⚙️

CrowdStrike Security Incident

19/07/2024 430 days ago Resolved

Incident Overview

Situation Description

Publicly traded companies are facing SEC reporting implications due to server outages caused by a defective CrowdStrike software update on July 19, 2024.

Event Types

Faulty Update / Patch Technical Failure / Outage

Industry Sector

Technology

Geographic Scope

Global

Response Actions

Conducted Employee Training Revised Incident Response Plan Hardened Attack Surface Enhanced Third-Party & Supply Chain Risk Management

Impact Analysis

Event Types (2 identified)

Faulty Update / Patch Technical Failure / Outage

Financial Impact

$0 USD

Records Affected

Primary Impacts

Operational Disruption Reputational Damage Legal/Regulatory Penalties

Key Decisions Made

Ensure compliance with applicable policies and perform assessments to determine if the impact from the CrowdStrike update is material and requires reporting.; Perform risk assessments and gap analyses to identify shortcomings in systems and related practices.; Update risk factors and other disclosures, including those related to systems downtime and reliance on third parties.

Technical Analysis

Attack Method

Software Bug (Non-Vulnerability)

Vulnerability / Tool

CrowdStrike Software Update

Additional Information

News SEC Reporting Implications for Publicly Traded Companies Impacted by CrowdStrike Defective SoftwareUpdate Cooley alert July 22, 2024 There are a number of US Securities and Exchange Commission (SEC) reporting implications arising from the server-related outages caused by CrowdStrikes defective software update on July 19, 2024, and their impacts on public companies, particularly in light of the SECs new cybersecurity disclosure rules. While the situation on the ground as well as answers to these questions is still very much evolving, public companies impacted by the CrowdStrike update should consider doing the following: Ensure compliance with applicable policies and perform assessments to determine whether any impact from the CrowdStrike update is material, and whether any reporting is necessary or advisable. Perform risk assessments and gap analyses to determine whether there are any shortcomings in systems and systems-related matters, including use of third parties and relevant oversight, monitoring, disaster recovery, and other practices. Update risk factors and other disclosures, including regarding systems downtime and/or reliance on third parties to operate critical business systems. Determine if the CrowdStrike update has had or is expected to have a material impact on the company, then consider if it should be discussed in the managements discussion and analysis (MD&A) section of SEC filings, including as a known trend for future periods. Be mindful of Regulation FD when communicating with analysts and investors regarding the impact of the CrowdStrike update on the company. Evaluate whether the CrowdStrike update has implications for the companys internal controls and disclosure controls and procedures. Form 8-K and implications of CrowdStrike update An immediate question in the context of real-time reporting on current reports on Form 8-K is whether the CrowdStrike-related server outages and other impacts on information and information systems of...

... (truncated for display)

Quick Facts

Company:: CrowdStrike
Date:: 19/07/2024
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: 22/07/2024

Source Information

Original Query

examples of company Form 8-K filings for "material cybersecurity incidents" since 2024 SEC rule

View Original Source

Timeline

Information Published

22/07/2024

Incident Occurred

19/07/2024 (430 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats