
The cost of a global outage could exceed $1 billion – but it is harder to understand who will foot the bill


New York
CNN

The world learned relatively quickly that cybersecurity firm CrowdStrike was behind Friday’s crippling global technology outage. But figuring out who will foot the bill for the damages could take much longer.

The “worst IT outage in history,” one cybersecurity expert said, led to the cancellation of more than 5,000 commercial airline flights worldwide and disrupted businesses from retail to package deliveries and hospital procedures, affecting revenue, staff time and productivity.

The problem was caused by several pieces of bad CrowdStrike code in a software “content update.” Unfortunately, fixing the bug took much longer than it took to cause it, and it could take days for all systems to return to normal.

In a social media post late Sunday, CrowdStrike said a “significant number” of the roughly 8.5 million devices affected were back online and operational. It again apologized for the disruption.

While CrowdStrike apologized, it did not mention whether it plans to provide compensation to affected customers. And when CNN asked if it plans to provide compensation, the response did not address that question.

Experts say to expect wage demands and, very likely, lawsuits.

“If you’re a lawyer working at CrowdStrike, you probably won’t enjoy the rest of your summer,” said Dan Ives, a technology analyst at Wedbush Securities.

Experts largely agree that it’s too early to put an exact price tag on Friday’s global internet outage. But the costs could easily top $1 billion, said Patrick Anderson, CEO of Anderson Economic Group, a Michigan-based research firm that specializes in estimating the economic costs of events like strikes and other business disruptions.

His firm estimates that the recent hack of CDK Global, a software company that services U.S. car dealerships, cost $1 billion. Although that outage lasted much longer, about three weeks, it was confined to one narrow industry.

“This outage is affecting many more consumers and businesses in ways that range from inconvenience to major disruption and result in out-of-pocket costs that they cannot easily recover,” he said. Anderson added that the costs could be particularly significant for airlines, due to lost revenue from canceled flights and excessive labor and fuel costs for planes that flew but had significant delays.

A passenger takes a nap in the terminal at Harry Reid International Airport on Friday, July 19, 2024, after a faulty CrowdStrike update caused a major internet outage on Microsoft Windows computers.

Even though CrowdStrike dominates the cybersecurity market, its revenue is just under $4 billion per year.

However, one expert said there may be legal provisions in customer contracts that protect CrowdStrike from liability.

“I assume these agreements protect them,” said James Lewis, a researcher at the Center for Strategic and International Studies.

Lewis pointed to a case decided Thursday in favor of SolarWinds, another software company. A judge dismissed Securities and Exchange Commission charges against SolarWinds related to the Russian hack of federal government agencies in late 2020. Lewis said SolarWinds was charged in that case only for failing to disclose vulnerabilities in its system to an outside hacker, not for damages caused by its own actions. Still, it won the dismissal.

Businesses affected by the outage will likely learn that traditional business interruption insurance won’t cover any losses, said Mark Friedlander, a spokesman for the Insurance Information Institute. Those policies typically require that there be some sort of physical damage to a company’s property before claims can be paid. There’s a separate type of computer outage coverage, known as business network interruption policies, that can pay claims. But those policies sometimes cover only malicious hacking attacks and exclude non-malicious computer problems like this one, he said.

It is also unclear how many customers CrowdStrike might lose because of Friday.

Ives of Wedbush Securities estimates that fewer than 5% of his clients are likely to change firms.

“They are such an established player that it would be risky for them to move away from CrowdStrike,” he said.

For many customers, switching from CrowdStrike to the competition will be difficult, and not without additional costs. But the real blow to CrowdStrike could be the damage to its reputation, which will make it harder to acquire new customers.

“CrowdStrike is becoming a household name today, but not in a good way. It will take some time for that brand to stabilize,” Ives said.

CrowdStrike CEO George Kurtz told CNBC in an interview Friday morning that the company is focused on solving immediate problems and that so far he thinks most customers have been understanding.

“My goal now is to make sure every customer is back up and running,” he said. “I think a lot of customers understand that this is a complex environment and staying ahead of the bad guys requires these content updates.”

But even if customers prove to be forgiving, there is a chance that CrowdStrike’s rivals will look to capitalize on Friday’s events to attract them.

“It’s a very competitive industry. You’ll have salespeople from all these other companies … (jumping in) and saying, ‘This has never happened to us,’” said Eric O’Neill, a cybersecurity expert and former FBI counterintelligence agent. “They’re an excellent company doing important work. I hope they survive this. If they don’t, the only winner will be the cybercriminals.”