Businesses, banks, hospitals and airlines were among the organisations that suffered serious disruption last week when a faulty security update caused Microsoft Windows computers to crash around the world.
The global IT outage caused by the update from cybersecurity firm CrowdStrike raises questions about who is responsible when an IT issue leads to business interruption. It shines a light on how quickly problems can escalate and just how vulnerable tech firms can be.
The outage is a wake-up call for firms, who need to understand their liabilities and have a plan for managing them if a problem arises with their service. In another incident in 2018, for example, a cyberattack at Bristol airport caused flight information screens to fail for two days and led to a dispute between the airport and its IT service provider over the limits of the provider’s responsibility.
The CrowdStrike incident is an extreme example of a technology business finding itself in the firing line. But suppose you were an app developer whose app became unavailable because of problems with a hosting platform such as Google Play or the Apple App Store. Who would be responsible for a customer’s loss of business?
A company that relies on that app to generate sales might want compensation for the loss of business. The app developer may have wanted a contract with the platform that holds the platform to account if it has problems, but small companies find it difficult to insist on such contract clauses when dealing with the tech giants.
As in the Bristol Airport case, another vulnerability for tech firms lies in a lack of clarity around responsibilities. This can lead to trouble for software developers if, for example, updates are made available for customers and things go wrong. If no clear plan has been put in place to back up files, this can be the moment when both the developer and the customer realise that the other hasn’t been keeping badly needed back-ups.
If there is no written agreement in place to specify that the developer will handle the back-ups, you might think they are in the clear. But that’s not always the case and if they have done anything that could suggest they are backing up files or have unintentionally hampered a customer’s back-ups, they could be in a difficult position.
To avoid these issues, tech companies should look very closely at their contracts to identify where they are vulnerable. Where possible they should make sure that they pass liabilities along to suppliers or customers. Where this isn’t possible, a sensible conversation with the customer is needed and insurance can provide protection for a business against otherwise potentially catastrophic losses.
The tech firm should explain that it understands how critical its service is to the company, but be clear as to the limits of its liability.
The two parties need to set sensible limits of liability and get clarity about their responsibilities. That enables a tech firm to ensure that its insurance cover is fit for purpose and aligned with its potential exposure under its contracts, giving it peace of mind.
Markel’s Contract Review service is designed to help its tech policyholders to understand their liabilities and make plans to tackle them.