Who’s liable for tech glitches that upend a company’s operations?

Asha Palmer, senior vice president of compliance at software maker Skillsoft.
Courtesy of Asha Palmer/Skillsoft

When a vendor’s tech glitch takes down a business, whether for just a few hours or several days, who should pay?

It’s a question many are asking after a faulty software update from cybersecurity company CrowdStrike last month crashed millions of Windows-based devices, leading to corporate chaos, lost sales, and millions of dollars spent trying to fix the problem.

The answer, it turns out, is complicated, hinging on the fine print in the contracts that businesses sign with their software vendors. Companies also frequently buy insurance to cover any disruptions, although the policies vary in paying out when third-party tech providers are responsible for the disaster.

What is clear is that many employers, burned by the CrowdStrike outage, are suddenly paying a lot closer attention to their software vendor contracts to better understand who’s liable when tech fails.

Michael Mainiero, the chief digital and information officer at Catholic Health Long Island, says he’s now performing quarterly status checks on vendor contracts after a big part of the New York-based hospital system was taken down by the CrowdStrike outage. He’s also ensuring Catholic Health has an updated point of contact for all of the company’s vendors to know who to call if and when things go south.

But Mainiero has no plans to require vendors to agree to larger legal liability in the event of a system breakdown. He fears it would create a disincentive for vendors to remotely update their software for fear that it, like CrowdStrike’s, could end in a tech disaster.

“If you’re making it onerous for a vendor to update something, you could weaken your cybersecurity posture and increase your risk exposure,” Mainiero says, adding, “My focus is to build strong collaborative relationships with the vendors, and during the crisis, have the ability to work together seamlessly and bring the system online quickly.”

Delta Air Lines, which had to cancel thousands of flights following CrowdStrike’s outage, has taken a far more aggressive stand. It has said that it would seek $500 million from CrowdStrike for lost revenue and extra costs. In response, CrowdStrike said its contract with Delta limits its liability to less than $10 million.

Sean Scranton, a cyber risk expert at insurance provider WTW, says a broad group of stakeholders, including the chief information security officer, legal department, risk managers, and internal auditors, should work together to agree on liability language in contracts.

After an initial risk assessment, companies should consider ways to reduce the potential trouble spots they identify, including requiring extra approvals for software updates from vendors like CrowdStrike. That human oversight would be an extra expense for the customer. Companies using third-party software could also reduce their financial risk of a meltdown by taking out insurance or by accepting the risk and planning a detailed response for when things go wrong.

“Everyone is responsible for managing risks and making sure that if incidents do occur, we keep the severity low,” says Scranton. 

The CrowdStrike fiasco shows that business customers may have been too trusting of software vendors and that healthier skepticism may be needed, says Asha Palmer, senior vice president of compliance at software maker Skillsoft. Vendors should tell customers about any upcoming tweaks to their products, including software updates and any hiccups they encountered in the development process, she says, but customers must also create systems that protect themselves against faulty software.

“There is a mutual accountability between the vendors that service you and you being the person who is being serviced,” says Palmer.

Steven Weisman, a partner at law firm McCarter & English, says traditional business disruption insurance wouldn’t cover a CrowdStrike-type event. But some policies that specifically cover cyber failures may reimburse customers for some of the lost revenue and extra expenses caused by a third-party software provider’s mistakes.

Corrie Hurm, head of claims at insurance broker Embroker, says most insurance that covers business interruptions requires certain triggers for payouts: Was it a system outage? Or a cyber attack? Each event can come with varying degrees of insurance coverage. 

But often, those insurance policies require companies like Delta to implement their own checks and balances for when things go awry. Businesses should also use a diversity of software and hardware vendors, Hurm says, advice that’s contrary to the push by many IT leaders to reduce the number of vendors they work with.

“If you’re putting all your eggs in one basket and there’s an outage like this one, you have a major problem,” says Hurm.

