Who’s liable for tech glitches that upend a company’s operations?
When a vendor's tech glitch takes down a business, whether for just a few hours or several days, who should pay?
It's a question many are asking after a faulty software update from cybersecurity company CrowdStrike last month crashed millions of Windows-based devices, leading to corporate chaos, lost sales, and millions of dollars spent trying to fix the problem.
The answer, it turns out, is complicated, hinging on the fine print in the contracts that businesses sign with their software vendors. Companies also frequently buy insurance to cover any disruptions, although the policies vary in paying out when third-party tech providers are responsible for the disaster.
What is clear is that many employers, burned by the CrowdStrike outage, are suddenly paying a lot closer attention to their software vendor contracts to better understand who's liable when tech fails.
Michael Mainiero, the chief digital and information officer at Catholic Health Long Island, says he's now performing quarterly status checks on vendor contracts after a big part of the New York-based hospital system was taken down by the CrowdStrike outage. He's also ensuring Catholic Health has an updated point of contact for all of the company's vendors to know who to call if and when things go south.
But Mainiero has no plans to require vendors to agree to larger legal liability in the event of a system breakdown. He fears it would create a disincentive for vendors to remotely update their software for fear that it, like CrowdStrike's, could end in a tech disaster.
“If you're making it onerous for a vendor to update something, you could weaken your cybersecurity posture and increase your risk exposure,” Mainiero says, adding, “My focus is to build strong collaborative relationships with the vendors, and during the crisis, have the ability to work together seamlessly and bring the system online quickly.”
Delta Air Lines, which had to cancel thousands of fights following CrowdStrike's outage, has taken a far more aggressive stand. It has said that it would seek $500 million from CrowdStrike for lost revenue and extra costs. In response, CrowdStrike said its contract with Delta limits its liability to less than $10 million.
Sean Scranton, a cyber risk expert at insurance provider WTW, says a broad group of stakeholders, including the chief information security officer, legal department, risk managers, and internal auditors, should work together to agree on liability language in contracts.
After an initial risk assessment, companies should consider ways to reduce the potential trouble spots they identify, including requiring extra approvals for software updates from vendors like CrowdStrike. That human oversight would be an extra expense for the customer. Companies using third-party software could also reduce their financial risk of a meltdown by taking out insurance or by accepting the risk and planning a detailed response for when things go wrong.
“Everyone is responsible for managing risks and making sure that if incidents do occur, we keep the severity low,” says Scranton.
The CrowdStrike fiasco shows that business customers may have been too trusting of software vendors and that healthier skepticism may be needed, says Asha Palmer, senior vice president of compliance at software maker Skillsoft. Vendors should tell customers about any upcoming tweaks to their products, including software updates and any hiccups they encountered in the development process, she says, but customers must also create systems that protect themselves against faulty software.
“There is a mutual accountability between the vendors that service you and you being the person who is being serviced,” says Palmer.
Steven Weisman, a partner at law firm McCarter & English, says traditional business disruption insurance wouldn’t cover a CrowdStrike-type event. But some policies that specifically cover cyber failures may reimburse customers for some of the lost revenue and extra expenses caused by a third-party software provider's mistakes.
Corrie Hurm, head of claims at insurance broker Embroker, says most insurance that covers business interruptions requires certain triggers for payouts: Was it a system outage? Or a cyber attack? Each event can come with varying degrees of insurance coverage.
But often, those insurance policies require companies like Delta to implement their own checks and balances for when things go awry. Businesses should also use a diversity of software and hardware vendors, Hurm says, advice that's contrary to the push by many IT leaders to reduce the number of vendors they work with.
“If you’re putting all your eggs in one basket and there’s an outage like this one, you have a major problem,” says Hurm.
John Kell
Send thoughts or suggestions to CIO Intelligence here.
This story was originally featured on Fortune.com