons; (1) legal uncertainty; (2) the effect of cognitive biases; and (3) the impact of litigation fatigue.

- Legal uncertainty. At an early stage of a dispute the legal issues and the evidential picture will not be as clear as they will be later on, when pleadings have been completed and interrogated, full disclosure has taken place, and case management hearings have taken place. This can be a barrier to settlement, because parties often believe they will have more leverage in negotiations when their case has been fully articulated, and also when they have had the chance to attack the case of the other side. For these reasons there is often a hesitancy to settle at an early stage, each party believing that when their case is played out, they will be in a stronger position.

- The effect of cognitive biases. Cognitive biases are the unconscious or illogical biases most of us have which can create significant barriers to resolving disputes in mediation; for example “Confirmation Bias”, i.e. the tendency to look for, interpret, favour and recall information which supports the narrative a party is trying to develop in a case, whilst discounting information which does not fit that story; and “Attribution Bias”, i.e. the tendency when things go wrong to blame other people and in doing so to attribute the cause of the problem to defects in their character, personality or professionalism, rather than other factors such as our own contribution to the problem or situational factors. These biases tend to be more entrenched and more active at an early stage in a dispute, and therefore constitute, at that early stage, a higher barrier to resolution than later in any litigation.

- Litigation fatigue. I would like to claim the cases I mediate which settle only do so because of my amazing mediation skills, but often simple fatigue can be a major factor later on in proceedings; parties can become bored of the case; or their priorities may have changed and they now have better things to do with their time and money; or the novelty of signing big cheques to fund litigation can wear off; or they decide life is too short. The enthusiasm to litigate and not settle is usually at a much higher level earlier in the case than it is later on, when fatigue may have set in.

Being aware of these differences is critical, not just for neutrals, but for advisers in developing their negotiating strategies in mediation.

Addressing these special features of early mediation

In my experience there are three things worth thinking about when looking at how to address those early stage differences; fostering a settlement mindset; focussing on risk; and working with ambiguity.

- Fostering a settlement mindset. In mediation settling a case is not compulsory, no settlement can be imposed, and any of the parties can walk away at any time. But if the fundamental purpose of an early mediation in cases like CrowdStrike is to address quickly, one way or another, the financial shock suffered by the claimant, and to preserve important relationships, adopting a mindset of “active settlement” (how do we settle the case) as opposed to “passive settlement” (let’s see if something turns up), is a key factor.

o Don't wait for the mediation meeting to start mediating. Use the time between the signing of the Mediation Agreement and the mediation meeting to engender a positive settlement mindset. That involves engagement between the mediator and each party and early discussion on identifying the key issues, possible outcomes and likely commercial scenarios. This all helps to get the parties into a positive settlement mindset before the mediation meeting takes place.

o Think differently about Mediation Submissions and Opening Statements. Consider dispensing with Mediation Submissions. These tend to be a re-statement in short form of the legal positions of each party, and they can be helpful summaries. But if the parties already have a reasonable idea, albeit at a high level, of the legal cases of each side, the mere preparation and exchange of submissions can serve to entrench positions and feed the biases referred to above. With that in mind consider dispensing with Mediation Submissions and focussing Opening Statements more on the commercial issues, and less on legal arguments.

o Commit upfront in the Mediation Agreement to a non-binding neutral evaluation in the event the case doesn’t settle. In most cases if a case does not settle through mediation, the parties can, but are not obliged to, invite the mediator to prepare an evaluation of the issues and where a settlement might lie. But baking this into the process from the start means the parties know that if they do not settle, they are going to receive an opinion on the case which, whilst not binding or disclosable, is likely to narrow their room for manoeuvre in future negotiations. That can create a positive impetus to settle sooner rather than later.

- Focus on risk. Clearly the legal issues are important in any mediation arising from litigation. However focussing too much on legal arguments can be counter-productive in early stage mediation, because:-

o At an early stage the parties may be wary of conceding any legal ground;

o Legal discussions can serve to entrench positions and cognitive biases; and

o Many cases are zero sum disputes, therefore on a pure legal view of the world, there is not much room for compromise between the win or lose outcomes.

Once the legal issues are reasonably well understood a picture of the risks faced by both parties can be formed, based on the likelihood of possible outcomes and the risk weighted values of those outcomes. In my experience these risk based exercises usually result in more commercial and pragmatic views being developed, in more commercial and pragmatic discussions and negotiations between the parties, and in a narrowing of the range of possible settlements, which in turn is more likely to lead to resolution.

- Working with ambiguity. It is rare for business decisions to be made with the benefit of perfect information and data. Assumptions, trade-offs and judgements have to be made, whilst accepting there will be gaps in knowledge and therefore risks which have to be managed when making any material decision. That is particularly the case with early stage mediation, when the full legal and evidential picture might not be fully developed. The key question is whether the parties have enough information to be able to negotiate a commercial settlement at this stage, trading off the value of a settlement now, with the benefit, if any, of waiting and seeing if further information or data improves their position. The test is whether, post settlement, each party can go to their stakeholders, board or shareholders with a clear rationale, a clear story as to why they agreed to the terms of the settlement. In my experience that can be done without a perfect information set, like any business decision.

Early mediation does have some different dynamics and fostering a settlement mindset, focussing on risk and working with ambiguity can be key factors in helping to address those differences and in helping businesses like those affected by the CrowdStrike outage to reach a settlement sooner rather than later.

5. Acknowledgment

The contents of this article are based on material I prepared for a webinar on the CrowdStrike outage hosted by Arbitra International on 18th September 2024 from the International Dispute Resolution Centre in London. My fellow panellists were Wolf von Kumberg (Arbitrator and Mediator, Arbitra International), Elliot Rose (Partner and Cyber Security Lead, PA Consulting Group), Joanne Elieli (Partner, Cyber Data and Technology Disputes, Stephenson Harwood) and Frank Lattal (Arbitrator and Mediator, Arbitra International). The webinar is available to watch on YouTube; to do so please go to - https://www.youtube.com/watch?v=p3zbLE3ayZY

Mike Henley
COMMediate
25th September 2024