John Kell

NEWS PACKETS

Tech layoffs continue to be pegged to AI reshuffling. For months, companies have been cutting tech jobs so they can invest more in artificial intelligence. The trend continued this week with recent job layoffs announced by General Motors and Cisco Systems. GM said it would cut around 1,000 software workers globally as it focuses on more “high-priority” initiatives, including the use of AI and improving the auto company’s driver assistance system. Cisco, meanwhile, disclosed its second round of layoffs in 2024, this time cutting 7% of employees as it focuses more on AI and cybersecurity. In June, the networking equipment maker said it intended to invest $1 billion in tech startups like Cohere and Mistral.

California AI regulation bill takes shape. In the absence of comprehensive federal regulation on AI, states are moving forward with their own efforts to restrict the emerging technology. The latest legislation under consideration is in California, where a state assembly committee endorsed a version of the bill that would require companies to test the safety of AI before releasing it publicly. California’s attorney general would also be empowered to sue companies if their technologies cause serious harm. The bill has led to fierce debate in Silicon Valley over whether it would help or harm AI innovation.

AMD to buy ZT Systems in greater AI push. Chipmaker AMD, the sponsor of this newsletter, on Monday said it planned to pay $4.9 billion in cash and stock to acquire server maker ZT Systems, as AMD aims to expand its portfolio of AI chips and hardware to better position itself to compete with market leader Nvidia. Adding ZT Systems’ engineers to the AMD workforce will allow AMD to more quickly test and roll out AI graphics processing units, known as GPUs, at the scale that cloud computing giants like Microsoft require, Reuters reports. “It really helps us deploy our technology much faster because this is what our customers are telling us [they need],” AMD CEO Lisa Su told the Financial Times.

ADOPTION CURVE

AI’s ROI may take time, but spending plans are on the rise. A survey of 600 CIOs and senior IT decision-makers found that organizations expect to see a return on their AI investments in two years, on average. However, almost a quarter expect the ROI will take four years or even longer, according to the survey by FTI Consulting on behalf of IT firm UST.

A scarcity of talent and concerns about data privacy and algorithmic bias continue to be among the top hurdles preventing greater adoption of AI technologies. But the findings also show that AI spending is still rising. One in 20 IT leaders, all representing companies with annual revenue of $500 million or more, is now spending over half of their tech budget on AI implementation. One in five predicts they will be doing so within three years.

Graphic courtesy of UST

JOBS RADAR

Hiring:

- Working America is seeking a chief technology officer, based in the Washington-Baltimore region. Posted salary range: $160K-$190K/year.

- United States Institute of Peace is seeking a CIO, based in Washington. Posted salary range: $180.1K-$191.9K/year.

- Credit Karma is seeking a CTO, based in Oakland. Posted salary range: $375K-$470K/year.

Hired:

- Disney has named Adam Smith as chief product and technology officer for Disney Entertainment and ESPN, where he will be responsible for driving technology strategy, proprietary advertising tech, and emerging technologies. Prior to Disney, Smith most recently served as VP at YouTube and worked at the online video platform and Google for more than 20 years.

- Mattel announced Sai Koorapati as senior vice president and CTO, effective August 19, and reporting to CFO Anthony DiSilvestro. Koorapati joins the toy maker from Topgolf Callaway Brands. At Mattel, he will oversee all tech innovation, including AI, connected product design, and online security and privacy.

- Stability AI announced the appointment of Hanno Basse as CTO, after most recently serving in the same title at visual effects and digital production company Digital Domain. Basse also previously served as CTO of Microsoft Azure Media and Entertainment and at 20th Century Fox Film Corp.

- Empower AI has named Dr. Jennifer Sample as CTO, joining the federal agency IT services provider from Accenture Federal Services, where she was managing director and executed their AI strategy.

- DUAL appointed Scott Noerr as CIO to implement technology for the underwriting arm of insurance broker Howden Group Holdings. Noerr previously worked as CIO at National Interstate Insurance Company and held roles at Avery Dennison Label and Packaging Materials and Goodyear.

- Upstart 13 has named Mitch Comardo as CTO, joining the software firm after prior leadership positions at OneCare, HigherEducation.com, and PROS.

This is the web version of CIO Intelligence, a weekly newsletter on the tech, trends, and news IT leaders need to know.