Revisiting Service-Level Agreements & Contractual Remedies in the Wake of the CrowdStrike Incident

It may sound like something out of a sci-fi film—but it happened in real life. One faulty software update caused debilitating outages worldwide. 

From hospitals to banks and airlines, many Fortune 500 businesses across the globe were impacted by the CrowdStrike IT outage. This outage took down a variety of Microsoft-based software and caused substantial financial losses and massive operational disruptions, paralyzing critical services and functions. Affected companies lost an estimated average of $43.6 million each. The repercussions were far-reaching, with industries relying on CrowdStrike's services scrambling to restore normalcy amidst the chaos. 

This incident has vividly highlighted the crucial need for businesses to thoroughly examine and fortify their service-level agreements (SLAs) with IT service providers. Standard tech E&O coverage limits can prove to be woefully inadequate in the face of such an extensive failure , underscoring the necessity for higher coverage limit layers, and more comprehensive SLAs among consumers of IT services. With affected organizations suffering such catastrophic financial losses, it’s clear that SLAs must go beyond merely covering the contract fee. Moving forward, businesses should insist on SLAs that provide meaningful protections and remedies to help mitigate revenue loss and business interruption. By ensuring these agreements address such catastrophic IT failures, companies can safeguard their interests and better protect future risks.

Reviewing & Strengthening SLAs

SLAs are foundational agreements that define the level of service expected from IT providers, including performance metrics, uptime guarantees, and remedies for service failures. However, many SLAs cap the provider’s liability at the value of the contract or fee agreement. This limitation can leave businesses vulnerable in the event of a significant outage or service failure. 

Key Considerations for SLA Review:

Liability Caps

• Assess the adequacy of liability caps. Instead of accepting a cap tied to the value of the contract, negotiate for higher limits that better reflect potential losses.
• Consider clauses that allow uncapped liability in cases of gross negligence or willful misconduct by the service provider.

Remedies & Compensation

• Ensure the SLA includes comprehensive remedies for service failures, including financial compensation for business interruptions and additional costs incurred due to the provider’s failure.
• Include provisions for expedited recovery and support in the event of a disruption.

Force Majeure & Exclusions

• Scrutinize force majeure clauses and exclusions to understand the circumstances under which the provider is excused from liability.
• Negotiate terms that limit the scope of these exclusions to ensure the provider remains accountable for avoidable disruptions.

Addressing Revenue Loss & Business Interruption

In light of this global incident, businesses must consider the broader implications of service disruptions on their revenue and operations. This includes examining potential avenues for recovery beyond the confines of SLAs.

Strategies for Mitigating Revenue Loss:

Comprehensive Insurance Coverage (to the extent available in the market)

• Beyond tech E&O insurance, consider obtaining business interruption (BI) and dependent business interruption (DBI) coverage. These policies can help cover revenue loss and additional expenses incurred during a service disruption.
• Ensure the definitions of covered events in these policies include non-malicious outages and system failures, not just cyberattacks.

Disaster Recovery & Business Continuity Planning

• Develop and regularly update disaster recovery and business continuity plans to minimize downtime and mitigate losses in the event of a service disruption.
• Conduct regular drills and audits to ensure the effectiveness of these plans.

Vendor Management & Redundancy

• Implement stringent vendor management practices to monitor and evaluate the performance and reliability of IT service providers.
• Consider redundancy measures, such as secondary providers or backup systems, to ensure the continuity of critical services during an outage.

Legal Recourse & Future Considerations

CrowdStrike's global It outage underscores the critical need for well-defined and enforceable contractual terms that offer sufficient remedies for business disruptions.

Legal & Contractual Actions:

Review Existing Contracts

• Conduct a thorough review of all contracts with IT service providers to identify any gaps or weaknesses in the current terms.
• Engage legal counsel to renegotiate contracts, ensuring that the terms provide sufficient protection and remedies for service failures.

Prepare for Litigation

• In cases where significant losses have occurred, be prepared to pursue legal action to recover damages. This may involve proving negligence or breach of contract by the service provider.
• Gather and document evidence of the financial impact and operational disruption caused by the outage to support any claims.

Safeguarding Against Future Disruptions

The CrowdStrike incident is a striking reminder of the importance of well drafted SLAs and comprehensive insurance coverage in managing professional liability risks. Businesses must proactively review and strengthen their contracts with IT service providers to ensure they have adequate remedies for service failures. By doing so, they can better protect themselves from the financial and operational impacts of future disruptions.

Moving forward, businesses should insist on SLAs that provide necessary protections and remedies for significant revenue loss and business interruption. By ensuring these agreements address such catastrophic IT failures, companies can safeguard their interests and mitigate future risks. Tech E&O insurance, while beneficial, may not always cover the extensive damages experienced, making comprehensive SLAs even more critical.

At Flow Specialty, we understand the intricacies of navigating these challenges and deliver clients comprehensive solutions and valuable insights. Our extensive market offerings and rapid quoting capabilities ensure quick and seamless coverage for tech professionals. We provide client-ready proposals and in-depth insights, enhancing decision-making with clarity and confidence. Secure policies effortlessly with our internal AI-powered tools and streamlined automation processes while benefiting from personalized attention and exceptional client service.

Help your clients bolster the stability and resilience of their businesses so they can focus on what they do best—driving progress to transform the future.

Explore our range of products and appetite.