Who is liable for technical malfunctions that disrupt a company’s operations?
Who should pay if a supplier’s technical defect paralyzes business operations for a few hours or several days?

That’s the question many are asking after a faulty software update from cybersecurity company CrowdStrike crashed millions of Windows-based devices last month, causing chaos for businesses, lost revenue and millions of dollars spent trying to fix the problem.

The answer is complicated because it depends on the fine print in the contracts companies sign with their software vendors. Companies also often take out insurance to cover disruptions, but policies vary in terms of what they pay out when outside technology providers are responsible for the disaster.

What is clear is that many employers who were harmed by the CrowdStrike outage are suddenly taking a much closer look at their contracts with software vendors to better understand who is liable in the event of technical outages.

Michael Mainiero, the chief digital and information officer at Catholic Health Long Island, says he now conducts quarterly status checks on vendor contracts after the CrowdStrike outage shut down much of the New York City hospital system. He also makes sure Catholic Health has an up-to-date point of contact for all of the company’s vendors so they know who to call if something goes wrong.

However, Mainiero does not plan to impose greater legal liability on vendors in the event of a system failure. He fears this would discourage vendors from updating their software remotely for fear that doing so could end in a technical disaster like CrowdStrike.

“If you make it difficult for a vendor to update something, you potentially weaken your cybersecurity posture and increase your risk exposure,” says Mainiero, adding, “My focus is on building strong collaborative relationships with vendors and having the ability to work seamlessly together during the crisis and get the system online quickly.”

Delta Air Lines, which had to cancel thousands of flights after the CrowdStrike outage, has taken a far more aggressive stance. The airline announced it would seek $500 million from CrowdStrike for lost revenue and additional costs. CrowdStrike responded by saying that its contract with Delta limited its liability to less than $10 million.

Sean Scranton, cyber risk expert at insurance provider WTW, says a broad group of stakeholders, including the chief information security officer, legal department, risk managers and internal auditors, should work together to agree on liability provisions in contracts.

After an initial risk assessment, companies should consider ways to mitigate the potential pain points they have identified. This includes, for example, requiring additional approvals before software updates from vendors such as CrowdStrike are rolled out. This human oversight would come at an additional cost to the customer. Companies using third-party software could also reduce their financial risk by purchasing insurance, or by accepting the risk and planning a detailed response in case something goes wrong.

“Everyone is responsible for risk management and making sure we minimize the severity of incidents if they occur,” says Scranton.

The CrowdStrike fiasco shows that business customers may be putting too much trust in software vendors and that a healthier skepticism is in order, says Asha Palmer, senior vice president of compliance at software maker Skillsoft. Vendors should inform their customers of any upcoming changes to their products, including software updates and any problems that arose during the development process, she says, but customers also need to develop systems that protect them from faulty software.

“There is a mutual responsibility between the providers who serve you and you as the person being served,” says Palmer.

Steven Weisman, a partner at law firm McCarter & English, says traditional business interruption insurance would not cover an event like the CrowdStrike outage. However, some policies that specifically cover cyber outages can reimburse clients for some of the lost revenue and additional expenses incurred due to errors by a third-party software vendor.

Corrie Hurm, head of claims at insurance broker Embroker, says most policies that cover business interruption require certain triggers for payouts: Was it a system failure? Or a cyberattack? Each event can come with different insurance coverage.

But often these insurance policies require companies like Delta to implement their own controls in case something goes wrong. Companies should also use a variety of software and hardware vendors, Hurm advises. That advice runs counter to the efforts of many IT leaders to reduce the number of vendors they work with.

“If you put everything on one card and then you have a failure like this, you have a big problem,” says Hurm.

John Kell

Send your thoughts or suggestions to CIO Intelligence here.

