It was a tumultuous July in terms of cybersecurity news, and we’re just getting our heads around it all. Lawsuits are percolating related to the global CrowdStrike IT disruption. And just as IBM informs us of the global average cost of a data breach, which is certainly not getting smaller over time, we have some refreshing news about cybersecurity.
It is the topic that brings partisans together; three pending bills in Congress were each authored by pairs or trios of lawmakers on different sides of the aisle.
Let’s dig in.
CrowdStrike faces class action suit
CrowdStrike is facing a class action lawsuit from investors following the global IT outage that disrupted millions of Microsoft Windows systems.
The Plymouth County Retirement Association alleges CrowdStrike maintained deficient controls and did not adequately test its software, despite repeated statements touting the efficacy of the Falcon platform, according to its complaint filed Tuesday in the US District Court for the Western District of Texas. The retirement association is filing the lawsuit on behalf of all shareholders who owned CrowdStrike stock between November 29, 2023, and July 29, 2024.
The class action lawsuit alleges that defendants made false and/or misleading statements and/or failed to disclose that:
- CrowdStrike had instituted deficient controls in its procedure for updating Falcon and was not properly testing updates to Falcon before rolling them out to customers;
- This inadequate software testing created a substantial risk that an update to Falcon could cause major outages for a significant number of CrowdStrike’s customers; and
- Such outages could pose, and in fact ultimately created, substantial reputational harm and legal risk to CrowdStrike.
The investors’ claims revolve around the share price of the company dropping sharply as a result of the outage.
After the news broke that a flawed Falcon content update caused major worldwide technology outages for millions of devices running Microsoft Windows, the price of CrowdStrike stock fell more than 11%, according to the complaint.
Then on July 22, Congress called on CrowdStrike CEO George Kurtz – who was named as a defendant in this action – to testify regarding the crisis and CrowdStrike’s stock rating was downgraded by analysts such as Guggenheim and BTIG. This made the price of CrowdStrike stock fall more than 13%, the plaintiffs allege.
The lawsuit faults CrowdStrike for failing to disclose the “deficient controls” it was using to test the company’s software updates before rolling them out to customers.
Finally, on July 29, news outlets reported that Delta Air Lines had hired prominent attorney David Boies to seek damages from CrowdStrike following the software outage, according to the complaint. On this news, the price of CrowdStrike stock fell nearly 10%, the class action lawsuit alleges.
CrowdStrike is said to have “repeatedly touted the efficacy of the Falcon platform while assuring investors that CrowdStrike’s technology was ‘validated, tested, and certified.’ The Complaint alleges that these statements were false and misleading.” The ensuing outage also led to “substantial reputational harm and legal risk to CrowdStrike,” which has since been reflected in the company’s declining stock price.
“As a result of these materially false and misleading statements and omissions, CrowdStrike stock traded at artificially high prices,” the legal complaint says. “As of May 30, 2024, there were approximately 231 million shares of CrowdStrike Class A common stock outstanding, owned by thousands of investors,” the lawsuit notes.
As Delta Air Lines considers legal action against CrowdStrike and Microsoft, the airline says the outage will cost it about $500m, thanks to thousands of its flights having to be canceled.
IBM’s Annual Cost of a Data Breach Report
IBM’s annual report on how much data breaches are costing us is designed to help risk and security leaders make better decisions, including their security investments.
The report significantly emphasizes the risk of shadow data – which is data residing in unmanaged data sources – and the extent and costs of business disruption brought about by data breaches.
The report’s research was conducted independently by Ponemon Institute and used data gleaned from 604 organizations affected by data breaches between March 2023 and February 2024, involving companies across 17 industries and in 16 countries.
A few highlights from the report include:
- The global average cost of a data breach increased 10% over the previous year, reaching $4.88m, the biggest jump since the pandemic. Business disruption and post-breach customer support and remediation drove this cost spike. When asked how they’re dealing with these costs, more than half of organizations said they are passing them on to customers, which can be problematic in a competitive market already facing pricing pressures from inflation.
