CrowdStrike: the ultimate tech disruptor? It was for at least a couple of days last week, when the cybersecurity firm released an update that subsequently bricked computers across numerous industries, including medical record systems, and canceled hundreds if not thousands of flights.
In all, the economic costs could tally into the tens or hundreds of billions of dollars, as companies across the spectrum calculate and report financial losses tied to CrowdStrike’s outage. That ranges from airlines needing to cancel flights and hospitals rebooking surgeries to car washes losing revenue after they were unable to process credit card payments. Some businesses may be able to recoup some of that through insurance claims—hundreds of thousands of which are likely to be filed soon.
But there is an outstanding question: How much is this going to cost CrowdStrike? The answer isn’t immediately clear, but it won’t be cheap.
It’s already costing investors. The incident took a significant bite out of CrowdStrike’s stock price, which was trading at almost $338 per share last Thursday. On Friday, shares fell to $294 per share, and as of Tuesday morning, are trading at around $264. That’s a decline of roughly 22%, and since the beginning of the month, its market cap has declined by one-third. It could fall further, too.
Beyond getting slapped around in the market, CrowdStrike could be looking at fines and penalties from government regulators. Given that CrowdStrike’s outage could have, on some level, involved breaches or issues related to personal data, it could come under the crosshairs of European regulators, which can impose fines of up to 4% of annual revenues on companies that violate General Data Protection Regulation rules.
“Nobody disputes that huge amounts of personal data have been affected in the CrowdStrike incident, and the questions that will be asked in the coming months will focus on what harm was caused to the individuals in question and who—if anyone—will be liable,” Jon Baines, senior data protection specialist at London-based law firm Mishcon de Reya, recently told Fast Company.
In the U.S., CrowdStrike is also likely to see an avalanche of class action lawsuits. Law firms, such as San Francisco-based Lieff Cabraser Heimann & Bernstein, are already investigating and collecting information from clients related to business losses that “will help us hold Crowdstrike accountable for its disruption of global business and the consequences thereof for all internet users.”
Further, CrowdStrike could see customers leave for competing firms. Again, it’s hard to assess how many customers it could lose at this point since many are on contracts and may find it difficult to immediately cut ties. But some analysts say that 5% or so of its customer base could filter away, and CrowdStrike will also need to contend with a loss of potential new clients, which may or may not have been aware of CrowdStrike before the outage—but most definitely are now.
As a cherry on top, CrowdStrike will also be on the hook for refunds for customers who suffered business losses or disruptions, too.
Add it all up, and the outage has already cost CrowdStrike and its investors billions, including the hits it has taken on the stock market—some or all of which could be recouped over time. But with litigation and numerous lawsuits waiting in the wings, it’s probably looking at billions more in fines, legal fees, and lost revenue. It’s hard to put an exact dollar figure on what this all will cost the firm—and we likely won’t know for certain until the dust settles in several years.