Learning From the CrowdStrike Outage

Editors’ Note: MarketMinder Europe doesn’t make individual security recommendations. The below merely represent a broader theme we wish to highlight.

On 19 July, a technology outage disrupted operations at scores of businesses worldwide, from airlines and hospitals to retailers and some financial services. The information technology (IT) failure spurred speculation amongst some commentators we follow about a potential future outage’s impact—particularly if the disruption were due to a large-scale hack. This scenario—and its possible damage to markets and/or the economy—has long been discussed in financial publications we read. But, perhaps counterintuitively, we think the event could actually assuage the concerns tied to those scenarios in some vital ways.

According to the news coverage we reviewed, a faulty software update from cybersecurity company CrowdStrike was apparently at the heart of the chaos.^[i] The bad file caused an error in Microsoft’s Windows operating system, rendering millions of computers inoperable—and leading to cascading, system-wide failures. Based on the accounts we read, the outage wasn’t due to a cyberattack or security breach, but it seems the disruption had a similar outcome to a hack, impacting operations at scores of industries. For example, several US airlines had to cancel flights whilst GP practices in the UK endured service interruptions.^[ii] The IT failure impacted numerous other businesses, from television stations to auto production.^[iii] Users of some smaller security trading venues couldn’t trade, and the London Stock Exchange reported some services and data weren’t available (though its securities trading wasn’t interrupted).^[iv]

19 July’s events spurred a predictable outcry amongst financial commentators we follow: When will the next IT meltdown happen and how bad could it get? With the world so interconnected and reliant on computers for everything from tracking inventories to paying for a cup of coffee, we have seen arguments that future outages risk crippling basic everyday economic activity. 

However, stocks seemed largely nonplussed. Yes, global markets have endured some volatility lately, falling -0.3% on Friday 19 July, before recovering the following Monday 22 July, and then selling off anew on unrelated earnings news, based on our observation and analysis.^[v] It is very hard to pin a modest, single-day drop on any one event, but we don’t think there is much fallout from the outage here. That markets seemed to move on isn’t to say disruptions aren’t a risk. But according to our studies, the issue appears more company-specific than market-wide—and past experience suggests it is especially so if the issue is with companies that harbor personal information.

Take the infamous 2017 data breach of US consumer credit reporting agency Equifax, which affected an estimated 147 million US consumers.^[vi] The credit bureau’s share price plummeted -14.1% after the news broke—and was down as much as -37.2% a week later before stabilising.^[vii] In our view, markets punished Equifax for its security failure, which isn’t surprising since the company’s core business is collecting and holding people’s private data. In a similar vein, US bank Capital One’s share price fell -5.3% on 30 July 2019, after word emerged of a data breach affecting more than 100 million accounts—including 140,000 Social Security numbers.^[viii]

However, we think markets also understand tech disruptions are a part of our modern, computer-dominated lives and that not all data breaches have the same business impact. For example, hackers stole credit card information from Chipotle restaurants in 2017.^[ix] Not great, but the news didn’t seem to roil the company’s stock price—in our view, the market recognised the burrito maker makes its money serving food, not safeguarding personal information.^[x] (See how E. coli and norovirus outbreaks did send Chipotle’s stock price tumbling back in 2015.^[xi]) Likewise, American retailer Target suffered a major breach that compromised the personal information of up to 70 million people in December 2013—yet instead of plummeting, its stock price actually ticked up 0.6% after the news became public.^[xii] In our opinion, broader markets also recognise individual companies’ issues don’t automatically pose macroeconomic threats. Go back to Equifax. Even as its stock price was falling like a rock, global stocks fell -0.6% the day the breach became public and were down -2.4% a week after the news broke—not nearly as severe as Equifax’s decline.^[xiii]

As for the economic impact, we don’t dismiss the inconvenience and potential hardship for individuals tied to hacks or service disruptions. For example, CrowdStrike’s failure led to flight delays affecting thousands of travelers (and likely ruining some holidays); cancelled doctor appointments and surgeries; and myriad business disruptions (e.g., some small businesses that have gone cashless had trouble taking payments). We don’t think that is beneficial for people.

That said, what we saw some call the largest IT outage in history didn’t grind the global economy to a halt. Though inconvenient, the disruption lacked the scale to halt economic activity, in our view. Consider a thought exercise from research outfit Capital Economics, which imagined a cyber attack causing output to halve for three full days—leading to an estimated hit of -0.2% to developed economies’ annual gross domestic product (GDP, a government-produced measure of economic output).^[xiv] The CrowdStrike outage appears to be much shorter and less severe than that hypothetical scenario. In our view, the fallout is likely to be akin to a natural disaster (e.g., a big storm)—typically more of a blip than a major hindrance to the global economy.

Next, we think investors benefit by thinking forward. Here is a potential unintended positive effect of this episode: Living through an outage can help reduce uncertainty. People get a taste of what it is like, and it becomes less of an unknown, which we think helps sap the shock factor. The disruption may also motivate businesses to set up contingency plans for a future outage—for instance, New York City officials credited training drills for a potential IT outage or cyberattack for why government operations held up without much issue.^[xv] Companies may also decide to diversify away from a single provider to reduce their risk (e.g., having multiple telecommunication options to contact clients). Another potential unintended effect: The CrowdStrike outage may spur even more investment and competition in the space, which means the longer-term effects could be positive for economic growth and competition.

That isn’t to say additional investment and new players with innovative ideas will prevent future outages. One is always possible. But don’t underrate businesses’ flexibility. Companies must always account for myriad risks, from outages to regulatory changes to new competitors, to ensure they stay in business. Those that can adapt best earn the profits for their dynamism, in our view.