While many Americans were sleeping last night, information-technology (IT) systems were going down all around the world, including the IT systems for major airlines and banks. Experts are reportedly calling it the "largest IT outage in history." And stock-market darling CrowdStrike Holdings (CRWD -0.34%) is right at the center of the crisis.
CrowdStrike operates a cloud-based cybersecurity software platform. Being cloud-based, an update can come out at any time. The company did release an update which had a "defect". And this defect caused Microsoft Windows operating systems to get stuck on a "blue screen of death," unable to function properly. Companies running on other operating systems weren't impacted.
Co-founder and CEO George Kurtz says that CrowdStrike already identified the problem and a fix was deployed. The recovery is consequently underway. For example, United Airlines says that it's already resuming flights.
CrowdStrike is one of the most popular stocks on the market. Earlier this month, shares were up more than 50% in 2024. But as of 10:20 a.m. on Friday morning, shares were down 9%. Investors rightly want to know what to expect next. And there's truly a lot to unpack here.
Is this an overreaction?
Investors often overreact to news in the short term, losing long-term perspective. However, with CrowdStrike and its peers, a single headline can actually point out a problem with long-term consequences. It's hard for a physical-product business to change overnight but things can quickly change for a cloud-based software business such as this.
Therefore, I believe the market is behaving rationally today with CrowdStrike stock, given what investors know so far.
In the risk section of its financial filings, CrowdStrike says, "Because our cloud native security platform is complex, it may contain defects or errors that are not detected until after deployment." This is exactly what happened last night.
What does CrowdStrike's management say the risk is if a defect goes out? It says that this, "Could harm our reputation and adversely affect our business, financial position and results of operations." That's as materially consequential as it comes.
The good news for CrowdStrike's investors is that this wasn't a cybersecurity-related problem. Kurtz quickly pointed this out by saying, "This is not a security incident or cyberattack." The bad news is that its software defect still shut down major sectors of the global economy for long enough to cause real problems.
What's next for CrowdStrike stock now?
Shareholders may be tempted to breathe a sigh of relief now that things are getting back up and running. And on one hand, it's encouraging how quickly CrowdStrike was able to implement a fix. But it's too soon to leave today's news in the rearview mirror.
For starters, airline travel was greatly impacted this morning and it will take time for the airlines to get everyone to where they need to go. Thousands of travelers had to change their plans and the cost to the airlines is real and substantial. There's zero chance these companies will willingly foot the bill. They'll be looking for CrowdStrike to make restitution.
It will take time to know how much this mistake could wind up costing CrowdStrike. Moreover, it will likely take even longer to know the impact of potential reputational damage. Yes, this is a massive cybersecurity company with nearly $3.3 billion in trailing-12-month revenue. But it's hardly the only show in town. And smaller competitors such as SentinelOne would love to capitalize on CrowdStrike's mistake.
CrowdStrike's potential reputational damage will be a hard thing for investors to objectively evaluate from here. But one potential approach could be to monitor the company's remaining performance obligations (RPO). Its RPO stood at $4.7 billion as of Apr. 30.
CrowdStrike's RPO represents future revenue under contract related to its customers' subscriptions. The company points out that customers normally can't cancel once they sign on the dotted line. However, they can cancel if they have cause. And it's possible that many of its customers could say they have just cause to cancel after today's incident.
If the growth rate for CrowdStrike's RPO slows or if it outright drops, that might signal that there's damage that could set it back, at least for a time.
Even after dropping 9% this morning, CrowdStrike stock still trades at an expensive valuation of about 24 times its trailing sales. This lofty valuation assumes many years of robust growth ahead -- growth it's delivered on up until now. But if this event results in slowing growth for the company, then I would fully expect the stock to drop more and bring down the valuation to more appropriate levels.
On the flip side, if CrowdStrike's maintains its current growth trajectory despite today's incident, that would suggest this business is even stronger than investors give it credit for. And if it improves its systems and processes to prevent a mistake of this caliber from ever happening again, it might wind up being in an even strong competitive position for the long term.