NEWS PACKETS

Layoffs in the technology sector continue to be linked to restructuring around AI. For months, companies have been cutting technology jobs to invest more in artificial intelligence. That trend continued this week with the layoffs recently announced by General Motors and Cisco Systems. GM said it would cut around 1,000 software employees worldwide as it focuses on other “high priority” initiatives, including the use of AI and improving the automaker’s driver assistance system. Cisco, meanwhile, disclosed its second round of layoffs in 2024, this time laying off 7% of employees as it focuses more on AI and cybersecurity. In June, the networking equipment maker announced it planned to invest $1 billion in technology startups such as Cohere and Mistral.

AI regulation bill in California takes shape. In the absence of comprehensive federal regulation of AI, states are trying to restrict the new technology on their own. The latest legislative initiative currently being considered is in California, where a House committee approved a version of the bill that would require companies to test the safety of AI before making it public. The California Attorney General would also have the power to sue companies if their technologies cause serious harm. The bill has sparked heated debate in Silicon Valley about whether it would promote or harm AI innovation.

AMD wants to buy ZT Systems to strengthen its AI offensive. Chipmaker AMD, the sponsor of this newsletter, said Monday it will pay $4.9 billion in cash and stock to acquire server maker ZT Systems. AMD is looking to expand its portfolio of AI chips and hardware to better position itself to compete with market leader Nvidia. Adding ZT Systems’ engineers to AMD’s workforce will allow AMD to test AI graphics processing units (GPUs) faster and bring them to market at the scale required by cloud computing giants like Microsoft, Reuters reports. “It really helps us deliver our technology much faster because our customers are telling us that this is exactly what they need,” AMD CEO Lisa Su told The Financial Times.

ADOPTION CURVE

The ROI of AI may take some time, but spending plans are increasing. A survey of 600 CIOs and senior IT decision makers found that companies expect to see a return on their AI investments in two years on average. However, almost a quarter expect the ROI to take four years or even longer, according to the survey by FTI Consulting on behalf of IT company UST.

Talent shortages, as well as concerns about privacy and algorithmic bias, remain among the biggest obstacles to greater adoption of AI technologies. However, the findings also show that spending on AI continues to rise. One in twenty IT leaders, all from companies with annual revenue of $500 million or more, now spend more than half of their technology budget on implementing AI. In three years, one in five expect this to be the case.

Graphic courtesy of UST

JOBS RADAR

Hiring:

Working America is looking for a Chief Technology Officer based in the Washington-Baltimore area. Posted salary range: $160,000-$190,000/year.

United States Institute of Peace is looking for a CIO based in Washington. Posted salary range: $180,100-$191,900/year.

Credit Karma is looking for a CTO based in Oakland. Posted salary range: $375,000-$470,000/year.

Hired:

Disney has named Adam Smith Chief Product and Technology Officer for Disney Entertainment and ESPN, where he will be responsible for technology strategy, proprietary advertising technology and emerging technologies. Before Disney, Smith was most recently a Vice President at YouTube, having worked for the online video platform and Google for more than 20 years.

Mattel announced that Sai Koorapati will become Senior Vice President and CTO effective August 19, reporting to CFO Anthony DiSilvestro. Koorapati comes to the toy manufacturer from Topgolf Callaway Brands. At Mattel, he will oversee all technical innovation, including AI, connected product design, and online security and privacy.

Stability AI announced the appointment of Hanno Basse as CTO, following his most recent role at visual effects and digital production company Digital Domain. Basse also previously served as CTO of Microsoft Azure Media and Entertainment and at 20th Century Fox Film Corp.

Strengthen AI has named Dr. Jennifer Sample CTO. She joins the IT services provider from Accenture Federal Services, where she was managing director and implemented the federal agency’s AI strategy.

DUAL has appointed Scott Noerr as CIO. He joins insurance broker Howden Group Holdings to implement technology for its underwriting division. Noerr previously served as CIO at National Interstate Insurance Company and held positions at Avery Dennison Label and Packaging Materials and Goodyear.

Upstart 13 has named Mitch Comardo CTO. He joins the software company after previous leadership roles at OneCare, HigherEducation.com and PROS.