news-17092024-053552

Enhancing Business Resilience: Lessons from the CrowdStrike Outage

On 19 July 2024, a defective update for CrowdStrike's Falcon endpoint protection sensor crashed Windows hosts around the world, triggering a global IT outage of unprecedented scale; Microsoft later put the number of affected Windows devices at roughly 8.5 million. The repercussions were felt far and wide, with Australia bearing a significant financial impact estimated to surpass A$1 billion.

In the immediate aftermath, the focus was understandably on restoring systems and absorbing the financial losses incurred. Boards and executives now need to shift their attention to the long-term implications of the outage. Governments and regulators are scrutinising the incident closely, and that scrutiny calls for a closer examination of what happened and what it means for their own organisations.

In Australia, there is no sector-specific regulator for the IT industry, which sets it apart from sectors such as banking and telecommunications. IT vendors like CrowdStrike must comply with general legislation such as the Australian Consumer Law (ACL) and the Privacy Act 1988 (Cth), but no regulator oversees the sector as such. This gap highlights the need for a more robust framework to govern the IT industry effectively.

The Australian Government has recognised the importance of cybersecurity with the release of the 2023-2030 Australian Cyber Security Strategy. However, the Security of Critical Infrastructure Act 2018 (Cth) is directed at security hazards to critical infrastructure assets and does not squarely address a non-malicious IT outage like the one caused by CrowdStrike, despite that outage's impact on critical infrastructure in Australia. This disconnect underscores the need for more comprehensive measures to guard against similar incidents in the future.

Boards and executives must be vigilant in assessing the risks posed by third-party systems that could disrupt their business operations. Regulatory bodies like the Australian Prudential Regulation Authority (APRA) have already taken steps to strengthen risk management frameworks and business continuity requirements for entities under their purview. Prudential Standard CPS 230 (Operational Risk Management), which takes effect on 1 July 2025, requires regulated entities to manage the risks arising from their material service providers, a direct response to the sector's increasing reliance on outsourced technology.

The global economy has witnessed the far-reaching consequences of IT outages, prompting governments and regulators to reevaluate their approach to digital resilience. While Australia has taken steps to bolster its cybersecurity measures, the need for stronger regulation in the technology sector has been emphasized by industry experts and policymakers alike.

In the wake of other recent outages, such as the November 2023 Optus mobile network incident, the Australian Government has shown a commitment to improving digital resilience. Industry standards enforced by the Australian Communications and Media Authority aim to improve how carriers communicate with customers and emergency services during major outages, signalling a proactive approach to safeguarding the country's digital infrastructure.

While these regulatory efforts in Australia are commendable, the global landscape lacks a unified approach to digital resilience outside the financial sector. The European Union's Digital Operational Resilience Act (DORA), which applies from January 2025, sets a precedent by imposing operational resilience and third-party ICT risk obligations on banks, insurers and other financial entities. Broader regulation of digital resilience remains a distant prospect, however, leaving most businesses to rely on their own governance measures to mitigate these risks.

To bolster digital resilience and mitigate the risks associated with IT outages, businesses must prioritize the following considerations:

Agreements with IT vendors: Businesses should reassess contract terms to strike a balance between risk and reward, negotiating more favourable liability positions where possible. Vendor terms commonly cap liability at the fees paid and exclude consequential loss, so the practical question is what recovery, if any, the contract actually leaves open. Statutory consumer guarantees and unfair contract terms protections under the ACL can provide additional safeguards for businesses that fall within their scope.

Technology governance: Sound governance practices, including secure coding standards and robust testing of changes before they reach production, are essential to prevent outages caused by coding errors. The same discipline should extend to vendor-pushed updates: where a vendor offers staged or delayed rollout of updates, businesses should use it so that a faulty update is caught on a small set of hosts rather than the whole fleet. Investing in data redundancy and documented manual workarounds can help limit operational impact when a disruption does occur.

Insurance arrangements: Businesses should review their insurance policies to ensure coverage for losses stemming from IT outages, whether through cyber insurance or business interruption insurance.

Class actions: Arbitration clauses in vendor agreements can pose challenges for businesses seeking legal remedies after an IT outage. Where a vendor's terms select New York governing law and Singapore-seated arbitration, access to Australian courts may be limited, so potential legal disputes warrant a considered strategy rather than an assumption that local remedies are available.

Regardless of size, every business should conduct a comprehensive risk assessment of its technology environment. This includes identifying the systems whose failure would halt critical operations, identifying the third parties those systems depend on, negotiating contract terms for an improved liability position, and implementing redundancy measures to enhance operational resilience.

The evolving landscape of digital resilience underscores the need for proactive measures against IT outages and cyber threats alike. By prioritising technology governance, regulatory compliance and risk management, businesses can improve their resilience in the face of incidents of this scale. As governments and regulators continue to respond to the implications of the CrowdStrike outage, businesses must remain vigilant and adaptive to navigate the complex terrain of digital resilience effectively.