DelCreo, Inc.

CrowdStrike Global Technology Outage - Lessons Learned

Weighing the Risks #23

Technology advances and innovation both lead to significant changes in market dynamics, industry value chains, competitive strategies, and organizational structures. New risks often emerge from the complexity, speed, interconnectedness of these new advances. Companies need to continually scan the far and near horizon for emerging risks and the evolving impacts of known risks.

CrowdStrike Incident

CrowdStrike, a cloud-based cybersecurity company distributed an update to its security software on July 19, 2024 that is believed to have been faulty and to have caused issues with computers running Microsoft Windows. Approximately 8.5 million systems crashed and could not restart properly in probably the largest computer outage in history with costs estimated to be $10b+ globally and counting. CrowdStrike’s stock price is down ~34% from its high on July 1st. Research conducted before the incident indicates that CrowdStrike has a committed customer base, and benefits from high switching costs which will tend to lock in current customers.  However, their research noted CrowdStrike has had “issues with releases that should have undergone more extensive quality control.”

Key Points

  • Industry: Cybersecurity software/ Cloud Computing

  • Company: CrowdStrike

  • Date: July 19, 2024

  • Issue: CrowdStrike Software Update

  • Specific Risk: Operational Disruption - A faulty software update by CrowdStrike caused widespread technological outages

  • Location: Global impact, with notable disruptions in the U.S., Europe, and Asia

  • Industry Sectors Impacted: Airlines, media, hospitals, government offices, small businesses

  • Users Affected: Millions worldwide, including travelers, patients, and media consumers

Lessons Learned

  • Technology trends may amplify or offset certain enterprise risks (third-party and cybersecurity risks)

  • Known risks (e.g. faulty software) may have unexpected impacts

  • Technology advances may lead to new systemic risks

Key Questions for Cloud-based Cybersecurity Customers

  • What critical dependencies and vulnerabilities exist related to our current cloud-based software providers?

  • How did we assess risks related to our third party software provider cybersecurity providers?

  • What is our third party risk profile and how is it being communicated to company leaders and the Board?

  • Do we need to update our third party risk assessment approach based lessons learned from the CrowdStrike incident?

Key Questions for CrowdStrike and Competitors

  • Did we miss signals from our customers about software updates?

  • How are we monitoring customer issues on external sites, blogs and forums? How do we assess and escalate potential issues to leadership and the Board when necessary?

  • What risk mitigations should be implemented and what should we communicate to our customers about these improvements?

  • Are customers communicating other concerns that should be proactively addressed?

  • Which customers are most likely to leave and how can we address their concerns?

  • Should we conduct an independent review of our controls over software updates?

Successful enterprise risk programs continuously scan the horizon for emerging risks and how they might impact their company. The CrowdStrike outage highlights how technology trends may intersect with each other, and be triggered by a specific incident to create global, systemic issues.

Request more information on DelCreo’s Risk Universe and risk assessment services.

As a reminder, here are our Risk Universe categories that we leverage to tackle and understand risk which include:

  • External Risk

  • Governance Risk

  • Strategic Risk

  • Product Risk

  • Business Operations Risk

  • Legal & Compliance Risk

  • Financial Risk

  • Technology Risk

We leverage our understanding of risk maps and risk universes to better advise our clients in strategic business decisions and to optimize the management of risk throughout the enterprise.

Weighing the Risks

Weekly Highlights

Three Key Ideas:

  • Federal Reserve Bank of New York President John Williams indicated that pre-pandemic economic risk factors leading to lower neutral interest rates still persist, suggesting ongoing economic stability concerns and potential adjustments in monetary policy. This emphasizes the need for close monitoring of economic data to understand inflation's impact on broader economic conditions.

  • The significant sell-off in US stock indices, driven by underwhelming results from tech giants like Tesla and Alphabet, highlights the volatility and overreliance on big tech stocks, raising concerns about market instability. Shifting investor sentiment towards smaller companies indicates potential market rotations and reflects broader economic risk factors, including lower-than-expected inflation and weakening regional activity data.

  • The U.S. consumer technology industry faces economic and industry risk factors from high inflation and slow economic growth, but the Consumer Technology Association (CTA) projects modest recovery driven by falling inflation and a replacement cycle for tech products. The deflationary nature of technology complicates revenue growth, but AI integration across sectors is expected to spur future growth, influenced by demographic shifts and evolving consumer needs.

Recommendations:

  • To address these external risks, business and risk managers should implement robust monitoring systems for economic indicators, diversify investment portfolios to mitigate reliance on high-risk sectors, and strategically plan for technological advancements and demographic changes to ensure long-term stability and growth.

