Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
CrowdStrike, the cyber security company behind the botched update that took down millions of Windows PCs and servers in July, has more than recovered the $30bn in market value it shed in the wake of the crisis.
The company’s shares, which plunged by more than a third in the two weeks after the incident, are now worth more than they were on the day before what US House Homeland Security Committee chair Mark Green called the “largest IT outage in history”.
CrowdStrike chief executive George Kurtz told the Financial Times the company had bounced back by turning the crisis into “a competitive advantage”.
He said the incident — which stranded airline passengers, interrupted hospital appointments and took broadcasters off air around the globe — had not dented customers’ trust.
“Customers are staying with us,” Kurtz said in an interview after the company’s latest earnings report. “We had one customer say that broken bones heal stronger and they don’t expect this to reoccur. Conversely, from a competitor standpoint, that hasn’t gone through something like this, there’s probably more risk.”
The Texas-based company had a reputation for being many major companies’ first line of defence against cyber attacks. The high-profile nature of these customers exacerbated the scale of the disruption when a routine update to CrowdStrike’s flagship Falcon security software triggered a “blue screen of death” error on 8.5mn Windows devices on July 19.
But although insurers have estimated that total losses from the outages could run into billions of dollars, CrowdStrike has only marginally pared back its guidance for the fourth quarter and reported a 97 per cent customer retention rate in the three months to September.
The company also beat analysts’ earnings expectations for the quarter, reporting $1bn in revenues for the three months to September, up 29 per cent from the same period in 2023.
Some content could not load. Check your internet connection or browser settings.
Analysts have credited CrowdStrike’s recovery to its handling of the outage. Despite initial criticism of Kurtz’s first statement, which did not include an immediate apology, communications from CrowdStrike were, on the whole, “a masterclass in terms of owning up to the incident”, according to Fatima Boolani, an analyst at Citi.
But not all customers are satisfied. Delta Air Lines, which cancelled thousands of flights due to the outages, is seeking damages from CrowdStrike after estimating that the impact has cost more than $500mn.
In a lawsuit filed in October in Georgia, the Atlanta-based carrier said CrowdStrike had caused a “global catastrophe” because it “cut corners, took shortcuts and circumvented the very testing and certification processes it advertised, for its own benefit and profit”.
CrowdStrike’s lawyers denied responsibility for the scale of Delta’s disruption and argued that the security company’s liability is capped “in the single-digit millions” by its contracts. CrowdStrike said Delta’s claims were “based on disproven misinformation” and demonstrated “a lack of understanding of how modern cyber security works”.
Beyond Delta, Bernstein analyst Peter Weed said CrowdStrike did not appear to be at risk of losing most of its larger customers, in part because of the “stickiness” of its product.
“The more that you have implemented CrowdStrike, the harder it is to remove,” said Weed. He noted, however, that the fourth quarter, when more contracts are up for renewal, could be the next big test.
The company had also been able to use outages as an opportunity to become “a bit more aggressive in the marketplace”, including by promoting additional products to existing customers through free trials, said Boolani.
CrowdStrike said in August it would spend $60mn on incentives to appease clients. The perks — which the company branded “customer commitment packages” — included free subscription extensions and add-on features, and helped drive more customers to switch to the flexible pricing model that the company launched in 2023.
The total value of “Falcon Flex” contracts — which are intended to promote wider use of the company’s more than 20 different service “modules” — nearly doubled to $1.3bn in the three months to September.
This flexible subscription programme is key to CrowdStrike’s growth ambitions. “If you want more growth then you have to find other things to sell to your existing customers,” said Weed.
Going forward, CrowdStrike may also benefit from the perception that Microsoft’s operating system was as much, if not even more, responsible for the outage’s impact, according to Forrester analyst Allie Mellen. Microsoft declined to comment.
The incident has heightened scrutiny from regulators and business leaders over the extent of access that third-party software vendors have to the core, or kernel, of Microsoft’s Windows operating systems. Bugs in the kernel, such as CrowdStrike’s faulty update, can quickly crash an entire system.
Apple, which was not hit by the outages, blocks all third-party providers from accessing the kernel of its MacOS operating system, forcing them to operate in the more limited “user-mode”.
“If anything, the migration that results from this incident might be away from Microsoft, not CrowdStrike,” Mellen said.
