Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Major mistakes do not often go unpunished. But there may be exceptions to the “one strike and you are out” rule. US cyber security group CrowdStrike was responsible for one of the world’s biggest ever IT outages on July 19. Yet it reckons the impact on this year’s revenues will only be about $100mn at the midpoint of the range it provided — just a 2.5 per cent cut compared to previous guidance.
Investors are not convinced. CrowdStrike’s market value is down by nearly $20bn since the outage, well over 10 times what the lost sales would be worth on the current multiple of 15.7 times. In part, that may be down to the perception of legal risk, notably from Delta Air Lines, which said the outage cost it $500mn. CrowdStrike, for its part, says customer agreements contain provisions that limit its liabilities, and it maintains insurance policies to mitigate the impact.
For all that, the threat of lawsuits does not seem to be the only dynamic at play. While CrowdStrike languishes, shares of rivals Palo Alto Networks and SentinelOne are up 10-20 per cent, suggesting that the market believes their competitive position has been structurally strengthened relative to CrowdStrike. That looks overly pessimistic.
CrowdStrike’s existing customer base should prove to be pretty sticky. Ripping out cyber security modules and replacing them is hard work. A subset of affected clients may ask for discounts, extensions and other perks, but that too would be relatively small beer. Ellie Bagshaw from Arete Research estimates the impact from existing customers’ bartering at $77mn over the next 12 months.
The bigger question is whether the snafu might harm CrowdStrike’s ability to secure new customers. But its core selling point — the ability to detect and prevent cyber risks — remains untarnished. Its product is widely considered to be among the market leaders. Plus its efforts to “platformise”, or sell multiple services to its customers, are bearing fruit, with almost half of customers spending over $100,000 running eight or more of its modules.
Most importantly, CrowdStrike’s crisis communications has been received positively in the cyber security community, thinks Shaul Eyal of TD Cowen. That the company has managed to retain some sort of reputation for competence is no mean feat after single-handedly crashing millions of the world’s computers.
That is not to say that CrowdStrike is home free. The outage may well delay contractual negotiations — and be used as leverage by new and existing customers to gain better terms.
But the lesson from CrowdStrike’s debacle may turn out to be that, on occasion, even a pretty cataclysmic error doesn’t cause companies to strike out.