The fallout from the recent global IT outage

We caught up with insurance expert Peter Halprin FCIArb about cybersecurity disputes.  

In July 2024, the largest ever global IT outage crashed millions of Windows systems, disrupted critical servers, and halted business operations across the world. It was caused by the failure of two separate technologies: CrowdStrike’s Falcon sensor platform and parts of Microsoft’s Azure cloud infrastructure.

“Mega incidents like this help to highlight the enormity of the potential consequences of cybersecurity issues,” explains Peter Halprin, a New York-based insurance lawyer who specialises in cybersecurity disputes. While tremendous damage was done during the outage, there was a silver lining: it didn’t last very long. However, the same can’t be said for the repercussions. “While we don't yet know how extensive the fallout will be, some estimates are in the low billions.”

There are lots of lessons to be learned from the outage, Peter notes. “Many companies automatically accepted the update that CrowdStrike put out into the market,” he explains. “In the future, these updates will be tested more extensively before they go out into the market. It’s likely we will see more and more companies remove auto-update features, and carefully scrutinise each update as it comes across. The outage highlights that because we are so interconnected, it's easy for something seemingly small or innocuous to escalate into a global problem.”

Then, he notes, there was a second wave of activity. While there was no criminal intent in the CrowdStrike outage, cyber criminals are always primed and ready to act when there’s an incident. “They’re one step ahead of everyone else: it's very hard to maintain the right level of vigilance against this persistent threat. In the wake of the CrowdStrike outage, there have been numerous reports of fake websites or phishing emails selling a ‘CrowdStrike fix’. All someone has to do is click on it and the criminals get access into your systems, which could allow them to do something potentially devastating to the business.”

Like any other corporate risk, companies are trying to protect themselves from cyber issues. Peter notes that cyber risk keeps General Counsels up at night, as they try to figure out how to protect the company. He explains: “On the insurance side, assuming something goes wrong, they want to know if they have bottom line protection so that the company can stay solvent and recover from these cyber incidents.”

Peter believes it’s likely we will see more instances where outages or cyber-attacks have a devastating, widespread effect because companies are increasingly interconnected. “We're going to see a lot more disputes that focus on cybersecurity.”

There are lots of different areas in which cyber risk will lead to more and more disputes. For example, in the US, “we have more and more class action cases where plaintiffs whose data was compromised are suing the company,” he says. And, every year, more US states are introducing privacy regulations to address data breaches, including with respect to biometric data.

Peter predicts that: “Arbitrators will see more disputes involving cybersecurity and they  will also need to work to raise protection levels to avoid becoming the victims of further cybercrime or cyber breaches,” he explains.

“Cybersecurity is a hot topic at arbitral institutions and also within universities as well,” he notes. Peter is an adjunct professor at the Benjamin N. Cardozo School of Law, focusing on international arbitration, and is frequently called upon to lecture or write about international arbitration topics. Given the frequency of insurance disputes ending up in arbitration, he is particularly interested in the concepts of repeat appointments, bias, disclosure, and questions of applicable law.

He was first attracted to international arbitration in his third year in law school when he took an international arbitration class and participated in the Vis Moot. After that, he was hooked. “The idea that there was an international means of resolving disputes that brought together all these different cultures and legal traditions to forge a path forward was intriguing,” he explained.  

His first role was at a firm that specialised in insurance, and he asked to work on every international arbitration dispute that came through the door. From there, he completed a postgraduate distance learning diploma at Queen Mary University of London. “Then I took the award exam which got me into Ciarb in the first place and then from there I started teaching international arbitration. Now I act both as counsel in arbitrations and as an arbitrator.”

In addition to the complexity and ever-changing nature of cybersecurity, Peter loves the intellectual rigour required to deal with complex issues around insurance disputes. “The main area of focus for me is insurance and always has been. It touches on all areas of business and industry and on all areas of risk, so no day is ever the same as the last one. The issues and players are different so, from an intellectual perspective, it's fascinating. I represent the insureds as counsel in these disputes, and I like my vantage point. I’m genuinely helping the party that was hurt in the transaction.”

Peter Halprin FCIArb is a partner in the insurance recovery practice group in Haynes Boone’s New York office. He is a Chambers USA-ranked attorney and is well-known for his work on issues such as business interruption, cybersecurity, and wrongful death suits. Peter acts as counsel for US and foreign companies in domestic and international arbitrations, including both ad hoc at ARIAS, Bermuda Form, London as well as institutions American Arbitration Association (AAA), International Chamber of Commerce (ICC), International Centre for Dispute Resolution (ICDR), JAMS, and London Court of International Arbitration (LCIA). He has served as both party-appointed and sole arbitrator and is a Member of the AAA National Roster of Arbitrators, the Asian Institute of Alternative Dispute Resolution (AIADR)'s Presidential Panel of Arbitrators, the ARIAS Asia Panel of Arbitrators, the CPR Institute's Distinguished Panels of Neutrals (including the Insurance-Policyholder Coverage Panel), and the Singapore International Arbitration Centre (SIAC)'s Reserve Panel of Arbitrators.

 

Read more: Arbitration in life science and pharmaceutical disputes