
On 19th July, a global IT outage caused by a single Crowdstrike update ran amok, impacting around 8.5 million Windows devices, and disrupting banks, hospitals, emergency services, railways and airlines. With a near 24% share of the global endpoint protection market, it was perhaps unsurprising that such a seemingly small glitch could have such devastating consequences.
Parametrix data suggest that Fortune 500 companies (Microsoft aside) face insured losses of $540 million – $1.08 billion, with global insurers set to lose $1.5 – $3 billion, and aggregate financial losses potentially hitting $15 billion.
The outage, its causes and the global impact naturally dominated the media and social media agenda for a number of days. Indeed, analysis by Carma points to over 14,517 articles, 12,200 posts on X and 155m overall impressions as of 12th August, with more than 60% of the coverage appearing in the first 48 hours.
Many ‘hot takes’ on Crowdstrike’s response have focussed on the extent to which the firm matched its operational response with empathetic communication and contrition. But from where I sit, it’s simply too early to draw definitive lessons or to say whether this case will fall into the good, bad or ugly category. Rather, here are a few key points as I see them:
- CrowdStrike’s CEO, George Kurtz, made a pretty full and unreserved personal apology on NBC News’s early morning bulletin around eight hours after the original update, with a formal blog statement shared on X around seven hours later.
- Many have said that Crowdstrike’s initial, technically-led comms lacked detail and empathy. However, as a subcontractor to Microsoft, facing a wall of potential contractual and contingent liability across countless legal systems, the lawyers, insurers and investors will have played it off-the-scale safe in the early hours.
- As important as empathy is, ‘operationalising’ that empathy with concrete action is even more crucial. There’s an unavoidable trade-off between speed of movement in apologising/showing empathy and having enough operational remediation detail to be able to match empathic contrition with demonstrable action. Without that, even the most heartfelt apology can quickly look like warm words.
- As of 16th August, Crowdstrike’s stock was sitting at $260 a share, down 24% on its price of $343 on 18th July and against a high of $392.15 on 1st July. That said, the company still enjoys an overwhelming consensus of ‘buy’ ratings. Where those metrics, market sentiment and the firm’s overall financial health head next will hinge just as much on its individual trusted relationships with customers, prospects and investors as on its overall reputational trajectory. The recovery phase will be critical, and while its highly detailed Preliminary Post-Incident Review is a good start, handing out US Dollar-denominated $10 Uber Eats vouchers that don’t actually work to staff and partners may not be the best way to go.
- In terms of that critical question of Crowdstrike’s turnkey relationships, much will hinge around the question of who will pay – an issue around which there is considerable ambiguity and uncertainty (other than the certainties that the legal profession will make a lot of money!). The current legal and PR standoff between Crowdstrike and Delta Airlines is likely to be just the first of many, creating ongoing uncertainty about Crowdstrike’s ability to control and cap its liabilities. However, beyond the financial considerations, the question of fundamental trust and its relational impacts could be a critical driver of the company’s long-term future.
- Come what may, we should all be on our guard against throwing too many Schadenfreude stones from inside glass houses. If risk = vulnerability x threat, remember that the potential for a catastrophic, snowballing glitch in a small chain of code is not unique to Crowdstrike. Add in the burgeoning prevalence of insider threats and cyber disruption by bad actors, and the global risk cocktail is pretty potent. Net net, Crowdstrike’s response has been pretty solid. What happens next and the lessons we can all draw are firmly work in progress.
By Rod Cartwright, Special Advisor, CIPR Crisis Communications Network and Principal of Rod Cartwright Consulting
