A CrowdStrike update caused problems and blue screens of death for mission-critical operations across the economy. What does it mean for the cybersecurity company and the access tech providers will have going forward?

Motley Fool analyst Tim Beyers and host Dylan Lewis discuss:

  • The details of the recent global IT outage and CrowdStrike's response.
  • CrowdStrike's unique root access and whether vendors will continue to be allowed such deep access to customers' Windows systems.
  • Whether CrowdStrike stock is worth buying on the sell-off, or if management has something to prove first.

Brian Haney, president and chief operating officer of Kinsale Capital, talks Motley Fool analyst Bill Mann through how retail investors can judge financial companies and why insurers have such a tough time in states like Florida.

To catch full episodes of all The Motley Fool's free podcasts, check out our podcast center. To get started investing, check out our quick-start guide to investing in stocks. A full transcript follows the video.

This video was recorded on July 22, 2024.

Dylan Lewis: You get a blue screen of death, and you get a blue screen of death. Motley Fool Money starts now. I'm Dylan Lewis, and I'm joined over the airways by Motley Fool analyst, Tim Beyers. Tim. Thanks for joining me.

Tim Beyers: Thanks, Dylan. That's rough, man. Nobody wants a blue screen of death. Nobody wants.

Dylan Lewis: Nobody does.

Tim Beyers: Nobody wants it. Lot of people got it.

Dylan Lewis: Yet blue screens of death everywhere over the last couple of days. That is going to be the theme of today's show. Catastrophes of every kind. We are checking in on the largest IT outage. We're also going to be getting a little bit of commentary on the insurance industry and how they handle catastrophes on today's show. Let's start with the unavoidable one here, Tim. The largest worldwide IT outage hit Friday went well into the weekend. Some airlines, and I think some other businesses still dealing with issues on Monday. We know that the issue was CrowdStrike. We knew that on Friday, still piecing information together, but we have a little bit of a better grip on things now. I think to kick us off, can you walk through what happened?

Tim Beyers: Unfortunately, this was a software update that was a bad update. If we're going to be blunt about it, that's what happened. CrowdStrike is in a boatload of devices around the world, but it only affected Windows devices. This is from the CrowdStrike technical blog. This was July 19 at about 4:09, and that is UTC. I think that was noontime, Eastern or something like that. I'm sorry, midnight. I'm not noontime. It was a what CrowdStrike calls a censor configuration update, and this was to Windows systems, and censored configurations are part of how CrowdStrike collects data for Falcon. It triggered what's called a logic error, and that ended up crashing Windows systems, and everybody got the blue screen of death here. This was a file, it was called Channel File 291, and it controls how the CrowdStrike Falcon security platform. Again, what CrowdStrike Falcon does, and its most basic, this endpoint protection device. On every device that is protected, there's a little bit of CrowdStrike software. This software, this file, this channel file is pushed to that software that exists in this case on a Windows device. That Falcon software evaluates things like certain threats. In this particular case, there was a threat that was after what's called named pipes and named pipe execution on Windows systems. They were looking at trying to update for malicious targeting of this particular part of the Windows system. It just went horribly wrong, Dylan. This logic error does appear to be. This is the way Tim White described it to me is that if it's a logic error, it probably overflowed some memory and caused the OS to just be unable to continue loading. In other words, in come some instructions and the OS said, that's too much. Hang on here. It just caused a blue screen of death doom loop that caused the OS to say, you've got to restart, and then you restart, and now you have the same problem. Nothing is happening here. You just have a continual loop of doom here until you remove that particular file. CrowdStrike has taken steps to show people how to get that file out and fix the problem. But, it's caused a huge amount of headaches here, Dylan.

Dylan Lewis: The dreaded blue screen of death did show up in a few places. Probably not a welcome sign for some of the weary airline travelers. It did show up in some critical systems like healthcare and banking in addition to airlines. You mentioned the CrowdStrike blog post. We did get some commentary on this from management at Microsoft. According to them, the update affected 8.5 million Windows devices, which sounds like a lot, but they estimate that that was less than 1% of Windows machines. As bad as this was, it actually could have been quite a bit worse.

