A flawed CrowdStrike update on the evening of 19 July led to the crashing – or the “blue screen of death” – of 8.5 million Windows computers for a number of Australian and global organisations.
While this outage is not unprecedented – incidents have occurred with major cloud service providers like AWS and Azure in the past – market experts argue that the cause and scope of CrowdStrike’s outage are especially concerning because it stemmed from a significant oversight in their update process.
“Unlike best practices, CrowdStrike did not perform an isolated rollout, leading to a widespread impact,” Global X wrote in a recent market outlook.
The company, which has seen its price plummet by more than 30 per cent in the last five days, has since issued an apology, emphasising that the outage was caused by a defect found in a recent update for Windows hosts, as opposed to a cyber attack.
In a conversation with InvestorDaily, AMP’s chief economist, Shane Oliver, said the company’s “huge” reputational damage is reflected in its share price nosediving.
“It’s quite clear that they’ll suffer in terms of their market share and as a result of the reputational hit. And that’s why some of their competitors have seen their share prices go up, not dramatically, but nevertheless, go up,” Oliver said.
“It will have some lasting impact, a lot of businesses will be looking for ways to make sure that it won’t happen again … which obviously injects cost in the system, but also has the effect of heading off future debacles like this.”
Regarding a potential recovery for CrowdStrike’s price, Oliver noted that it’s too early to say whether the stock has bottomed out.
“The legal ramification will unfold over many weeks and months … I suspect there could be more downsides. There’s the potential loss of market share that CrowdStrike will suffer,” he said.
“Its share price more than doubled over the last 12 months, so it already had question marks around its valuation. Even before a problem like this, it’s still vulnerable to a large fall.”
Just last month, Morningstar said that, as the most expensive software business in the world, with a higher enterprise value over the next 12 months than any other company, CrowdStrike “doesn’t have any room for error”.
As such, Oliver said the company’s price could still see further losses before it finally bottoms out.
“Obviously, we’ll lose some market share to its competitors, so business will be somewhat smaller for a while. And then there’s the potential for redress against it, which will cost money as well,” he said.
“At some point, bargain hunters will come in and say, ‘Well, the worst is over’, but I think at this point, that’s just a guessing game.”
However, in the broader context of the cyber security sector, Oliver noted that the CrowdStrike outage has “supercharged” the already growing attention on integrated supply chains, a concern that gained prominence during the pandemic.
In particular, he said that governments and businesses might be sceptical about the extent that these systems are integrated.
“This is unfortunate in the sense that it was about a business trying to keep businesses safe, and then it had the effect of what might have occurred with a hack. So in that sense, it’s ironic, but it will put a lot of pressure on businesses to make sure that they’re not as vulnerable going forward,” Oliver said.
“It increases scepticism about globally integrated supply chains. I think it just adds to the pressure to reduce that degree of integration.”
Separately, Betashares investment strategist Hugh Lam has highlighted that the incident shows the interconnectedness of global network infrastructure and the disruptive impact that any malfunction can have on different industries.
“While this was a global systems failure rather than a cyber attack, bad actors may take advantage of this event to capitalise on any weaknesses in IT capabilities across enterprises,” Lam noted in a recent market commentary.
“Cyber security has been top of mind for executives for some time, with IT resilience likely to remain a high priority concern for businesses when it comes to their operations.”
According to the investment strategist, it’s likely that CrowdStrike, despite its leadership position in end-point security, will see some volatility in the coming weeks as the fallout becomes clearer.
In particular, Lam said there are already numerous calls for compensation and legal cases that may emerge and weigh on sentiment across the sector.
While there are some who may well take advantage of this situation, he believes investors should not just bet on one horse.
“Investors should take a diversified approach and avoid concentrated bets on specific cyber security names,” Lam said.
“Overall, the CrowdStrike outage is a timely reminder about the importance of resilient IT systems to the global economy. We expect this to provide a tailwind to the cyber security sector over the decades to come, as businesses and individuals spend more to keep themselves safe online.”