Recently, an investigation of the CrowdStrike board of directors was launched to determine if its members “failed to manage CrowdStrike in an acceptable manner, in breach of their fiduciary duties to CrowdStrike, and whether CrowdStrike and its shareholders have suffered damages as a result.” The investigation is related to the massive IT outage in July that involved a defective software update distributed by CrowdStrike that resulted in major disruptions to airlines, financial institutions, retail outlets and many other businesses.
The risk that corporate board members could be sued and found personally responsible for incidents such as these or other errors that are made in the normal operations of a company has increased significantly in recent years. Unfortunately for CrowdStrike, the company is facing shareholder lawsuits seeking damages as well as potentially more lawsuits from businesses that were hurt by the IT outage, such as airlines whose computer systems went down and that had to reimburse stranded passengers who couldn’t board flights.
Just yesterday, addressing lower-than-forecast revenue and a $.45 adverse hit to earnings, Delta Air Lines’ CEO Ed Bastian told Yahoo Finance: “We had 86 great days, and we had five days that were impacted, caused by CrowdStrike.” To underscore where the blame lies, he later added, “People know that. That was not something that was attributable to our business or our performance, it was something that was done to us.”
It is reasonable to expect that with the increased use of technology in business operations, incidents such as what happened to CrowdStrike will happen with more frequency. The rising threat of cybersecurity breaches and the unknown nature of potential problems with increased use of artificial intelligence in business operations heighten the risk of future lawsuits. In light of these uncertainties, corporate board members might consider the following:
• Conduct a technology audit. It might be a good time for corporate boards to re-evaluate any technological transformation plans that have been completed or are in the works. Are the company’s technology systems, including hardware, software, network architecture and data governance apparatus, in alignment with each other? Are there technological upgrades missing? How quickly can the technology provider fix problems? Are there backup plans in case systems fail? Having a record of such an audit will help prove that the board was actively involved in protecting the company from cyber risk even if an unfortunate situation unfolds.
• Adopt cybersecurity best practices. The government suggests companies do the following to avoid data breaches and other cybersecurity risks:
- Train employees to use multi-factor authentication and to avoid phishing emails and suspicious downloads
- Secure all Wi-Fi and communication networks
- Use antivirus software and keep all software updated
- Monitor and manage Cloud Service Provider (CSP) accounts
- Secure, protect, and back up sensitive data
• Review and upgrade D&O insurance and cyber risk insurance coverage. Insurance coverage that might have been adequate two years ago is likely outdated now. Seeking advice on what is appropriate for today’s risk environment would be prudent. Making sure coverage extends to the failures of third-party suppliers and to problems that occur in international jurisdictions could be very important.