New York CNN —
The world learned relatively quickly that cybersecurity firm CrowdStrike was responsible for Friday’s global technology outage, but it may take longer to figure out who will pay for the damages.
The outage, described by one cybersecurity expert as “the largest IT outage in history,” grounded more than 5,000 commercial flights around the world and disrupted everything from retail sales to package deliveries to hospital procedures, costing revenue, staff time and productivity.
The issue was caused by CrowdStrike’s own faulty code in a “content update” for its software. Unfortunately, correcting a mistake takes much longer than making it, and it could be days before all systems are back to normal.
CrowdStrike has apologized but has not said whether it plans to compensate affected customers, and it did not respond to a question from CNN asking whether it plans to do so.
Experts say claims for compensation and lawsuits are highly likely.
“If you’re a CrowdStrike lawyer, you’re probably not going to enjoy the rest of the summer,” said Dan Ives, a technology analyst at Wedbush Securities.
Experts largely agree that it’s too early to gauge the exact cost of Friday’s global internet outage, but the figure could easily exceed $1 billion, said Patrick Anderson, CEO of Anderson Economic Group, a Michigan research firm that specializes in estimating the economic losses from strikes and other business interruptions.
His firm estimates that a recent hack of US car dealership software company CDK Global cost it $1 billion, though the outage lasted about three weeks longer and was limited to one narrow industry.
“This outage is affecting a much larger number of consumers and businesses, ranging from inconvenience to severe disruption, and is incurring out-of-pocket costs that cannot easily be recouped,” he said. Anderson added that the costs could be especially high for airlines, due to lost revenue from canceled flights and excess labor and fuel costs for planes that flew but were significantly delayed.
Despite CrowdStrike’s dominance in the cybersecurity space, its annual revenue is just under $4 billion.
But one expert said CrowdStrike may be protected from liability in its contracts with customers.
“My guess is that the contract protects them,” said James Lewis, a research fellow at the Center for Strategic and International Studies.
Lewis pointed to a case that was decided Thursday in favor of another software company, SolarWinds. A judge dismissed Securities and Exchange Commission charges against SolarWinds related to the Russian hacking of federal agencies in late 2020. Lewis said that in that case SolarWinds was only accused of failing to disclose vulnerabilities in its systems to outside hackers, not of damages caused by its own actions. But it still won the dismissal.
It’s also unclear how many customers CrowdStrike will lose because of Friday’s outage.
Wedbush Securities’ Ives estimates that fewer than 5% of clients are likely to defect.
“They’re a very established player, so moving away from CrowdStrike would be a gamble,” he said.
Switching from CrowdStrike to a competitor would be difficult and costly for many customers, but the real blow to CrowdStrike could be a reputational hit that makes it harder to attract new customers.
“Today, CrowdStrike has become a household name, but not in a good way, and it will take time for it to settle in,” Ives said.
CrowdStrike CEO George Kurtz said in an interview with CNBC on Friday morning that the company is focused on resolving the ongoing issues and believes most customers have been understanding so far.
“My goal right now is to make sure all of our customers get back on track,” he said. “I think many of our customers understand that this is a complex environment and that these content updates are necessary to stay ahead of bad actors.”
But even if customers are receptive, CrowdStrike’s rivals are likely to use Friday’s events to try to poach them.
“This is a very competitive business. Salespeople from all the other companies are going to come in and say, ‘This has never happened to us before,’” said Eric O’Neill, a cybersecurity expert and former FBI counterintelligence officer. “They’re a great company doing important work. I hope they survive this crisis. If they don’t, the only winners are the cybercriminals.”