The CrowdStrike update that resulted in the world's largest IT outage to date has generated many comments, but its impact raises not just a number of questions about the company, but also several lessons across multiple sectors, some more obvious than others.
The very first question for CrowdStrike is how its enforcement of the SDLC failed so badly when it is such a fundamental IT general control. How did that code move from the development environment to production without sufficient testing? A follow-on, less obvious question is whether CrowdStrike utilises offshore or hybrid software developers, either offshore-owned or as contractors. This is a cost-efficient mode of development utilised by most large entities.
The next major question is whether the company is certain that this was not a cyber-related failure arising from AI hallucination and developers' use of LLMs for their daily coding work. This is more common than one might think, and controls on offshore developers are notoriously difficult to enforce, but cost reductions are driven by ownership structures (in this case a listed entity that therefore needs to generate dividends).
In terms of lessons, which cyber reinsurers', insurers' or CRQ companies' models came closest in predictive accuracy as to the financial losses? And how should such incidents be embodied within T&Cs, for everybody's clarity, when impacts arising from AI hallucination may be classed as cyber-related losses?
Another major lesson concerns how to manage vendor risk, given that the outage was caused primarily by MS365/Teams cloud-based applications that were impacted by a third-party cloud security vendor.
Thales's 2022 report highlights that, due to a global shortage of specialist cloud security resources, over 70% of entities rely upon either the cloud provider or a third-party vendor for their cloud security. The limited number of such vendors exacerbates the concentration risk.
Finally, IT outage models need to account for such cascading impacts. Certain industries are well versed in this, but risk carriers and CRQ vendors focus upon cloud outages rather than non-cyber IT incidents. This may change as a result of the CrowdStrike event.