The “Blue Screen of Death” Incident
On July 19, a faulty update to Falcon Sensor, the endpoint security software distributed by CrowdStrike, a U.S. cloud-based cybersecurity company, crashed the Windows systems it was installed on. Millions of machines showed the "Blue Screen of Death," the stop error Windows displays after a fatal kernel crash, which fills the entire screen with blue.
The outage delayed or canceled more than 5,000 flights, including those of major U.S. carrier American Airlines, disrupted operations at banks and stock exchanges, and even forced weather forecasters to draw maps by hand. Recovery is expected to cost more than $1 billion, and lawsuits are likely to follow; Delta Air Lines has already begun legal proceedings.
While experts believe that many lawsuits are likely to be filed to recover damages, CrowdStrike may also be contractually shielded if its customer agreements contain limitation-of-liability or indemnification clauses.
How has it impacted South Korea?
In South Korea, relatively few companies use CrowdStrike, so the damage has been limited. Still, some budget airlines experienced errors in their ticket reservation and issuance systems, and a gaming company's servers crashed, prompting emergency maintenance.
For Korea as well, the incident has once again highlighted the importance of thorough testing and quality assurance of software updates, and the need for contingency plans and rapid response mechanisms that minimize the impact of such large-scale failures.
Are you familiar with the EU's Cyber Resilience Act (CRA)?
Against this backdrop, the European Union's CRA is also drawing attention.
The CRA is an EU regulation intended to protect consumers and businesses by strengthening the cybersecurity of "products with digital elements," given the enormous impact cybersecurity incidents can have.
Under the Act, such products must meet strict cybersecurity requirements, including being developed with security in mind from the design stage and receiving regular security updates throughout their support period. Manufacturers must also promptly identify and remediate vulnerabilities in their products and maintain a vulnerability handling process for doing so.
The Act further requires manufacturers to report actively exploited vulnerabilities and severe incidents affecting the security of their products to the EU Agency for Cybersecurity (ENISA) and the competent national Computer Security Incident Response Team (CSIRT), beginning with an early warning within 24 hours of becoming aware of them. The European Parliament approved the Act on March 12, 2024; it is expected to enter into force in the second half of the year, with most obligations applying after a multi-year transition period.
[Legal Insights]
- Recognizing the Importance of the “Cyber Supply Chain”
This incident exposed the risks that can arise within the cyber supply chain in the course of ordinary business. It was all the more shocking because it was caused not by cyberterrorism or hacking, but by a routine update to a security product supplied by a vendor.
Organizations should recognize the importance of identifying and managing the risks inherent in complex cyber supply chains, and should establish risk assessment and management processes for their use of third-party software. They should also select trusted vendors and require them to follow strict quality control protocols that comply with applicable industry standards and regulations. Finally, they should diversify their supply chain so that no single vendor or technology becomes a single point of failure (SPOF).
- Establishing 'Business Continuity Plans' and Enhancing 'Cyber Resilience'
A business continuity plan (BCP) should be in place so that key business functions keep running during an unexpected incident, minimizing losses and preserving customer confidence.
This calls for continuous efforts to strengthen cyber resilience through rapid response capabilities, together with regular simulations and drills that test and improve preparedness.
- Preparing for Legal Disputes
Organizations should prepare in advance for the complex legal disputes that follow incidents of this kind.
First, the responsibilities and obligations of the service provider and the customer should be clearly defined in a service level agreement (SLA) so that they can be relied on in a dispute. The SLA should specify sanctions and compensation for breaches, and should include provisions on disaster recovery, emergency response procedures, and mandatory pre-deployment testing of updates to critical systems. Whether and how to include contractual indemnification clauses covering such incidents also deserves careful consideration.
Second, organizations should minimize their potential liability by checking in advance whether they are meeting their regulatory obligations under relevant laws such as the Product Liability Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and the Personal Information Protection Act. Because the damage may cross borders, they should also understand the international judicial process, including international litigation and the determination of governing law, and be ready for complex disputes involving many stakeholders. Timely and appropriate legal assistance is therefore crucial.
* * *
LIN’s TMT Team provides comprehensive one-stop legal services in the areas of privacy, fintech, blockchain, and other related fields.
Please note that the contents and opinions published in our newsletters are for general information purposes only and do not represent the official views or legal opinions of the firm.
If you have any inquiries about the above, please do not hesitate to contact our TMT Team (+82-2-3477-8695).