30 July 2024
The failure of millions of Windows computers due to a faulty update from the IT security company Crowdstrike on 19 July 2024 was a wake-up call for more cyber security. And it comes at the right time, as businesses face major challenges as new EU regulations come into force. Those who fail to recognise the signs of the times risk serious liability consequences.
When, on 19 July 2024, an estimated 8.5 million Windows computers worldwide were brought to a standstill by a faulty software update from Crowdstrike, the vulnerability of our connected world suddenly became apparent on an unprecedented scale. The incident affected companies in virtually every sector and caused billions of dollars in damage.
Companies should use this incident as a reminder of the importance of cyber security: On the one hand, there will soon be stricter legal requirements for cybersecurity. On the other hand, companies should review their contracts and insurance policies to ensure that cyber security incidents are adequately covered so that they do not suffer excessive financial losses in the event of an incident.
On 19 July 2024, Crowdstrike, a manufacturer of cyber security software that is popular with businesses and known to be reliable, released an update. An incorrectly programmed memory access caused Windows computers to crash repeatedly, preventing them from starting at all. As the update was rolled out to millions of computers at the same time, it caused a domino effect that prevented companies and organisations in key industries such as aviation, finance, retail, manufacturing, logistics and healthcare from doing business for hours. The consequences were widespread and devastating.
The incident is a reminder of the importance of cyber security for companies shortly before the implementation deadline for the NIS2 Directive on 17 October 2024. The NIS2 Directive, which is not expected to be implemented in Germany until spring 2025, significantly tightens the requirements for IT security.
In addition to the companies already categorised as "critical infrastructure" (KRITIS) and subject to cyber security requirements, tens of thousands of other companies will have to comply with cyber security requirements in the future. This affects a large number of companies that are categorised as important or particularly important institutions; companies with as few as 50 employees can count as important institutions.
In future, these companies will have to take more technical and organisational security measures and review them regularly. What is particularly important is that the responsibility for this lies explicitly with the management. Board members and managing directors must actively control and monitor the implementation of these measures and are even personally liable in the event of violations. It is therefore high time to take a close look at internal processes and emergency plans. Those who underestimate the requirements risk heavy fines and claims for damages.
The first step is to check whether a company falls under the new regulations. The German Federal Office for Information Security (BSI) offers a non-binding initial assessment for this purpose. However, the assessment can be difficult in individual cases because the law is by its very nature formulated in very abstract terms. If in doubt, it is advisable to seek legal advice from experienced IT law experts.
Once it has been established that a company is subject to the new cybersecurity requirements, it is necessary to consider what measures need to be implemented. This will depend on a number of factors, in particular the operator groups and sectors to which the company belongs. Legal advice from experienced IT lawyers should also be sought when identifying the measures.
The new requirements range from certain registration and incident reporting obligations to the establishment of training, risk management systems and security operation centres.
Finally, the measures must be implemented and regularly reviewed to ensure that they are still adequate.
Failure to do so can result in fines for the company and consequences for managers. Claims for damages may also be considered.
However, cyber security also needs to be considered in a broader context. The Crowdstrike incident shows that virtually anyone can be affected, and that even well-established, reputable software vendors can make mistakes. This can also have far-reaching indirect consequences.
When drafting their contracts, companies should therefore ensure that they negotiate a liability regime that takes particular account of cyber incidents at their own company or at a business partner. This includes appropriate exclusions of liability and indemnity clauses, as well as an appropriate definition of mutual obligations. In contracts with cybersecurity service providers, it is important to ensure that liability clauses also cover any consequential damages for business interruption caused; these consequential damages are often explicitly excluded, particularly in standard US contracts.
Enforcement mechanisms must also be put in place to effectively enforce the agreement in the event of a dispute. For example, if claims can only be brought in certain US courts, the cost of enforcement may be prohibitive for some smaller European companies.
IT security issues are particularly relevant in IT contracts (e.g. software purchase). However, the Crowdstrike incident shows that IT incidents can also have a significant indirect impact and affect contractual relationships that do not directly involve IT services. Accordingly, IT incidents should also be considered in other contracts.
It also makes sense to take out cyber insurance to be covered in the event of a claim. Depending on the policy, cyber insurance not only covers direct damages, but also reimburses some consultancy costs, such as legal fees, for the specific incident.
The Crowdstrike incident has highlighted how dependent we are on a functioning IT infrastructure. Cyber security is therefore a boardroom issue and needs to be embraced at the highest level. New EU regulations increase compliance requirements and liability risks. Businesses and their leaders need to make IT security a priority. IT security is no longer just a basic requirement for the sustainable operation of a business, but is also increasingly required for legal reasons. In addition, IT security considerations are permeating other business functions. For example, IT security must be taken into account when drafting contracts and selecting insurance policies.