Tim Beyers: For sure. But that's still a lot of machines. Those machines were working in critical operations for healthcare, airlines, transportation. The scale of the outage in terms of the systems that it impacted, so we could agree, maybe not as many machines as it could have been, but the machines it did hit were mission critical machines at really awful times and caused a huge amount of headache for a lot of people. That's a real problem here. I think we need to get at the issue, which is CrowdStrike as a security provider. What CrowdStrike ultimately sells, yes, it's software. But what CrowdStrike sells, ultimately, Dylan, is trust. You can trust us to watch out in the environment for all of the things that could harm your systems, harm your network, harm your devices. Trust us to do that. We are going to live at the root of your machines. In other words, in this case, the reason that CrowdStrike was so devastating is that it ties into with the machines that were affected the Windows Kernel. In other words, the very root of the machine. It gets access to the deepest parts of the machine, so when things go wrong, they go wrong with not just with the isolated part of the CrowdStrike software, and you just have to restart that software. You have to restart the whole machine because it's tied into the Kernel. It's tied into the root. It's like, as if you chop off a branch on a tree, I'm sure the tree is not going to like that very much, but it doesn't kill the tree. But if you are getting it at the roots, if you are injecting pesticides into the root, yeah, that's a problem and that's the analogy here.

Dylan Lewis: Given the scale of this issue and how public it was for a company that tends to operate in the background and deliver something that most users, consumers aren't even aware is happening, what did you think of how CrowdStrike and CEO George Kurtz handled this?

Tim Beyers: I think it was OK. I don't think it was exceptional. I think he has much more work to do. The one thing you cannot do in a situation like this is minimize. I don't think he was trying to minimize, but what he said was, essentially that, we responded to this really quickly. You know what? Eighty minutes worth of response, which is roughly where they were, technically that's reasonably fast. But for people that are still dealing with this, or were dealing with it, like, the airlines have still not caught up. Tell them you dealt with it fast. He did apologize. He did put it out on the CrowdStrike website, which is good. But I think we're only starting to see what CrowdStrike needs to do to make this right. I will argue that CrowdStrike, the initial response was, OK, I'm neither going to ding them too harshly nor give them too much credit, because I think we have only started to see what CrowdStrike has to do to heal some of these relationships. How many are going to do what Elon Musk did, this may be typical Musk bluster, or it may be real. I'm going to take him at his word. He said, we just uninstalled it everywhere. We just got rid of it. How many other companies are going to do that? I don't know, Dylan, but that is going to be an account-by-account process. That's real. That's going to be something that we're going to have to watch.

Dylan Lewis: I want to have you help me figure out where exactly we should be on the reaction meter for this, because I know you're someone who's followed the company for a while. There are a lot of listeners who own the stock, and have been following the business for a while. We see things like this blow up with companies sometimes, and it winds up being something that several months from now, the world has largely forgotten or moved on from aside from the people that are really in that industry. We also see some of these things manifest into really thesis-altering or long-term reputational risk issues for a business. Where do you see it on that spectrum, Tim?

Tim Beyers: I think there's a little bit of both. I feel bad because I want to tell you that this is a rich buying opportunity for CrowdStrike. I think it's too early to say that, Dylan. The overreaction here is that this is the end of CrowdStrike. I don't think that's true. I think these sorts of mistakes do happen, and the best thing you can do in a situation like this is do your best to repair it. Then you go above and beyond what the customer expects to try to repair this and regain trust. CrowdStrike can do that. I think it's worth it to give them some time to do that. On the other hand, I am not going to pretend that this is small, and it's the same as just your average hack, I don't think that's right. What was revealed here is that CrowdStrike has a very special place inside of devices, where if you compromise CrowdStrike, you may be compromising things that are much bigger and much deeper and fundamental to your business. It raises a big question, do I trust CrowdStrike with that much access? If not, then that will have a material impact on the business Dylan. That's the thing that I think is fundamental here. In the case of, for example, where this is fundamentally different from what we recently saw at Snowflake. Snowflake has had some recent attacks where things were breaches. This was not a breach. This was a mistake, but the net effect is there's some things that just have not gone right. In this case, a lot of systems went down. In the case of Snowflake, they did not teach their customers early on or enforce multi factor authentication, in other words, making your system a little bit more secure. Some bad people got in and took information that was valuable. They didn't do enough to protect themselves, and Snowflake didn't do enough to protect those customers. Now, is that a fundamental flaw? Does that speak to how fundamental Snowflake is, and should you trust them? I don't think those same questions are being asked about Snowflake as they are about CrowdStrike. I'm not willing to give up on CrowdStrike here, but I think you need to be honest and say, this is going to raise questions.

