CrowdStrike at the heart of a global IT outage

Through cascading effects, a bug in CrowdStrike's software crippled many systems around the globe. The short-term picture is not pretty, but there are reasons to be cautiously optimistic.

Bottom line

The key impact is reputational damage. The resulting uncertainty means valuation multiples will also take a hit. However, past the short-term impact, a recovery is likely, as the company's leading technology makes it an inescapable player in a dynamic industry. The impact on our portfolio will be noticeable in the short term, as CrowdStrike is our biggest position in Cybersecurity, but will be partially mitigated by competitors taking advantage of the situation.

What happened

On Friday, July 19, companies around the globe started to report a series of crashes of their Microsoft Windows systems. Computers entered a "boot loop", meaning it was impossible to restart them properly, therefore impacting businesses relying on them and leading to large outages in industries as varied as banks and airlines. The bug was traced to a faulty update to CrowdStrike's software, installed on these machines to detect potential threats in IT systems. A fix for the problem was deployed around noon, but may take time to deploy due to the need to first fix the "boot loop", which may require manual intervention on a large number of systems from customers' IT teams. In the meantime, outages may persist for an indefinite period of time.

Impact on our Investment Case

How could this happen?

The chances for this unprecedented situation to happen were extremely low. Available information suggests a string of failures originating from CrowdStrike's software. The software is installed on computers to detect potential threats and allow IT administrators to counter them. As with every piece of software, it must be periodically updated, which usually does not create any problems. However, this time, for yet undetermined reasons, a faulty update passed quality control checks and was deployed to a large number of machines, triggering critical failures in Windows systems and leading to a crash, the infamous "Blue Screen of Death".

The problem was compounded by the sensitive nature of CrowdStrike's software. By design, operating systems are well-siloed to avoid this type of situation. However, due to being a security software, CrowdStrike must be able to access every part of the system, especially the most critical ones, to check against potential threats: nothing would be worse than an attacker sitting undetected at the core of your computer, controlling every part of it without you being even able to notice it. In this regard, security systems are an unavoidable single point of failure.

Is there a precedent?

This outage can already be qualified as the largest in history, which is paradoxically a testimony to CrowdStrike's competitive positioning. Disruptions emerged across the globe and took down systems of all kinds. Airlines and airports were affected in the middle of summer vacations, stranding passengers. Financial institutions were impacted, including insurances and stock exchanges. 

Smaller outages already happened. In 2017, a bug at Amazon's AWS temporarily took down many major websites built on its technology, notably including ESPN, SoundCloud and Slack. More recently, in 2021, an issue at Fastly took down a substantial portion of the internet, including the New York Times, Reddit and the U.K. government. The same year, another issue at AWS took down Robinhood as well as popular streaming services. 

In such cases, operational processes relying on cloud services or websites were impacted, but core IT systems remained operational, limiting damages. Still, this shows that the global economy can be extraordinarily fragile, as ecosystems are getting increasingly interconnected, allowing for powerful chain reactions capable of wreaking havoc in apparently unrelated systems.

What impact on the business?

The biggest damage is reputational: the company had an excellent track record, which has been shattered in less than 24 hours and will take time to repair. This will require perfect transparency, both for investigating the origin of the problem and for preventing it from happening again. QA processes, notably, will need to be overhauled to see if the issue is systemic or if this incident was simply unfortunate and bound to happen, considering the sheer amount of updates made in the software segment.

Regarding business impact, we are partly in uncharted territories due to the magnitude of the outage. Technically, the problem comes from the OS crash, not directly from CrowdStrike, although the company immediately acknowledged its responsibility. At the present time, we do not know if the company can be liable for damages caused to its customers' daily business operations. What is certain, however, is that it will impact its short-term business. Some customers will probably start to look elsewhere, which will favor competitors such as SentinelOne (also in our Cybersecurity exposure). Others will probably ask for discounts when comes the time to renew contracts.

Over the longer term, the company is somewhat lucky. The issue did not originate from a hack, which means it retains some credibility: mistakes can happen, especially in complex software environments, and all that matters is rapidly providing a solution, which appears to be the case. In any case, the quality of the protection remains unchallenged: CrowdStrike did not become a market leader by chance, and its competitive edge did not vanish with this outage. Therefore, notwithstanding potential legal procedures which are not easy to foresee, we tend to think that the company should recover most of its standing.

Our Takeaway

This unprecedented outage will have a heavy impact in the short term. Trust in the company will need to be rebuilt, and customers are likely to pressure the company for compensation, weighing on the stock. Competitors such as SentinelOne may benefit, which will help offset the impact on our portfolio. All in all, uncertainty will rise, which will lead to a compression of valuation multiples, especially as the company was trading at a premium. Over the longer term, the company's technological edge remains intact, as its systems have not been breached. As such, CrowdStrike remains a major conviction, and we do not see at the present time any reason to turn upside down our investment case. 

Companies mentioned in this article

Amazon (AMZN); CrowdStrike (CRWD); Fastly (FSLY); Microsoft (MSFT); Reddit (RDDT); Robinhood (HOOD); SentinelOne (S)

Explore:



Disclaimer

This report has been produced by the organizational unit responsible for investment research (Research unit) of atonra Partners and sent to you by the company sales representatives.

As an internationally active company, atonra Partners SA may be subject to a number of provisions in drawing up and distributing its investment research documents. These regulations include the Directives on the Independence of Financial Research issued by the Swiss Bankers Association. Although atonra Partners SA believes that the information provided in this document is based on reliable sources, it cannot assume responsibility for the quality, correctness, timeliness or completeness of the information contained in this report.

The information contained in these publications is exclusively intended for a client base consisting of professionals or qualified investors. It is sent to you by way of information and cannot be divulged to a third party without the prior consent of atonra Partners. While all reasonable effort has been made to ensure that the information contained is not untrue or misleading at the time of publication, no representation is made as to its accuracy or completeness and it should not be relied upon as such.

Past performance is not indicative or a guarantee of future results. Investment losses may occur, and investors could lose some or all of their investment. Any indices cited herein are provided only as examples of general market performance and no index is directly comparable to the past or future performance of the Certificate.

It should not be assumed that the Certificate will invest in any specific securities that comprise any index, nor should it be understood to mean that there is a correlation between the Certificate’s returns and any index returns.

Any material provided to you is intended only for discussion purposes and is not intended as an offer or solicitation with respect to the purchase or sale of any security and should not be relied upon by you in evaluating the merits of investing inany securities.


Contact