Risk Universe Weekly Updates

External Risk

  • Fed's Williams Says Long-Term Trends Still Back Low Neutral Rate

    • Federal Reserve Bank of New York President John Williams indicated that the pre-pandemic economic risk factors leading to lower neutral interest rates still persist, suggesting stable long-term trends despite recent inflation. This insight underscores ongoing economic stability concerns and potential future adjustments in monetary policy.

    • Williams' comments highlight industry risk factors related to fluctuating interest rates and inflation, emphasizing the need for close monitoring of economic data between July and September as policymakers anticipate reducing borrowing costs. This period of assessment is critical for understanding the trajectory of inflation and its impact on broader economic conditions.

  • US markets suffer worst day since 2022 as Tesla and AI stocks fall

    • The significant sell-off in US stock indices, driven by underwhelming results from tech giants like Tesla and Alphabet, underscores critical economic and industry risk factors. The sharp declines in the S&P 500 and Nasdaq Composite, particularly among AI and tech stocks, highlight investor concerns about overreliance on big tech and potential market instability.

    • The shifting investor sentiment away from high-flying tech stocks towards smaller companies reflects broader economic risk factors and potential market rotations triggered by macroeconomic indicators, such as lower-than-expected inflation and weakening regional activity data. This volatility indicates a fragile risk sentiment and uncertainty surrounding future Federal Reserve interest rate cuts and the overall economic outlook.

  • U.S. consumer tech spending will grow slightly in 2024 and hit 4.4% growth in 2025 | CTA

    • The U.S. consumer technology industry is facing economic and industry risk factors, evidenced by a three-year decline in hardware revenues due to high inflation, slow economic growth, and pandemic-induced supply chain disruptions. Despite this, the Consumer Technology Association (CTA) projects a modest recovery with 1% growth in 2024 and 4.4% growth in 2025, driven by falling inflation and an upcoming replacement cycle for tech products purchased during the pandemic.

    • The industry's deflationary nature, attributed to technological advancements like Moore's Law, presents economic risk factors as falling prices for tech products complicate revenue growth. However, the integration of AI across consumer and enterprise technology sectors is expected to spur future growth and efficiency, though demographic shifts and evolving consumer needs will continue to influence market dynamics.

Strategic Risk

  • GE HealthCare to acquire clinical AI business from Intelligent Ultrasound for $51 million

    • GE HealthCare's acquisition of Intelligent Ultrasound's AI software business addresses disruptive innovation risk and company execution risk by integrating advanced AI-driven image analysis tools into their ultrasound portfolio, enhancing workflow efficiency and ease-of-use, which aligns with their precision care strategy. This move also strengthens their competitive position by expanding their AI-enabled device capabilities and accelerating AI development.

    • The acquisition mitigates brand and reputation risk and competition risk by incorporating leading AI technology to relieve sonographer burdens and improve patient care, thereby maintaining GE HealthCare's leadership in medical technology. It also addresses business model risk by broadening their AI innovation pipeline, ensuring long-term efficiencies and sustained growth in the healthcare technology sector.

  • Why Successful Leaders Are Turning to Strategic Adaptability to Stay Ahead

    • Advanced strategic management emphasizes the importance of recognizing and adapting to evolving competition risk and disruptive innovation risk. Companies must proactively anticipate industry changes and invest in continuous innovation, as exemplified by Apple's lifecycle approach to products, to maintain relevance and competitive edge.

    • Integrating digital transformation with environmental and regulatory trends addresses brand & reputation risk and business model risk. Businesses should leverage digital tools, comply with regulations, and adopt adaptive leadership to foster resilience, ensuring they can navigate uncertainties, enhance operational efficiency, and sustain growth amidst dynamic market conditions.

Business Operations Risk

  • Future-proofing operations: How tech and talent go hand in hand

    • Talent management and evolving generational needs pose significant business operations risks, including production/factory operations risk and talent management risk. Companies like Keurig Dr Pepper (KDP) face operational challenges due to labor market shortfalls, highlighting the importance of strategic workforce planning, leadership development, and flexibility in retaining a future-ready workforce.

    • Effective change management and technology integration are critical in addressing corporate IT infrastructure risk factors and ensuring business continuity. By leveraging digital tools for labor scheduling and enhancing employee engagement through reskilling and flexible work arrangements, organizations can mitigate customer support risks and business interruption risks, driving operational efficiency and productivity.

Legal & Compliance Risk

  • AI Washing Enforcement Continues, Highlighting Risks to Companies and Investors

    • The SEC's recent charges against Ilit Raz and the DOJ's parallel indictment underscore significant industry laws and regulations risk, highlighting the importance of accurate and truthful disclosures about AI technology. Companies must ensure that all statements regarding AI use are precise and not misleading to avoid severe legal consequences and regulatory scrutiny.