Dylan Lewis: The market is certainly raising some questions with shares of CrowdStrike. I think they're down over 20% since the incident was reported, I think about 15% on Friday, and then down, I think, again, double digits. Today, granted the company had been at all time highs prior to that. Knowing or taking your last answer there and into consideration, what would you want to see from CrowdStrike over the next couple of months, quarters to feel like this is a buying opportunity and this is a business that took a hit, but is still worth having money in?

Tim Beyers: Well, this is a company that is capable of generating quite a lot of cash and has had a pretty solid balance sheet. If that's true, if CrowdStrike does have a decent balance sheet, and it does have, the ability to generate a fair amount of cash flow, let's see it. How are you going to use that? Right now, I show on the balance sheet today, I'm just looking at the current assets. They have, $3.5 billion in cash and equivalents. How about taking 10% of that right now and saying, we're setting up a fund to support any remediation that has financial consequences for our customers because we care about making this right. Now, will the lawyers tell them to do that? No, they will not. Because once you do that and you start telling lawyers that there's money to be had, they'll go chasing it. But from the goodwill that you are trying to generate, I think that's a thing that I would like to see. It doesn't have to be that specifically, but some way to demonstrate that you're being proactive to set up some additional thing that didn't exist before where you recognize the damage that has been done, and you're going to do something about it at no cost to the customer to try to make this better.

I think another thing I'd like to see is, are there options that CrowdStrike could pursue to work with Windows machines differently than they do right now that might create a level of confidence that, yes, I can install CrowdStrike in my Windows environment and be OK, that, I'm not going to be subject to the same level of potential problem if something like this happens again? For example, I don't know that this is true to the same degree that I think it might be true, but one of the reasons the Apple machines, I think this is true here, the Apple machines were not affected is that Apple does not give you root access. Apple doesn't give you root access to its devices. Windows does. Now, what Microsoft has said in its own statement is that they are required to give root level access to some third party providers as a consequence of their dealings with the EU. Take that for what you will, but that doesn't prevent CrowdStrike from saying, you know what, we can make a better version.

Of the Windows software that we have, the Windows version of Falcon. Maybe we don't need to do root access. Maybe we can do this in a better way that makes customers feel safer, more confident. But things like that, Dylan, where we recognized this was a problem that had serious consequences for our customers. Here's what we're doing about it. Number two, hey, we are evaluating how we execute our software in a Windows environment to make this better, safer, more performant. We have new QA process, quality, and assurance processes that we are instituting. All of these things can help a customer say OK, I get that you take this seriously.

Dylan Lewis: From your lips to CrowdStrike management ears, I hope it happens, Tim. Thank you for joining me today.

Tim Beyers: Thanks, Dylan.

Dylan Lewis: Coming up. What's an insurance company supposed to do in a state that has the most exposure to natural catastrophes? Brian Haney is the president and COO of Kinsale Capital, a specialty insurance company. Haney joined Bill Mann on stage at Fool Fest 2024 last week. We're going to play some cuts of that conversation about how retail investors can judge financial companies and the trouble insurance providers have in Florida.

Bill Mann: One of the most common objections that we have from our investors is that they don't really understand financial companies, that it's a different type of investing, and insurance firms are definitely part of the financial industry. So I'm not sure what the proper way to describe it. It's not so much that it's not understandable, but I think it's difficult for investors to figure out what characteristics make for a really good financial company as compared to an unsuccessful one. Would you all agree that maybe that's true? Understanding a bank here's your money, I get my money back. That's not hard. It's what makes a good bank. What makes a good insurance company? Since from that clip, you were a $900 million market cap company and now you're a $9 billion market cap company. I figure you may know something about what it takes to be a good financial company or a good insurance company. What I thought I would do is just give a basic definition of insurance, which you can disagree with. It's fine. Then we can work our way up and we can talk about what makes for a good insurance company. The definition that I wrote down is that insurance is one party that is unable or unwilling to bear the loss of an event, entrusting that risk to the balance sheet of another party for a fee.

Brian Haney: That's fair.

Bill Mann: Sound that good?

