In July 2024, a faulty update to CrowdStrike's Falcon sensor software caused a widespread system crash, leaving millions of Windows computers stuck on the dreaded Blue Screen of Death. The incident resulted in significant disruptions, including the cancellation of thousands of flights, delays in package deliveries, and interruptions to medical procedures. While the immediate impact has been resolved, the event will continue to have far-reaching implications, including in the following risk areas:
Customer Risk
Third-Party Software Risk
Technology Risk
Software Revenue Recognition Risk
Customer Risk
No business likes to have serious disputes with customers. High-profile disputes that play out over time in the press and the legal system tend to have far-ranging impacts on reputation, customer relationships, sales, costs and shareholder value. The significant impact on Delta Air Lines and the potential roles of Microsoft and CrowdStrike have continued to be front-page news. CrowdStrike and Microsoft have claimed that they are not responsible for Delta's technology infrastructure challenges and that Delta refused their assistance. Delta is countering those claims by stating that it is not responsible for CrowdStrike's failure. “Delta was clearly impacted at a much higher level than any other airline,” Delta CEO Ed Bastian said, pointing to the airline's “heavy reliance on CrowdStrike and Microsoft integrated into our mission-critical operational stack that triggered” its extended outages. SaaS customers will likely review their existing vendor relationships. Providers should expect more difficult contractual negotiations and a more challenging insurance market.
Third-Party Software Risk
According to the 2023 EY Global Third-party Risk Management Survey: “Most companies have not developed a clear roadmap, more than a quarter of financial services organizations (27%) say they have a multiyear plan with defined milestones and goals. Only 21% of nonfinancial services organizations have programs mapped out.” While most large companies have some type of third-party risk assessment process, risk leaders should anticipate questions from senior leadership and the Board about existing exposures. The scope of third-party risk assessments should be reviewed to ensure they address technical risks similar to the CrowdStrike outage, as well as strategic risks such as overreliance on key suppliers. Clear strategies should be developed for managing all critical third-party risks.
Technology Risk
Thousands of businesses and government agencies were affected globally. Delta had to cancel 5,000+ flights over the course of five days, far more than its competitors, as 40,000 servers had to be manually reset. Microsoft's lawyers claimed that “Delta, unlike its competitors, apparently has not modernized its IT infrastructure, either for the benefit of its customers or for its pilots and flight attendants.”
The organizations most affected should expect greater scrutiny from shareholders, regulators, and other key stakeholders on the quality and stability of their technology infrastructure.
Software Revenue Recognition Risk
Many Software-as-a-Service companies report a non-GAAP revenue measure called "annual recurring revenue" (ARR). While ARR has no standard definition, CrowdStrike defines it as the "annualized value of CrowdStrike's customer subscription contracts as of the measurement date, assuming any contract that expires during the next 12 months is renewed on its existing terms." ARR is used in part to determine executive compensation at CrowdStrike and many other SaaS companies.
SaaS and other software companies may face questions about the quality of their ARR reporting and how it impacts incentive compensation for sales executive leadership.