    • The case against Joonko illustrates the risks of business legal proceedings and inquiries, emphasizing the necessity for robust compliance with securities laws and ethical standards. Investors and companies should conduct thorough due diligence and ensure clear, consistent representations in all communications, focusing on intellectual property, privacy, and dataset acquisition issues to mitigate legal and compliance risks.

  • Oracle Agrees to Pay $115 Million to Settle Consumer Data Privacy Lawsuit

    • Oracle's $115 million settlement for privacy violations highlights significant legal and compliance risks related to industry laws and regulations, particularly regarding illegal data collection and third-party sales without user consent. The case emphasizes the importance of adhering to privacy laws, such as the California Invasion of Privacy Act and the Federal Wiretap Act, to avoid substantial legal and financial repercussions.

    • The lawsuit and Oracle's subsequent exit from the adtech business underscore critical compliance issues, including contract and licensing compliance and intellectual property risk factors. The decision to shut down data collection tools like AddThis and cease adtech operations by September 30, 2024, reflects the impact of global privacy regulations and the necessity for companies to manage their data practices ethically and transparently to mitigate legal risks.

Financial Risk

  • The Fintech Apocalypse is Here as Zombie Firms on the Rise

    • The increase in zombie companies highlights significant consumer financing risk and finance & accounting risk, as firms struggle with elevated borrowing costs and weak financial performance, resulting in higher net losses and decreased profitability. In 2023, 827 new zombie companies were identified, emphasizing the need for proactive measures to manage these financial challenges.

    • Stress tests indicate heightened capital and liquidity risk, as companies with variable interest loans face unsustainable debt levels due to higher interest rates, exacerbating fluctuations in results and forecasting risks. Smaller companies, in particular, are vulnerable, with their share of zombies rising by nearly 9% in 2023, underscoring treasury and real estate risk factors.

  • The AI hype train is still running at full tilt — just don't ask where the profits are

    • The enthusiasm and significant investment in AI technology highlight substantial financial risks, particularly fluctuations in results and forecasting risk. Despite high expectations and billions of dollars in investment, it remains uncertain if AI can generate sufficient returns, as demonstrated by companies like Google struggling to show AI's financial impact and OpenAI potentially losing $5 billion this year.

    • Capital and liquidity risk and net losses/profitability risks are evident as tech companies face pressure to justify high capital expenditures and valuations. Google's capital expenditure nearly doubled year-on-year to $13 billion, while startups like Cohere and Harvey have valuations far exceeding their revenue, raising concerns about the sustainability of their financial performance and ability to deliver expected returns.

Technology Risk

  • Early Adoption Of AI In Business

    • The "Black Box of Operationalizing AI" concept underscores significant product technology platform risk and technology platform operations risk as companies face challenges in identifying high-ROI AI use cases, the timeline of industry disruption, and factors hindering AI implementation, which can impede successful AI adoption and integration.

    • Successful AI adoption, exemplified by OpenText's efficiency improvements in content creation, highlights critical technology risk factors such as the need for clean, centralized datasets and effective change management, necessitating strong leadership and a centralized AI strategy to navigate the transformative impact of AI on business operations.

  • The Microsoft-CrowdStrike outage could spur a Big Tech trust reckoning and threaten tech giants' plans for AI

    • The CrowdStrike software issue that led to a global Microsoft IT outage underscores significant product technology platform risks and technology platform operations risks. This incident highlights the vulnerability of interconnected tech systems, emphasizing the critical need for robust cybersecurity measures and multi-layered defense strategies to prevent widespread operational disruptions.

    • The incident raises technology risk factors, particularly in the context of AI, where the potential for more severe disruptions is amplified. Experts argue for stronger government regulation and investment in security to safeguard against the risks posed by AI, as companies currently prioritize market readiness over comprehensive system reliability, leading to increased susceptibility to failures and breaches.

  • Big Tech says AI is booming. Wall Street is starting to see a bubble.

    • The substantial investments in AI by big tech companies pose significant product technology platform risks and technology platform operations risks, with concerns over the sustainability of these investments given the current lack of clear returns. Analysts are questioning the ability of AI to generate sufficient revenue to justify the billions being spent, highlighting the risk of a financial bubble if AI technology does not deliver on its promises.

    • The high costs associated with developing and running AI programs and the pressure on smaller startups to generate returns pose critical technology risk factors. Despite the potential for AI to transform industries, the current hype and speculative investment could lead to unrealistic expectations and financial instability, particularly for companies that cannot sustain prolonged periods without substantial revenue.