In July 2024, Delta Air Lines experienced severe disruptions when a faulty software update from CrowdStrike caused the cancellation of over 6,000 flights, affecting 500,000 passengers and resulting in $500 million in losses. Delta has blamed CrowdStrike for its losses and has decided to pursue legal action.
CrowdStrike, however, has limited its liability to $1 million, which Delta’s losses far exceed, and attributes Delta’s delayed recovery and the extent of the damage to issues within Delta’s own infrastructure, citing design and operational resilience shortcomings as contributing factors.
This global incident is a cautionary tale about the importance of being legally and operationally prepared for supply chain risks.
How can you protect your business from risk?
So, what can you do to safeguard your business if a disaster or outage at a supplier significantly impacts your operations?
Here are some key legal and practical steps to consider:
- Due diligence and audits: In an ideal world, you'd conduct extensive due diligence on suppliers and ensure they have robust systems and cyber security protocols. However, if you're a smaller business dealing with large tech suppliers, you may not have the resources or leverage for comprehensive audits. Instead, focus on what you can realistically achieve: research the supplier's reputation, ask for their security certifications, and if possible, speak with other clients. While you might not be able to dictate terms to major suppliers, you can still prioritise those with better operational track records.
- Robust contracts: If you have limited negotiating power with large suppliers, it's still crucial to understand your contracts. Pay close attention to service levels, liability provisions, and remedies for service disruptions. Even if you can't negotiate significantly better terms, being aware of potential risks helps you plan accordingly. Our commercial contracts lawyers can help you identify key areas of concern in supplier-favourable contracts, enabling you to make informed decisions about which risks you're willing to accept and which terms you can negotiate to protect your business in the long run.
- Insurance cover: Given the challenges in fully controlling supplier behaviour or negotiating ideal contract terms, comprehensive insurance coverage becomes particularly important. Consider investing in insurance that covers third-party supplier failures and operational disruptions. This can be a cost-effective way to mitigate risks when you don't have the leverage to demand stringent terms from suppliers. Ensure your business continuity plan incorporates how to respond to and recover from supplier failures, with insurance playing a key role in this strategy.
What are the key takeaways?
No business is immune to disruptions, making robust preparedness and planning critical. The global CrowdStrike incident underscores the importance of readiness to minimise damage. By taking proactive practical and legal steps, you will be better equipped to protect yourself from risk.
Our commercial and data protection legal experts can support your business to mitigate potential risks by providing comprehensive legal guidance tailored to your specific needs, ensuring you are well prepared to handle supplier failures and supplier service disruptions, and to manage risk in supply chain contracts.