sb.scorecardresearch
Advertisement
OPINION

Published 10:50 IST, July 25th 2024

CrowdStrike in cursed grip of corporate klutz club

CrowdStrike has lost 20% of its market capitalization in the aftermath and the decline mirrors similar collapses elsewhere.

Reuters Breakingviews
John Foley
Follow: Google News Icon
  • share
CrowdStrike Stock Plunges 15% After Global Outage
CrowdStrike Stock Plunges 15% After Global Outage | Image: AI Generated
Advertisement

One strike. Accidents happen all the time. Forgiveness, however, is granted less often. CrowdStrike, the cybersecurity software developer, marks the latest big company to gauge the willingness of investors to move past an unforeseen, value-destroying catastrophe. Others have crafted a roadmap, but not all roads lead back to rehabilitation.

What CrowdStrike CEO George Kurtz described as a “defect” in a routine update last week led to chaos everywhere from banks to hospitals. Some 8.5 million Microsoft-enabled devices were left showing the so-called blue screen of death that signifies something gravely wrong. While a bug-free version had been released little more than an hour later, flights were still being grounded by outage-stricken airlines three days later.

CrowdStrike has lost 20% of its market capitalization in the aftermath. The decline mirrors similar collapses elsewhere. A study by Australian consultant Senate SHJ looked at 70 companies that experienced a crisis, and found that the average stock-price drop was about 12%, but the results are highly dependent on industry and what specifically went wrong. Equifax, the credit-scoring agency that suffered a data breach in 2017, and German carmaker Volkswagen, whose emissions data turned out in 2015 to have been falsified, both dropped around 35% in short order.

Miners and drillers tend to suffer the worst, with an average drop of 22%, presumably because their accidents often involve loss of life. BP’s shares tumbled by half in the two months that followed the 2010 Deepwater Horizon spill. The technology industry is exposed largely because so much depends on unproven future growth. CrowdStrike was trading at 19 times this year’s forecast revenue, according to LSEG, versus just 5 times for software makers overall.

For certain, it could be worse. The easier it is for customers to get what they need elsewhere, the more painful a misstep will be. Chipotle Mexican Grill, the U.S. fast-food chain, found out the hard way when its burritos sickened diners in 2015. Within a year, the stock had fallen by almost half, during which time Olive Garden owner Darden Restaurants gained about 6%, including dividends, while Domino’s Pizza shares were up by more than 40%. It took Chipotle roughly four years to regain the equity value that had been eaten away.

In CrowdStrike’s case, its $3.1 billion of revenue last year represents only a small portion of what it defines as a $100 billion market. Despite the lack of serious concentration, it isn’t easy to switch cybersecurity providers because of how deeply embedded the software is inside a company’s systems. It means customers are less likely to defect, but it could make it harder to attract new ones, who accounted for almost half of CrowdStrike’s 34% recurring-revenue growth last year.

The type of crisis matters, too. Accounting scandals are particularly damaging because they usually reflect a culture of dishonesty, unlike a glitchy update, which can be pinned on sloppiness. In extreme cases, as with energy trader and utility Enron, the disclosure of real numbers reveals a company that is worthless. Cyberattacks are more variable. A hack on mega-bank JPMorgan in 2014 barely fazed shareholders. A data breach at Capital One Financial in 2019 erased more than 10% from the stock price in a week, but it only took roughly three months to recover.

Whatever the cause, culpability is key. A PricewaterhouseCoopers study in 2020 found that crisis-racked companies roughly split into two groups: winners, whose shares were up around 10% after 250 days, and losers, whose shares were down 15% over the same period. How management behaved in the fallout mostly determined the path.

Sometimes heads roll from the corner office. Equifax jettisoned CEO Richard Smith after a data breach which, he later said, was caused by an “individual” who had failed to heed security warnings. Wells Fargo parted ways with boss John Stumpf as the bank tried to recover from years of fraudulently opening customer accounts and other misdeeds. It’s hard to imagine a similar outcome for CrowdStrike, where Kurtz is both founder and owner of 20% of the votes.

Besides, even a full management shake-up takes time. Stumpf’s successor, Tim Sloan, was gone in fewer than three years; Charlie Scharf still hasn’t fixed the problems he inherited. Dave Calhoun, Boeing’s post-crisis CEO, is stepping down at the end of this year, and his replacement has yet to be found. The aircraft manufacturer’s shares are roughly half where they were before the first of two fatal crashes involving its 737 MAX model in October 2018.

The other way out of a crisis – inevitably – involves spending to prevent more gaffes. The poster child is probably Citigroup, the U.S. bank that has slipped on one banana skin after another, from money laundering to fat-finger trades. Boss Jane Fraser is now trying to address decades of underinvestment in systems and software, and the result is that expenses are chewing up more than two-thirds of revenue, compared with the 60% she is targeting. The bank persistently trades below its net asset value, whereas its biggest rivals command premiums to theirs.

It’s early for CrowdStrike, but the roadmap to rehabilitation is likely to involve both a hit to potential revenue and a rise in costs. Analysts expect the company’s top line to grow at an annual rate of 23% for the next five years, reaching $8.5 billion in 2029, according to Visible Alpha. But say that growth rate falls by 3 percentage points as new customers become hesitant or negotiate harder, crimping revenue to $7.6 billion. Then assume that as CrowdStrike invests to avoid any more blue death-screens, its EBITDA margin falls to 30% from 35%. That would mean profit fell by a quarter, close to what investors are implying.

Even that doesn’t factor in the hard part: convincing shareholders it won’t happen again. For every rogue actor or careless employee, there are usually many negligent or unobservant colleagues who failed to spot the problem. As Citi, Boeing and Wells Fargo have found, demonstrating a genuine change in culture is almost impossible. CrowdStrike’s task now is to persuade the market that its mishap is just a one-off, because the stain of recurring ineptitude is often very hard to remove.

Updated 10:50 IST, July 25th 2024