A Note to In-House Counsels: Digital Resilience in the Wake of the CrowdStrike Outage

Thu 01 Aug 2024

Dear In-House Counsels,

In the wake of the recent service interruptions caused by the significant outage at CrowdStrike, organizations across the globe have been prompted to scrutinize the resilience of their own systems and vendor relationships. The consequences of the outage were serious and far-ranging: that Delta has hired Boies Schiller Flexner to represent the company in seeking damages it incurred in connection with the outage (amounting to approximately $500 million of costs to the airline) speaks exactly to that point.

As an in-house lawyer, you sit at the crossroads of legal oversight and strategic risk management.

Given last week’s crisis, it’s imperative to ask yourself: Has my organization conducted a thorough risk assessment on my key vendor contracts recently? Are we aware of the legal issues relating to potential similar incidents that may occur in the future? If your organization provides Software-as-a-Service (SaaS) products, are your teams aware of performance obligations and in compliance with any applicable security and compliance standards?

The outage serves as a stark reminder of the interconnected nature of our digital ecosystem and the cascading effects a single vendor's issues can have across multiple businesses. It's a clear call to action for in-house counsels to ensure that their organizations are legally protected and operationally prepared for such events.

One critical area to address is the presence of specific clauses in your vendor contracts that can mitigate the impact of outages and other disruptions. These clauses typically include business continuity plans and disclaimers of warranty, each serving as protection in unforeseen circumstances. But the question remains: Are you fully aware of the protective measures laid out in your contracts? And perhaps more importantly, do you have the time and resources to conduct a comprehensive review?

In today's fast-paced business environment, it's common for in-house counsels to grapple with time constraints and resource limitations. A recent survey by global legal practice Dentons found that “46% of in-house counsel around the world report that their greatest challenge in supporting their organization’s revenue objectives is their team being stretched ‘too thinly.’” Accordingly, it can be a real challenge to maintain a detailed understanding of every clause in every contract.

However, with the advent of advanced legal technologies, time and resource constraints no longer have to be a limiting factor. If your outside counsel is attuned to your organization’s specific needs and equipped with AI-powered tools like Kira, they can expedite the review process of your vendor agreements, whether in-bound or out-bound. Kira's machine learning algorithms, combined with optional generative AI, are designed to automatically identify, extract, and summarize pertinent information from contracts, including those critical clauses related to business continuity, disclaimers, performance obligations, service levels, and more.

To illustrate how contract review platforms can be leveraged to quickly develop insights when time is of the essence, and to gain an understanding of how frequently contractual protections are included to address outages and service interruptions, we used Kira and its Built-in Intelligence to review and analyze 121 SaaS agreements publicly filed with the United States Securities and Exchange Commission’s EDGAR database.

Highlights of the results we found (and anonymized)—in just a matter of minutes—are below:

  • Interestingly, only 18 of the 121 agreements (15%) included clauses regarding business continuity, like:
    • Service Provider has an ongoing Business Continuity program that covers its primary locations as well as a Disaster Recovery program for restoring its data center operations.
    • In the event of a disaster that impacts the ongoing operation of one or more of [Vendor]’s hosted applications (“the Application(s)”), this Disaster Recovery Plan (“the DR Plan”) defines the procedures that will be implemented to ensure complete and timely recovery.
    • [Vendor] represents and warrants that its enterprise business continuity program complies with ISO 22301 standards. [Vendor] shall also comply with the business continuity requirements set forth in the Vendor Agreement between the Parties dated September 12, 2013, as amended, incorporated herein by reference.
       
  • An overwhelming majority (88%) of SaaS agreements included disclaimer of warranty clauses, such as:
    • [Vendor] does not warrant the operation of the Software will be uninterrupted or error free.
    • Notwithstanding the foregoing and in addition to any disclaimers set forth in this Agreement, the Company: (a) does not warrant that the Services will operate error free or without interruption or bugs; nor that the Services will meet the Customer's requirements or expectations;
    • [W]e do not warrant that your use of the Services and the Client’s use of the Client Workspace will be uninterrupted or error-free.
       
  • 38 of the 121 agreements (31%) included references to the term “outage”:
    • No period of SaaS Service degradation or inoperability will be included in calculating Availability to the extent that such downtime or degradation is due to any of the following ("Exceptions") . . . Failure, interruption, outage, or other problem with any software, hardware, system, network, facility or other matter not supplied by Service Provider pursuant to the SaaS Agreement or this Schedule.
    • If [Vendor] determines that a timely reported outage was attributable to [Vendor], then [Vendor] will credit Customer 1-day of Service fees for every 2 hours of downtime Customer experienced, up to a maximum of half of that month’s Service fees.
    • To be eligible, the credit request must be received by us within 30 days of the occurrence of the incident and must include . . . your request logs or screenshots that document the errors and corroborate your claimed outage.

By leveraging technology, organizations and their outside counsels can ensure that vendor contracts are not only thoroughly reviewed for risk exposure but are also aligned with best practices and the organization's risk appetite. This proactive approach can save invaluable time and provide peace of mind that your contractual safeguards are in place and effective.

As we navigate an era where third-party dependencies are integral to our operations, it's essential to be proactive rather than reactive. An outage like the one experienced by CrowdStrike is more than an inconvenience—it's a wake-up call to reinforce our legal and operational defenses.

In conclusion, in-house counsels should consider the following action points:

  • Prioritize a risk assessment of your key vendor contracts if you haven't done so recently.
  • Ensure that your contracts contain provisions addressing business continuity plans, outages, and similar incidents that appropriately reflect your organization's needs and the current risk landscape.
  • Work closely with your outside counsel to understand the implications of your findings and to adjust your strategies accordingly.

The roles of in-house and general counsels are more critical than ever in safeguarding the interests of your organization, whether as a customer or as a provider of services. Litera is here to support you as you undertake the necessary steps to ensure that your vendor contracts are a strategic asset in maintaining business continuity and resilience.

Sincerely,

Your friends at Litera

To learn more about Kira’s unparalleled accuracy in contract reviews, outside counsel guidelines, and beyond, read our blog The Importance of Accuracy in Legal AI Technology.

