Lessons learned from global CrowdStrike outage – contractual considerations
Tuesday 24th September 2024
Earlier this year, CrowdStrike, a US-based and market-leading cyber-security vendor, caused a global outage affecting Windows-based infrastructure. Whilst this wasn’t a cyber-attack, it was a notable cyber-incident caused by an update to CrowdStrike’s Falcon platform, resulting in widespread disruption to thousands of businesses.
Although there are many factors affecting a business’ ability to negotiate with its IT vendors, including pricing, bargaining power, and potential imbalance between vendor and customer, this incident teaches us a lot about ways businesses can mitigate risk – operationally, internally and contractually.
Here we focus on some key contractual considerations when negotiating with IT vendors:
- Maintenance and Updates – Consider what the contract says about scheduled and emergency maintenance, patching and updates to the relevant solution. Consider the vendor’s notification requirements on these items so the business is fully informed of when these events will take place. Consider adding an obligation on the vendor to undertake these actions outside of the business’ core working hours, and on a set period of notice where possible, to minimise disruption. Seek protection that both maintenance and updates will not negatively impact security, functionality, availability or compatibility.
- Performance Commitments – What assurances does the contract give as to standards of performance from the vendor when it comes to: the security of the solution; personnel used to perform the contract; security standards; and the frequency of patching/updates? Further, if a vendor is not amenable to adding significant warranties to the contract, can they point to any cyber-security accreditations which speak to the resilience of their IT infrastructure? If a vendor is processing personal data on behalf of the customer, consider the requirements of GDPR and whether all elements are appropriately included.
- Vendor Liability – Most one-to-many vendors will heavily limit their liability to customers under their standard contracts as far as they can under applicable laws. It is worth reviewing the financial caps and exclusions to understand the prospect of the business being able to recover its losses in the event of a breach. It is often also worth seeking to see copies of a vendor’s insurances to give some indication of whether it is able to support its liabilities under the contract (noting that insurance levels do not necessarily equate to recoverability). If the caps as drafted are not sufficient, seek to negotiate a more balanced position, including the use of ‘super-caps’ to cover off specific risk areas.
- Force Majeure/Events outside of the vendor’s reasonable control – Review the force majeure provisions in the agreement to understand when the vendor is entitled to relief from its obligations to perform the contract, or certain elements of it. These are typically drafted widely and often include events for which, in reality, the business would expect the vendor to take responsibility.
- Remedies for breach – Consider the remedies available to the business under the contract if the vendor is in breach:
  - Termination – We generally see contracts containing a provision allowing a party to terminate if the other party is in material breach. The threshold for material breach is high, and this is the ultimate remedy, so consider whether the breach in question is sufficiently serious to terminate the agreement.
  - Service Levels and Service Credits – It’s common for IT contracts to contain small liquidated damages remedies for breaches of defined service levels, such as an uptime or latency commitment, or timeframes for responding to incidents. Consider reviewing service levels and service credits provisions to see if they are fit for purpose and a proportionate remedy in the event of each failure, and beware of service credits being the customer’s ‘sole remedy’ – i.e. their only remedy in relation to that breach, which could preclude the customer from seeking damages or invoking its rights to terminate.
  - Statutory remedies and tools:
    - Repudiatory breach – In the absence of any material breach provisions in the contract, consider the common law right to terminate for repudiatory breach. Termination for breach is a complex area and advice should always be sought before terminating a contract in this way.
    - GDPR controller rights – Also note that where a vendor is a ‘data processor’, the GDPR affords a ‘controller’ certain rights, such as a reasonable right of audit with respect to the protection of personal data and an obligation on the processor to assist with the business’ compliance obligations. These should be considered where the contract doesn’t point to a clear right.
- Key dates for renewal – It’s not always commercially feasible to re-open signed contracts. However, consider key dates for renewal of certain contracts which may be an opportune time to revisit key risk areas.
Please feel free to get in touch with our Privacy and Digital, Technology and AI experts for support with negotiating IT contracts.