Bulletin

A Series: Managing Legal Risk Associated with IT Outages Through Contracting Best Practices

Fasken

Overview

Information Technology Bulletin

On July 19, 2024, CrowdStrike, which is widely regarded as a leading global provider in the cybersecurity field, released an update for one of its security products. This update contained a defect that caused an IT outage[1] that has been described as the largest IT outage in history.[2] In response to this unprecedented event, Fasken’s Information Technology team is producing a series of bulletins detailing how organizations can manage the legal risks associated with IT outages.

Regulatory guidance and industry standard frameworks provide structured approaches to addressing common risks, and helpful (and, in some cases, mandatory) reference points for managing and mitigating that risk. By adhering to established guidelines and implementing common frameworks, service providers and customers can align expectations with respect to desirable and/or necessary contractual standards, as well as enhance risk management strategies, improve operational efficiency, protect against regulatory and commercial liability and turn compliance into a competitive advantage. 

Using Regulatory Requirements and Guidance to Mitigate Risk

Industry-specific regulators are increasingly focusing on organizational IT and data practices, a shift driven by the increasing importance of data security and the rapidly expanding vectors of cyber threats. 

The financial services industry is a prime example of a critical industry with regulators that actively provide guidance on IT risk management, and are prepared to scrutinize organizations that fall short of meeting such guidance.

For example, the Office of the Superintendent of Financial Institutions (“OSFI”) has established various guidelines—Guideline B-10 (Third-Party Risk Management) and Guideline B-13 (Technology and Cyber Risk Management)—that, among other things, set out expectations for how federally regulated financial institutions (“FRFIs”) are expected to identify and manage IT and cybersecurity risks.

One element of Guideline B-10 is particularly noteworthy in light of the CrowdStrike incident: the requirement to assess concentration risk. Concentration risk is a multi-modal risk that occurs at both the institutional and system level. Institution-specific concentration risk relates to risk of loss or harm to an FRFI resulting from overreliance on a single supplier, subcontractor or geography for multiple activities. Systemic concentration risk, meanwhile, relates to the risk arising from concentration in the provision of services by one supplier or geography to multiple FRFIs.

The CrowdStrike outage offers a different lesson from the perspective of systemic concentration risk. CrowdStrike is a leader in endpoint protection with close to a quarter of the market share, and it has been reported that the outage affected 70 per cent of Fortune 500 companies across different sectors and around the world. While Guideline B-10 advises FRFIs to be mindful of the effects of their service disruption on the broader system “to the greatest extent possible,” it does not provide meaningful guidance beyond that on the role FRFIs should play with respect to systemic concentration risk.

Note that OSFI is not the only regulator to consider. The CrowdStrike outage should serve as a reminder that service providers and user organizations would do well to consider and, as appropriate, heed regulatory guidance relating to issues arising from IT outages. Provincial regulatory bodies that oversee critical industries are increasingly providing guidance or imposing compulsory requirements with respect to IT management.[3]

Using International Standards and Frameworks to Align Expectations

Adopting and implementing widely-accepted international standards also reduces organizational risk from IT outages by aligning service providers and customers around a common set of tested and approved requirements and best practices.

Consider ISO/IEC 27001, a widely adopted and recommended standard for information security management systems (“ISMS”). It provides a framework for managing and protecting sensitive information, including aspects of risk management related to IT outages. By understanding these risks, organizations can implement appropriate controls to mitigate them. With human error being one of the most frequent causes of IT outages and downtime (as was the case with the CrowdStrike incident), organizations that receive ISO/IEC 27001 certification demonstrate that they have in place ISMS processes and protocols that could help avoid critical IT outages, including processes and protocols related to business continuity planning, regular testing and maintenance, incident management and employee training, among other things.

Similarly, the National Institute of Technology (“NIST”) Cybersecurity Framework (“CSF”) is a voluntary guideline for managing and mitigating cybersecurity risks. It is useful for Canadian organizations looking to implement comprehensive IT risk management strategies, including responses to outages. NIST released an updated version of the CSF (referred to as “CSF 2.0”) earlier this year, and it is now explicitly designed to help all organizations—not just those in critical infrastructure—to manage and reduce risks. The CSF 2.0 is organized by six Functions—Govern, Identify, Protect, Detect, Respond, and Recover—each of which contains detailed guidance and specific actions for organizations to take in order to manage risk. With cybersecurity representing one of the most significant enterprise-wide risks facing organizations, service providers that implement and adhere to CSF 2.0 can demonstrate to customers that they have fulfilled a duty of care to protect against data loss in the event of a critical IT outage.

Notably, the CSF can be integrated with other standards and frameworks, including ISO/IEC 27001 and ITIL (Information Technology Infrastructure Library), to provide a more comprehensive approach to managing risk and mitigating IT outages. The level of protection, and associated considerations, should be addressed as appropriate for the particular circumstances of the service provider and user organization.

Keep an eye out for additional coverage on how to prepare for and deal with the fallout of IT outages in the bulletins to follow in this series. 

Contact the Authors

For more information or to discuss a particular matter please contact us.

Authors

  • Andrew S. Nunes, Partner | CO-LEADER, TECHNOLOGY, MEDIA AND TELECOMMUNICATIONS, Toronto, ON, +1 416 865 4510, anunes@fasken.com
  • Paul Burbank, Associate, Toronto, ON | Ottawa, ON, +1 416 865 4427, pburbank@fasken.com
  • Dongwoo Kim, Articling Student, Toronto, ON, +1 416 865 5168, dwkim@fasken.com