CrowdStrike problems threaten significant supply chain disruption and secondary impacts
Firms urged to refocus on crisis plans
The CrowdStrike outage could cause significant global supply chain problems and impact secondary firms, underscoring how Single Point of Failure (SPoF) technology can cause widespread disruption, observers say.
Meanwhile, the IT outage that affected companies around the world last week is set to lead to an “insurance catastrophe”, warn brokers, law firms and rating agencies.
Insurer CyberCube confirmed that the global IT system outage was triggered by a faulty software update from CrowdStrike, causing widespread disruptions across various Windows operating systems.
It said companies using CrowdStrike’s Falcon software on machines running Windows OS will be primarily affected by the event. The firm pointed out that many of CrowdStrike’s customers are SPoFs. CyberCube therefore also warned that companies relying on any one of these SPoFs may be secondary victims of the event, even if they do not use CrowdStrike and Windows directly.
“Additionally, CrowdStrike Falcon is deployed by managed security service providers (MSSPs) on the networks of other – typically smaller – organisations they oversee. These organisations using such MSSPs are also secondary victims of the event. Notably, financial institutions, healthcare providers, and transportation networks have all experienced disruptions,” it added.
The company said analysis from its SPoF Intelligence tool identifies large companies in manufacturing, IT, healthcare and financials as the most likely to be exposed. Examination of exposed limits shows an outsize exposure in the aviation, banking and retail sectors.
CyberCube said that affected organisations will now take a series of immediate remediation and recovery steps. Companies with the IT resources to handle large-scale incidents are expected to recover faster. But there may be ongoing disruptions as companies implement patches and verify their systems’ stability, said CyberCube.
A lack of IT staff at small and medium-sized companies could delay the remediation process. “Companies lacking robust contingency or IT backup plans could also face additional disruptions,” added CyberCube.
Parcelhero warned that the outage could have “serious” knock-on effects for global supply chains and deliveries.
“Time will tell the extent of disruption to international trade and industry caused by the global IT issue,” said Parcelhero head of consumer research David Jinks.
“Delayed flights and issues with IT systems at airports will impact airfreight. Not only will slots for dedicated airfreight flights be disrupted, but many international goods and packages are transported not only in specially designed cargo planes but also in the cargo holds of passenger aircraft,” he said.
Meanwhile, international ports have been impacted by the issues. Poland’s largest container terminal, the Baltic Hub in Gdansk, asked companies to stop sending containers to the port.
Similarly, across the UK and globally, there are reports of many delayed and cancelled rail services. “In the UK, for example, Avanti West Coast, Great Western Railway and Southern were among the major operators reporting problems. Freight trains have to be threaded between passenger services and so are likely to face disruption,” said Jinks.
Retailers also experienced problems. The supermarket chain Morrisons reported payment issues, although these were largely resolved by mid-morning on 19 June. The UK bakery and coffee shop chain Gails also had to suspend in-store purchases. Perhaps more concerningly, UK community pharmacies were impacted by the outage.
Barnett Waddingham said it is important to focus on supply chain risk management following the outage, stressing that organisations not directly involved could still be disrupted by problems at a key supplier.
“Many organisations may have not considered that significant players such as Microsoft and CrowdStrike could have caused the global disruptions… The cost of lost business and service disruption will bring business continuity and resilience into sharp focus for many organisations today, particularly those who don’t have plans and practiced teams in place,” said Karla Gahan, head of resilience at Barnett Waddingham.
“For organisations who have invoked their plans, regular, clear communication with stakeholders will be key. The way you communicate during a crisis or disruption determines your reputation now and in the future,” she added.
Mishcon de Reya recommends a number of steps that should be taken in the first hours and days following such events to maximise the chances of a successful recovery.
The first is to try to find a technical IT fix for any problems. “It is important to focus on this before looking at who is to blame and what legal remedies may be available – but it’s also important to keep track of steps taken and any costs incurred, as these may form part of a damages claim later,” it said.
Firms are also advised to use all available channels to communicate with their stakeholders. “If unable to contact customers directly, social media and other comms channels can be used to get more general updates out. It’s important to let customers know which systems may be affected, what is being done to try to get systems back online, and how they can contact the organisation for further information,” said the law firm.
But it said it is important to avoid becoming a hostage to fortune by giving information based on incomplete data, or making promises about when systems will return to normal. It recommends steering clear of any statements that might be deemed to accept liability for outages.
In addition, regulated businesses may need to notify their regulators, for example where customers are unable to access accounts for a protracted period, added the law firm.
It stressed that it is important to remain vigilant and make sure bad actors don’t exploit the incident to gain systems access. “CrowdStrike have already issued guidance to only rely on information about fixes from trusted sources, so ensure teams are aware of that and that they are not relying on unsolicited advice that may be coming from bad actors. Organisations can use manual or analogue workarounds where possible, but should ensure they don’t compromise safety and security as this could create further problems down the line, particularly with regulators,” said Mishcon de Reya.
It then recommends an immediate review of contractual arrangements. “There is a risk of additional liability by failing to comply with contractual requirements in the event of IT outages. Businesses should check B2C and B2B contracts and follow any pre-agreed processes,” it said.
It said firms should check the following:
- Whether they are required to notify B2C or B2B customers or other third parties such as regulators in the event of service interruption, system downtime or force majeure.
- Whether there is potential for a data loss incident, and if so whether companies need to take steps to notify third parties (including data regulators and data subjects).
- Whether they are required to make fixes or alternative back-up systems available and, if so, that these are put in place.