Why CrowdStrike is likely shielded from billions in customer losses caused by its outage

Dow Jones07-27

MW Why CrowdStrike is likely shielded from billions in customer losses caused by its outage

By Therese Poletti

The outage is believed to have caused $5.4 billion in losses for big enterprises - but various factors help insulate the cybersecurity company

Despite having caused one of the largest global technology meltdowns ever, resulting in billions of dollars in losses for its customers, CrowdStrike Holdings Inc. itself should largely be shielded from direct financial impacts.

That's due in part to the software industry's licensing structure, through which standard software licenses limit the liability of the software developer, and because of insurance held both CrowdStrike $(CRWD)$ and its customers.

On Thursday afternoon, CrowdStrike Chief Executive George Kurtz shared on LinkedIn that over 97% of Windows sensors were back online - though only after customers incurred sizable losses in the form of lost business, downtime and operational delays. CrowdStrike said it will provide a further update on its upcoming earnings call.

"CrowdStrike's top priority continues to be on our customers and restoring every impacted system," a company spokesperson said in a statement.

On Wednesday, analytics and insurance provider Parametrix calculated the financial impact of last week's outage at $5.4 billion in losses for Fortune 500 companies, excluding Microsoft Corp. $(MSFT)$

The cybersecurity insurance policies of CrowdStrike's Fortune 500 customers will likely cover no more than 10% to 20% of those losses, Parametrix said in its report Wednesday. The estimated insured losses on cyber insurance policies ranges from $540 million to $1.08 billion.

"CrowdStrike cannot take the liability for all of the financial impact [and] all of their clients in an unlimited way, right? And it's impossible for companies to carry so much risk," said Parametrix co-founder and CEO Jonathan Hatzor told MarketWatch. "That's the reason that you have insurance that can diversify this exposure with other exposures and can really consume this risk."

Also read: Opinion: Lawsuits and fines cost wrongdoing companies big money - but look who gets stuck with the bill

Healthcare, banking and airlines were the industries viewed to be the most affected by the outage. Some businesses saw an extension of disruptions for days - including Delta Air Lines Inc. $(DAL)$, which was besieged by flight delays. Parametrix's estimates are for Fortune 500 companies only, and do not include other types of insurance policies such as property, liability and travel.

So far, Wall Street has been trying to gauge the potential financial impact on CrowdStrike, with several firms cutting their price targets, as they wait for more data from the company. CrowdStrike's shares have fallen about 25% since last Thursday's close, wiping out about $22 billion in market value. The outage ultimately affected 8.5 million PCs and devices running Microsoft's Windows.

Analysts see a nuanced picture for CrowdStrike, with some concerned about potential litigation and unknown costs. But in general, they expect CrowdStrike to be durable thanks to its leadership position in software that alerts of and prevents cyberattacks. Its software is not easily replaceable, although new customers could be put off by the debacle.

"CrowdStrike is probably one of the biggest, most dominant software companies out there" in the cybersecurity field, said Tracy Woo, an analyst who covers cloud computing at Forrester Research. "To exit that would be very difficult. I don't think there will be a mass exit, but I can see that the renewal rate could drop considerably. I think it depends on how deeply entrenched people are."

"Most customers are not likely to churn, which means they would want to continue to maintain their relationship with CrowdStrike," said Bernstein Research analyst Peter Weed in a note to clients. "Experts point out that suing CrowdStrike may not be their best path, and instead, they should push for discounts/credits upon renewal."

In response to a follow-up email, Weed said that it is not yet clear what CrowdStrike's potential exposure could be outside of insurance costs and legal fees. "Liability could be capped at the price paid," he said, adding that other experts he had spoken with said some lawsuits "could attempt to get around that for more damages."

He also noted that overlapping insurance policies are designed to attempt to cover exposure to such damages. "Also, the company may choose to offer 'make-it-right' discounts or credits on renewal (like Datadog (DDOG) did when they had an outage a year back)," Weed wrote. "We will have to hear their plans."

CrowdStrike said it has not yet scheduled its second-quarter earnings call, though FactSet estimates based on previous dates say the company could report its results around Aug. 27.

Even with the limited liability that analysts currently expect for CrowdStrike, class-action lawyers are circling around the company. Several law firms specializing in shareholder lawsuits issued statements that they were investigating the CrowdStrike outage, and advised investors to contact them.

Ann Koppuzha, a business-law lecturer at the Leavey School of Business at Santa Clara University, predicted there will be investigations from regulatory agencies, insurance companies and possibly from eventual shareholder lawsuits. While no lawsuits have yet been filed against the company, CEO George Kurtz has already been called to testify about the outage before the U.S. House Committee on Homeland Security.

There likely will be some impact to CrowdStrike's brand, too. Anshel Sag, an analyst at Moor Insights & Strategies, pointed out that antivirus maker McAfee's brand was "significantly tarnished" by a software update in 2010 that also forced Windows XP machines into a reboot loop. Just a few months later, McAfee was purchased by chip maker Intel Corp. $(INTC)$

But while CrowdStrike is expected to survive this global outage, it will probably be embarking on a long slog of dealing with insurance claims and potential litigation. The year ahead - and perhaps even beyond - will clearly be a long one for the cybersecurity company and its investors.

-Therese Poletti

This content was created by MarketWatch, which is operated by Dow Jones & Co. MarketWatch is published independently from Dow Jones Newswires and The Wall Street Journal.

(END) Dow Jones Newswires

July 26, 2024 17:05 ET (21:05 GMT)

Copyright (c) 2024 Dow Jones & Company, Inc.

Disclaimer: Investing carries risk. This is not financial advice. The above content should not be regarded as an offer, recommendation, or solicitation on acquiring or disposing of any financial products, any associated discussions, comments, or posts by author or other users should not be considered as such either. It is solely for general information purpose only, which does not consider your own investment objectives, financial situations or needs. TTM assumes no responsibility or warranty for the accuracy and completeness of the information, investors should do their own research and may seek professional advice before investing.

Comments

We need your insight to fill this gap
Leave a comment