Brian Haney: Yeah. Another way to look at it if we want to get Mafi would be, you think about the outcome of your house. Let's say you have a house in Florida. I'm guessing at least one person here does. The outcome of your house in Florida is binary. For the most part, it's like it's either there at the end of the season. Or it's not. That's a pretty wide distribution and the not part of that distribution is a very bad outcome that you would rather not have to deal with. But when you take a bunch of those independent random variables and add them together through the process called the law of large numbers, you start to get a very predictable curve. The insurance company is basically pooling all the risks to get a more predictable outcome and then distributing the cost to everybody else. It also serves a very valuable purpose, which is a price signal. The risk that you take by owning a house in Florida or by owning a house in wildfire-exposed parts of California in a properly functioning economy and market, you would bear the cost of that, and that's insurance helps you do that. The less exposed houses in Florida pay less than the more exposed. It serves a valuable social function. If you want to think of it this way, this is another way, and it's a socially valuable form of gambling. The way the gamble works is this, you are going to gamble your premium, and we are going to gamble our surplus. You put your premium in the middle of the pot and we put our surplus in the pot, and then we roll the dice and see what happens. Now, it's a hedge, so it really isn't speculation. But effectively, if you're the insurance company, you make money if you took in more premium than you paid out in losses and expenses. But there's a thing, and then Warren Buffett likes to talk about this called the float, which is the payout when we lose to you actually takes place over a number of years. We invest money while that process is unfolding. We get the underwriting profit or loss, and we also get the investing on the float.

Bill Mann: Basically, what if I can restate, you're taking somebody else's potential catastrophe and you're turning it into your ordinary course of business by virtue of you're having a balance sheet that's big enough to withstand their loss, the loss of a house?

Brian Haney: Yes. That's very fair.

Bill Mann: Let's talk about that balance sheet a little bit because it is the core of what a pooled product like an insurance scheme is. Is there anything differentiating between Kinsale's balance sheet and other insurance companies balance sheets?

Brian Haney: I would say yes. I'm going to have to back up and explain at a high level what property casualty company like ours balance sheet looks like. It's actually really simple. On the asset side, you have cash and invested assets. Because of certain regulatory requirements, most insurance companies have most of their assets in fixed income, and then some percentage would be in equities. But that's basically you're limited to a pretty vanilla portfolio. So cash invested assets, and then on the liability side, you have the reserves, which is the losses that you've incurred that you're going to have to pay out, but you haven't paid out yet. That's really it. There's not much differentiating. We own the same bonds and stocks and we have our own strategy and Markel has their own strategy, and every company has their own strategy. There's not that much differentiation. You look at like the yields, portfolios are not that much different. There is significant variability in the believability of that loss reserve number because that loss reserve number is an estimate. You don't know that number. Some companies are very good at putting a number up that is more likely to turn into a lower number than turn into a higher number. That's a process called reserve development. If your loss reserves come down over time, that's favorable development, which means you're showing income, you've basically delayed income. You've delayed gratification. The opposite of that is adverse development where you have to admit past sins. Remember all that money we said we made last year? Well, we made a little less, and we had to shrew it up. I would say, if you're an investor, the one thing I would pay attention to in your shoes would be, does the management team have a track record of having believable reserves that have the tendency to develop downward over time.

Bill Mann: You would prefer to see, I guess, logically, this makes sense, you would much rather see a beneficial adjustment than an adverse one?

Brian Haney: Yes, because the costs.

Bill Mann: See its not that hard. Hard things are bad, Brian. Thank you very much.

Brian Haney: Well, it's like we all have this loss aversion bias going on where bad things are happening. You view worse than good things you view well. If you're a company and you have adverse development, a bunch of bad things happen. One is, investors start to not believe you and so your stock price will plummet. Regulators start to scrutinize a little bit more because they start not believing your numbers, and then you actually get hit in the capital formulation. Your actual historical reserve development forms part of your capital charge. If you have a track record of adverse development, you are going to have to have more money because they just don't believe your numbers.

Bill Mann: One thing that I know that a lot of people are very sensitive to throughout the insurance industry is exactly what you're talking about, the cost element. When you see a state like Florida that has spiraling home insurance costs and insurers pulling out of the state at the same time, what part of the incentive structure or the structure of the state itself is broken?

