The CrowdStrike outage highlighted two things: the consequences that can unfold when technology issues arise and the inherent risks of over dependence on technology.
It also acts as a stark reminder of the potential severity of the consequences that an outage or other technology failure could have on our lives, for example, if logistics, transport, critical infrastructure and key hospital facilities are unavailable or compromised. What happened with CrowdStrike presents an opportunity for proptech companies, property owners and developers, and the customers and users of proptech solutions to reflect and learn how to better protect themselves both legally and operationally.
One key takeaway from the CrowdStrike outage is the importance of due diligence and conducting a thorough stocktake of your ICT environment. Understanding the ICT environment and recognising which technologies are critical to operations and customer interactions is important. This involves identifying the type of technologies in use, their function, the vendor(s) and the contracts governing these technologies, including maintenance agreements and warranties. Stocktakes and due diligence activities should also:
- Consider and assess the risks and potential disruptions that might occur in the event of a technology outage or other failure, such as whether someone could get trapped in an elevator if the technology was unavailable due to an outage or failure.
- Determine if there are other technologies or manual processes that can quickly be used to restore and maintain operations if primary systems fail.
These activities can help to identify potential technology dependencies and vulnerabilities, allowing businesses to better prepare for unforeseen failures.
The CrowdStrike incident also highlighted the importance of maintaining business continuity and having appropriate continuity and contingency measures and plans in place. Businesses should conduct regular “fire drill” type tests to assess the responsiveness of their backup plans. This proactive approach can help to ensure that when technology fails, the measures and plans in place to mitigate the impact actually work. For those procuring proptech solutions, it’s best practice to impose contractual requirements on vendors to have their own business continuity and contingency measures and plans in place, too. Regular reviews, testing and updates of these measures and plans are essential to ensure that they remain up-to-date and effective over time.
With the CrowdStrike outage reportedly resulting from a configuration update triggering a “logic error” and a system crash, the importance of testing and validating technology updates and new releases is clear. Contracts should impose conditions on the provision and installation of software updates and new releases, and define who is responsible for technology maintenance activities, updates and new releases, especially when third parties are involved. Vendors should be accountable for ensuring that updates are thoroughly tested to prevent introducing bugs or defects that could compromise the system or cause outages. These measures are necessary to maintain the integrity and reliability of technology systems.
It’s also important to include performance accountability and incentivisation measures in contracts, for example, service levels. Service levels should be clearly defined and formulated to drive performance and prompt and timely responses to ICT incidents and problems.
Liability and accountability for outages and technology failures should be properly addressed in contracts. In particular, when developing and negotiating contracts for proptech (and broader ICT) solutions, customers and users of those solutions should always factor in the potential impacts of technology outages or failures to ensure that their businesses and operations (and those of their clients and customers) are not unduly exposed to any risks or adverse consequences from such outages or failures.
Lastly, property owners and developers using or relying on technologies should seek appropriate expertise, including technical, insurance and legal advice. It’s important that all potential risks are understood and mitigated, particularly given the severity of consequences that could occur in the event of an outage or failure.
The “blue screen” issue that unfolded with CrowdStrike came out of the blue, but it offers valuable lessons for proptech businesses and other technology dependent industries. The event serves as an important reminder of the need for comprehensive preparation and robust contingency planning and contractual agreements to mitigate the risks of technology issues. As technology continues to evolve and integrate further into business operations, these lessons are more relevant than ever.
Andrew Steele, real estate partner, Clayton Utz; Monique Azzopardi, special counsel, Clayton Utz
You are not authorised to post comments.
Comments will undergo moderation before they get published.