Lessons Learned from the CrowdStrike Outage: 5 Strategies to Build Cyber Resilience

Cyber Resilience

This insight is part 03 of 11 in this Collection.

August 1, 2024

The CrowdStrike incident showed that organizations need to be prepared for cyber incidents, malicious or not, and for the widespread business interruption that interconnected systems and suppliers can cause. Read more about how to build cyber resilience effectively.

The global CrowdStrike IT outage demonstrated that even a non-malicious incident can have serious repercussions. Events like this are a wake-up call for businesses to review their cyber resilience and prepare for more significant incidents in the future.

Key Takeaways
  1. The CrowdStrike event was a global warning, underscoring the urgent need for robust cyber resilience strategies in the face of growing cyber threats and vulnerabilities.
  2. Though the event was not the result of malicious actors, there are practical lessons for businesses to learn on operational continuity, crisis management and cyber resilience.
  3. Businesses should remain vigilant against opportunistic cyber crime following the CrowdStrike outage, as failing to do so may result in a variety of costly exposures.

On July 19, 2024, a faulty content update to CrowdStrike's Falcon sensor for Windows caused affected hosts to crash, producing an IT outage that disrupted business operations worldwide. While initial fears of a major cyber attack proved unfounded, the event's impact was significant and exposed weaknesses in organizations' operational and cyber resilience.

In response to the CrowdStrike outage, businesses should review their crisis management frameworks, with a focus on these five lessons learned to build sustained cyber resilience. Doing so will help businesses identify, assess, mitigate and transfer cyber risk and be better prepared to recover should an attack occur. 

1. Put Incident Response Plans to the Test

Having a well-prepared and defined incident response plan is crucial for mitigating the impacts of IT disruptions and cyber attacks. However, the truest measure of plan effectiveness is how it performs when tested in real-world scenarios.  

The CrowdStrike outage gave businesses an opportunity to evaluate how well their plan works and what improvements can be made. A key element of an incident response plan is knowing when to activate it. The outage demonstrated the need for clear activation thresholds that senior decision-makers understand, so that they can assess the situation and trigger the plan promptly. A plan that is activated late, or not at all, does little to minimize business impact.

During an Aon webinar held one week after the event, 83 percent of those polled reported having an incident response plan in place, and 76 percent said it performed well following the CrowdStrike outage. These figures are encouraging, but they also mean that roughly one in six respondents had no plan and roughly one in four had a plan that did not perform well: a resilience gap that could become critical when a future incident is more severe or longer-lasting. Businesses that take the time to review how their operations responded to the CrowdStrike outage will be better positioned to handle the next one.

Even organizations that were not directly affected (of those polled, 32 percent were indirectly impacted, compared to 30 percent who were directly impacted) can draw lessons about supply chain exposure: a supplier's outage becomes your outage. This underscores the need to review third party relationships and interdependencies when developing and improving contingency plans.


Incidents like the CrowdStrike outage highlight the importance of evaluating how well crisis management frameworks perform under pressure. Organizations need to consider regular crisis management testing to identify and address vulnerabilities.

David Molony
Head of Cyber Solutions, Europe, the Middle East and Africa

The Risk Landscape

Consider the risks that may have been introduced into the environment as a result of this outage, and similar vulnerabilities that could manifest in future cyber incidents.

  • Financial Loss

    This could take the form of direct revenue loss, the costs incurred to resolve the issue, and the time and revenue lost while getting systems back online.

  • Susceptibility to Cyber Attacks

    Though the CrowdStrike outage was not a cyber attack, businesses should be prepared for opportunistic attacks in its aftermath. Typical examples are phishing emails and phone calls impersonating the vendor's support staff, and "fix" scripts or utilities offered from unofficial sources. Remediation instructions should be taken only from the vendor's official channels, and any remediation tooling should be verified before it is run on affected systems.

  • Reputational Damage

    Customer trust may be impacted if service disruption was severe or consequential. Market position may also be impacted.

2. Consider Legal Implications and Consequences  

Accurately assessing the type and extent of loss is foundational to a successful mitigation and recovery strategy. This should encompass initial revenue losses as well as business interruption and potential future losses, including legal and regulatory exposures. It’s crucial to identify these losses early on and monitor them consistently, as they will significantly influence overall recovery strategies.   

Consider the potential and actual impact of the outage on customers, clients and employees, and implement appropriate mitigation steps. Beyond the financial repercussions, failing to address these impacts can lead to reputational damage or loss of trust, thereby increasing the risk of claims. For instance, if customers are unable to access their data or the services they pay for, it is imperative that appropriate steps are taken to mitigate this impact.  

Customer-facing communications must be managed with care, ideally guided by legal advice and input from key C-suite decision-makers. Communication that is responsive, transparent and legally compliant maintains trust and manages expectations. Consider also what contingencies are in place for employee communications if, for example, Microsoft Teams and Outlook are unavailable at the same time. Addressing an overreliance on a single provider by ensuring there are back-up communication channels is one positive outcome of the CrowdStrike outage that can improve cyber resilience.

3. Understand Cyber Coverage and Claims  

The insurance risk transfer market's initial response following the CrowdStrike outage was to classify it as a system failure event. This distinction is critical, as non-malicious system failure is often not a covered peril under cyber insurance policies, or is covered only as an optional extension. Coverage could, however, be available under an organization's other policies, including errors and omissions (E&O) and directors and officers (D&O) liability. There may also be professional indemnity exposures, for example if a contracted service was not delivered as agreed.

Events like the CrowdStrike outage should be viewed broadly, considering all possible insurance implications. For instance, D&O policies could be triggered if directors and officers are held liable for failing to manage the risks associated with the incident effectively. Relying solely on cyber insurance policies in the event of a large-scale IT outage may be insufficient when managing complex risk exposures. 

Source: Global CrowdStrike IT Outage: Aon Observations Webinar

4. Define Claims and Gather Evidence 

After the initial incident response, including the implementation of crisis management plans and due diligence for the return to business, the focus will likely shift to recovery and claims. Insurers will require evidence of the impact and of the response to the incident. To provide it effectively, it is important to:

  1. Record the time of impact of the event on your systems. In the case of CrowdStrike, this means documenting when the faulty update reached each system and when the first failures were observed.
  2. Identify impacted systems. Record the key platforms, systems or endpoints that were affected and how this impacted business operations.
  3. Document operational impacts with precision. Create a record of business areas no longer able to perform key duties, noting duration of impact and what mitigation steps were taken.
  4. Assess your policy terms and conditions. Review key areas of coverage in your policy to assess how waiting periods, retentions and other features may apply.
  5. Address internal priorities and external communications. Define key stakeholder roles for the duration of the claims process. Ascertain and agree on messaging.
  6. Quantify the impact. Capture financial losses and log incremental expenses incurred with data and documentation for the claim process.

It is the responsibility of the insured to present their losses to insurers. 
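The six steps above produce a set of records that an insurer will want to see as a consistent timeline: when each system failed, when it was restored, which business areas were affected and for how long, and how the outage measures against the policy's waiting period. The following script, added here as an illustration and not part of Aon's article or any insurer's tooling, assembles that timeline from per-host records. The hostnames, business areas, timestamps and mitigation notes are constructed for the example; in practice they would come from endpoint event logs, the EDR console or the ticketing system. The eight-hour waiting period and the way it is applied (to the interruption as a whole, from first failure to last restore) are assumptions, and the policy wording governs in a real claim.

```python
"""Assemble an outage-impact timeline for a claims file from per-host
crash/recovery records. Added example; input data is constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class HostRecord:
    host: str
    business_area: str
    first_failure: datetime     # first crash / loss of service observed on the host
    restored: datetime | None   # back in service; None if still down at reporting time
    mitigation: str             # what was done, for the claims narrative


# Constructed sample evidence: hostnames, areas, times and notes are illustrative only.
SAMPLE_RECORDS = [
    HostRecord("pos-lon-01", "Retail", datetime(2024, 7, 19, 4, 11, tzinfo=UTC),
               datetime(2024, 7, 19, 9, 40, tzinfo=UTC), "manual recovery by field technician"),
    HostRecord("pos-lon-02", "Retail", datetime(2024, 7, 19, 4, 12, tzinfo=UTC),
               datetime(2024, 7, 19, 11, 5, tzinfo=UTC), "manual recovery by field technician"),
    HostRecord("erp-app-01", "Finance", datetime(2024, 7, 19, 4, 9, tzinfo=UTC),
               datetime(2024, 7, 19, 6, 30, tzinfo=UTC), "restored from VM snapshot"),
    HostRecord("kiosk-man-07", "Retail", datetime(2024, 7, 19, 4, 15, tzinfo=UTC),
               None, "awaiting on-site recovery"),
    # Deliberately inconsistent row (restored before failure) to show validation.
    HostRecord("hr-portal-01", "HR", datetime(2024, 7, 19, 5, 0, tzinfo=UTC),
               datetime(2024, 7, 19, 4, 50, tzinfo=UTC), "rebooted"),
]
AS_OF = datetime(2024, 7, 19, 18, 0, tzinfo=UTC)   # reporting cut-off (assumed)
WAITING_HOURS = 8                                   # assumed policy waiting period


def validate(records: list[HostRecord]) -> list[HostRecord]:
    """Return rows whose timestamps cannot be right (restored before failure).
    Such rows must be corrected before anything is sent to the insurer."""
    return [r for r in records if r.restored is not None and r.restored < r.first_failure]


def event_start(records: list[HostRecord]) -> datetime:
    """Time of first impact across the estate: the anchor for waiting periods."""
    return min(r.first_failure for r in records)


def host_downtime(rec: HostRecord, as_of: datetime) -> timedelta:
    """Outage duration for one host; an unrestored host counts as down until as_of."""
    end = rec.restored if rec.restored is not None else as_of
    return max(end - rec.first_failure, timedelta(0))


def impact_by_area(records: list[HostRecord], as_of: datetime) -> dict[str, dict]:
    """Per business area: hosts hit, first impact, last restore (None while any
    host is still down) and total host-hours of downtime."""
    groups: dict[str, list[HostRecord]] = defaultdict(list)
    for r in records:
        groups[r.business_area].append(r)
    summary = {}
    for area, recs in groups.items():
        still_down = any(r.restored is None for r in recs)
        total = sum((host_downtime(r, as_of) for r in recs), timedelta(0))
        summary[area] = {
            "hosts": len(recs),
            "first_impact": min(r.first_failure for r in recs),
            "last_restore": None if still_down else max(r.restored for r in recs),
            "host_hours_down": round(total.total_seconds() / 3600, 2),
        }
    return summary


def hours_beyond_waiting_period(records: list[HostRecord], as_of: datetime,
                                waiting_hours: float) -> float:
    """Interruption hours after the waiting period, measured on the event as a
    whole (first failure to last restore or as_of). A first estimate only; how a
    waiting period applies depends on the policy wording."""
    start = event_start(records)
    ends = [r.restored if r.restored is not None else as_of for r in records]
    beyond = (max(ends) - start) - timedelta(hours=waiting_hours)
    return max(beyond, timedelta(0)).total_seconds() / 3600


def build_claims_timeline(records: list[HostRecord], as_of: datetime,
                          waiting_hours: float) -> dict:
    """Validate the evidence, then summarise it the way a claims adjuster will ask for it."""
    bad = validate(records)
    clean = [r for r in records if r not in bad]
    return {
        "rejected_records": [r.host for r in bad],
        "event_start": event_start(clean),
        "by_area": impact_by_area(clean, as_of),
        "hours_beyond_waiting_period": hours_beyond_waiting_period(clean, as_of, waiting_hours),
    }


if __name__ == "__main__":
    for key, value in build_claims_timeline(SAMPLE_RECORDS, AS_OF, WAITING_HOURS).items():
        print(f"{key}: {value}")
```

The rejected-records list matters as much as the totals: a timeline that contains impossible timestamps undermines the credibility of every other figure in the claim, so inconsistent rows are surfaced rather than silently clamped to zero. Keeping a host that is still down open until the reporting cut-off, instead of dropping it, also ensures the host-hours figure is a floor rather than an undercount.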

5. Strengthen Business Resilience in Response to the CrowdStrike Outage 

Conducting a thorough risk assessment in the aftermath of the CrowdStrike outage is essential. It will help organizations identify gaps in existing incident response plans and devise strategies to mitigate future incidents. Understanding the organization's risk exposure is the first step toward effective mitigation.


Following the CrowdStrike outage, the biggest areas of focus for organizations that are considering how to enhance their cyber resiliency should be business continuity planning and financial impact analytics.

Brent Rieth
Head of Cyber Solutions, North America

Although the business and operational impact of the CrowdStrike outage proved limited for many organizations, this may not be the case for future incidents. Ensuring long-term cyber resilience means learning from such events and building the lessons into future plans. By proactively addressing weaknesses and improving resilience strategies, businesses can better prepare for and mitigate the impact of future events.

Learn more about how organizations can build sustained cyber resilience by identifying, assessing, mitigating and transferring cyber risk, while still safeguarding their balance sheets.

Key Contacts

David Molony
Head of Cyber Solutions, EMEA

Adam Peckman
Global Cyber Risk Consulting Leader and Head of Cyber Solutions, APAC

Brent Rieth
Head of Cyber Solutions, North America

Sergio Torres
Financial & Professional Services, Cyber & Crisis Management, LATAM

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.