Brian Haney: There's a few answers that. Let me start by saying Florida hurricane exposure is by far the world's largest exposure to natural catastrophe. If you look at five of the 10 costliest insured events in human history were in the last seven years in Florida. I think two of the other ones were hurricanes that were Atlantic Basin. Seven of the top 10 worst financial natural catastrophes.

Bill Mann: That's real.

Brian Haney: It's real. Structurally, there was a lot. This actually goes back to when the Fed was printing money for that long stretch of time after the Great Recession. It forced people looking for yield, asset managers looking for yield to go into alternative exotic investments, and they latched on to alternative reinsurance and insurance investments, insurance link securities, catastrophe bonds.

Bill Mann: Don't want to put a definition.

Brian Haney: Reinsurance is insurance of an insurance company.

Bill Mann: The insurers go get reinsurance. The level that they pay out starts say, $250 million or whatever.

Brian Haney: Yeah. A reinsurer effectively operates as an insurer, so that's the exact same process. But there's alternative vehicles through which you can achieve the same thing as reinsurance, and one is catastrophe bonds, which is just effectively a bet in the form of a bond that a hurricane won't happen. If a bad hurricane happens, you lose all your money, if it doesn't, you gain your yield a risk margin plus a risk for yield. The Portugal money led to asset managers getting into the insurance space indirectly. It drove down everybody's prices. If you have a house in Florida, what was probably not obvious to you was you were never paying an actuarially fair amount because there were these hidden subsidies everywhere. Now, that spigot has stopped or largely stopped. You don't have that. Then you had the pandemic and the inflation spike, and so you had a massive run up. It was really massive run-up in costs. Then now you have regulators doing what regulators usually do, which is try to lower costs by just mandating lower cost. It's economics 101, it functions exactly the way it should. Regulator comes in and says, you can't charge more than this, and then everybody else creates scarcity by pulling back or out.

Bill Mann: In Florida itself, does it have to do with the fact that there's no real way to lay off your risk within Florida with so much of the value of the land being within five miles of a coastline?

Brian Haney: I don't think it's that necessarily so much as if you are the peak area for world catastrophe, there's no.

Bill Mann: Congratulations. I guess.

Brian Haney: This is your reward. If you write catastrophe, anywhere else, if you write Japan quake or you write European flood, you can diversify away, and that tends to work because there is enough of the other stuff. You can always diversify to Florida wind. If you're writing Florida to wind, it's like its capacity is this and the next are all so far below it, that it's like just for putting up that capacity, you're going to get, let's call it a peak charge or it's like the capital providers don't have to provide capital to reinsurance or insurance in your state, and they're going to charge you for it. I think really what it is is Florida is a large state that's right in. The whole state is a catastrophe.

Bill Mann: It looks like a runway.

Brian Haney: There's just a lot of economic values there. That property market is gigantic.

Bill Mann: By the way, I want to make sure that anybody who is from Florida, we're not laughing at Florida. It is such a unique situation. But you're right, there's so much value to insure there.

Brian Haney: Yeah, and I feel bad for people who have property in Florida for this reason. You probably bought the property, assuming your carrying costs were X. But your carrying costs were subsidized. Then all of a sudden, the subsidy goes away and you had inflation. Now all of a sudden the carrying costs are three times, you're like, well, you still own the house.

Dylan Lewis: Listeners, if you're a US Motley Fool premium member, you can access all Fool Fest content at foolfest.fool.com. We'll put a link in the show note so you can find it there as well. While we were on-site at Fool Fest in DC last week, we caught up with Motley Fool members about why they love investing and why they love the fool. Here's Jason, a longtime member on why he's a fan.

Jason: Well, it's given me financial freedom and optionality in life. It has made me a better business person in my career and a better investor along the way. It's allowed me to learn. I think with the Motley Fool, has allowed me to meet some of the finest people I've ever had the pleasure of meeting.

Dylan Lewis: Listeners, we're always looking for fun ways to get your voices on the show. You can shoot us an email with a voice recording at [email protected]. That's podcasts with an S at fool.com, or you can call our hotline, 703-254-1445. That's 703-254-1445, and leave us a voice mail. You might wind up on the show. As always, people on the program may own stocks mentioned, and the Motley Fool may have formal recommendations for or against. Buy only things based solely on what you hear. I'm Dylan Lewis. Thank you for listening. We'll be back tomorrow.