- On the defender side of the equation, researchers also found that applying security AI and automation is paying off, lowering breach costs in some instances by an average of $2.2m. AI and automation solutions are reducing the time needed to identify and contain a breach and its resulting damage. Put another way, defenders without AI and automation to assist them can expect to take longer to detect and contain a breach, and to see costs rise compared with those who use these solutions.
- This year’s study found more than half of breached organizations faced severe security staffing shortages, a skills gap that increased by double digits from the previous year. The race to adopt gen AI across nearly every function in the organization is expected to bring unprecedented risk and put more pressure on these security teams.
- 35% of breaches involved shadow data, showing that the proliferation of data is making it harder to track and safeguard. Shadow data theft correlated with a 16% greater cost of a breach; storing data across multiple environments proved not only common but also correlated with a 16% greater cost of breaches.
Bipartisan cybersecurity legislation in Congress
Cybersecurity legislation aimed at unscrambling regulations, strengthening protections in the US healthcare system and protecting the federal workforce sailed through a key Senate committee this week, moving the bipartisan bills to further consideration before the full chamber.
The Senate Homeland Security and Governmental Affairs Committee voted first on the Streamlining Federal Cybersecurity Regulations Act, a bill co-sponsored by committee chair Gary Peters (D-MI) and Senator James Lankford (R-OK) that seeks to streamline the country’s patchwork of federal cyber rules.
The bill would harmonize federal cyber requirements for the private sector, seeking to get around the patchwork of federal agency rules that industry participants have complained are often conflicting.
A committee made up of the national cyber director, the chief of the Office of Management and Budget’s Office of Information and Regulatory Affairs, the heads of each federal regulatory agency and other government leaders as determined by the chair would be charged with identifying cyber regulations deemed “overly burdensome, inconsistent, or contradictory” and recommending updates accordingly.
Another bill, the Healthcare Cybersecurity Act, was authored by Senators Jacky Rosen (D-NV), Todd Young (R-IN), and Angus King (I-ME) and is a product of the February ransomware attack on the payment processor Change Healthcare. It calls on the Cybersecurity and Infrastructure Security Agency (CISA) to collaborate with the Department of Health and Human Services (HHS) on cyber defenses, providing resources to non-federal entities so they have the tools they need to protect themselves as a critical infrastructure sector.
The bill would also designate a CISA liaison to HHS for the purposes of coordination during cybersecurity events, supporting health care and public health organizations.
The final cyber-focused bill heading to the full Senate is the Federal Cyber Workforce Training Act, which tasks the national cyber director with coming up with a plan to create a centralized resource and training center for federal cybersecurity workforce development. The bill’s authors, Mike Rounds (R-SD) and Jon Ossoff (D-GA), “would make it easier for federal government employers to prepare newly hired, early-career personnel for federal cyber positions,” as noted in a press release announcing the bill.
“It would also support new skills for federal workers moving jobs mid-career. The program would leverage the private sector, specifically academia, to develop and deliver cyber training.”
SIX Swiss Exchange hits a glitch
Switzerland’s stock market operator halted equity trading for over four hours Wednesday after a technical snag that made it impossible to distribute pricing data.
It was the exchange’s longest outage ever and the second to hit it in little more than a year.
The halt began at 10am Zurich time and trading resumed at 2:30pm, SIX Swiss Exchange said. The exchange hadn’t been able to disseminate market pricing data since about 9:10am, a spokesperson said. Trading on Wednesday wasn’t initially affected by the glitch, but SIX was required to halt trading due to regulations regarding the equal treatment of market participants, the spokesperson added.
Data for the Spanish stock market, which is owned by SIX, was also affected for several hours, although trading continued there.
The interruption is another reputational hit to SIX; last year, the market was hit by its worst outage in more than a decade, with dealing in equities and derivative instruments halted for three hours.