NewsBite

CrowdStrike’s Aussie customers must agree to offshore arbitration in compensation battle

Despite the catastrophic outage that cost businesses billions of dollars, CrowdStrike’s contracts will make it tough for Aussie clients to extract compensation.

Sydney airport chaos after a global tech outage caused by CrowdStrike’s botched software upgrade on Friday.

CrowdStrike’s Australian customers have “forgone” their rights to pursue compensation for Friday’s global outage in the Australian courts, according to one of the nation’s top law firms.

A botched software upgrade from the Texas-based cybersecurity firm is expected to cost businesses billions of dollars globally, with estimates in NSW alone topping $200m, after big banks, hospitals, retailers and airlines were faced with what is known as “the blue screen of death”.

But James North, head of technology, media and communications at Corrs Chambers Westgarth, said extracting compensation for losses would be difficult.

He said many of CrowdStrike’s customers must agree to New York governing law and arbitration in Singapore, “foregoing access to Australian courts in the pursuit of legal remedies”.

The ‘blue screen of death’ that rendered Windows-based computers useless.

A CrowdStrike spokesman has also declined to answer questions from The Australian about who will foot the damage bill.

“It is becoming clear that a large number of Australian businesses have suffered significant financial losses as a result of the CrowdStrike outage, including employing additional staff to reboot IT systems, and lost sales and revenue due to an inability to trade,” Mr North said.

“While the immediate focus has been getting their IT systems back online and clearing order backlogs, attention is now turning to whether the business can recover its losses from CrowdStrike or from their insurers.

“Australian businesses face a number of challenges in recovering consequential losses from IT vendors such as CrowdStrike.”

CrowdStrike earned more than $US2.02bn ($3.03bn) from companies globally last year, according to Gartner, making it the second-biggest provider of what is known as endpoint protection, with a 14.7 per cent share of the market. Microsoft – which suffered a separate glitch on its 365 suite of products and Azure cloud platform on Friday – is the biggest player, with 40.2 per cent market share, earning $US5.5bn from companies globally last year.

In Australia, CrowdStrike earned more than $111m from companies last year, according to Gartner, with more than 25.23 per cent market share. This compared with Microsoft’s $138m earned from Australian companies for endpoint protection, making it the dominant provider locally with a 31.4 per cent market share.

Mr North said CrowdStrike’s standard terms limited its liability for contractual breaches to a refund of fees paid by the customer and excluded liability for loss of revenue and other consequential losses. “Well-advised customers will have negotiated better liability arrangements with CrowdStrike, but for many customers, their best avenue of recovery may be under the Australian Consumer Law,” he said.

Mr North said statutory guarantees were available to Australian businesses in certain circumstances, in particular where the goods or services purchased are valued at $100,000 or less.

“These include a guarantee that any services will be provided with due care and skill,” he said.

“Such guarantee may be breached in circumstances where an IT vendor introduced coding errors into a software update or failed to properly test the update before deploying it on to its customer’s IT systems.

“Importantly, a business may recover its ‘reasonably foreseeable losses’ as a result of a ‘major failure’ by a vendor to comply with a statutory guarantee. In certain circumstances, this may include trading and other financial losses.”


Mark Wilks, head of commercial litigation at Corrs Chambers Westgarth, also urged CrowdStrike customers, which include the big banks, Woolworths, Coles, Qantas and Telstra, to check their business insurance.

“While business interruption insurance is unlikely to respond, as it relates to damage to physical plant and equipment through defined acts, they should also check the terms of their cyber insurance policy,” he said.

“CrowdStrike has stated that this incident was not caused by a malicious third-party actor. (But) some cyber insurance policies also cover loss arising from IT systems outages more generally.”

Major insurers could be on the hook for cyber losses arising from the outage, with QBE, IAG, Chubb and Lloyds all pointed to by industry figures.

The Insurance Council of Australia met early on Monday to discuss the crisis, with a spokesman noting insurers would need to scrutinise individual policies to determine coverage.

But Marsh Pacific head of cyber Gill Collins warned “a lot” of insurers were potentially exposed to losses from the crisis.

“We find 84 per cent of large corporations take out cyber insurance,” she said. “There will be some covered and some won’t.”

Ms Collins noted the Colonial Pipeline hack in 2021 was an example of the kind of short, sharp crisis that resulted in a circa $US15m ($22.5m) direct claim on insurers. “This is even bigger because of the number of systems impacted,” she said.

While several law firms on Monday told The Australian it was far too early to consider a class action, the Australian Competition & Consumer Commission warned most companies would struggle to use consumer law to take action against CrowdStrike as they acquired its services via other businesses.

“It is these businesses that may be obliged to provide a remedy to consumers impacted by the outage under the Australian Consumer Law’s consumer guarantees,” an ACCC spokeswoman said.

But the ACCC noted a “careful assessment of all the circumstances of the alleged failure” was needed to determine if compensation could be claimed. “Only a court or tribunal can make a determination as to whether there has been a failure to comply with a consumer guarantee, and if so, any compensation amounts a consumer may be entitled to, on a case-by-case basis,” she said.


Original URL: https://www.theaustralian.com.au/business/crowdstrikes-aussie-customers-must-agree-to-offshore-arbitration-in-compensation-battle/news-story/fa36a770aba18e1787fa71d4e4195f88