CrowdStrike Outage Drained $5.4 Billion From Fortune 500: Report

Cybersecurity firm CrowdStrike’s botched update more than one week ago spurred a global IT catastrophe that shut down critical services across many industries, including healthcare, travel, banking and many others.

As companies scrambled to fix the problem, which required manual, hands-on attention for each affected device, revenues took a big blow. The outage led to significant global IT disruptions, grounded airlines, and hit hospitals, TV stations, and financial markets hard.

According to cloud risk firm Parametrix, the outage caused a total of $5.4 billion in direct losses. The healthcare sector took the biggest hit, with a $1.9 billion loss while the banking industry suffered a $1.4 billion loss. Companies in each industry will likely average a loss of $43.6 million each.

“Our analysis of the CrowdStrike outage shows not only the possible extent of a systemic cyber loss event, but also its boundaries,” Jonathan Hatzor, co-founder and chief executive officer at Parametrix, said in a statement.

Cybersecurity insurance policies will only cover 10% to 20% of the revenue losses (or $540 million to $1.08 billion), according to the Parametrix report. CrowdStrike will likely be shielded from potential lawsuits, Hatzor told MarketWatch. “CrowdStrike cannot take the liability for all of the financial impact and all of their clients in an unlimited way … And it’s impossible for companies to carry so much risk,” Hatzor said.

Related:CrowdStrike Aftermath: Lessons Learned for Future Recovery

For its part, CrowdStrike said a week-over-week comparison showed 97% of Windows sensors were online on July 24 -- 5 days after the outage. Contacted by InformationWeek, the company said it did not have a further update.

Beyond the Dollars and Cents

Unfortunately, beyond the bottom-line impact, there are also deeper business wounds that should be considered, according to Allie Mellen, principal analyst at Forrester. “The losses from this incident extend far beyond IT and security,” Mellen tells InformationWeek in an email interview. “Unfortunately, in many instances it affected business continuity, which has immediate effects on customers’ and partners’ ability to access and interact with the business, and lasting effects on brand reputation, employee experience, and customer experience.”

According to Parametrix, about a quarter of Fortune 500 companies, including 100% of airlines, were impacted by the outage. About three quarters of the health and banking sectors suffered direct hits to revenue.

“Prevention is important, but risk carriers have limited control over event occurrences and service-provider practices,” Hatzor said. “The industry should focus on controllable areas, like mapping and managing aggregation risk.”

Related:CrowdStrike, Microsoft Outage Causes Global IT Meltdown

Martha Heller, CEO at executive search firm Heller Search, says CIOs are bearing much of the burden of the outage, with already heightened security tensions escalated further. “It adds real-world impact to the tension we are all feeling in an increasingly connected, global, technical world,” Heller tells InformationWeek in an email interview. “CIOs always bear the brunt of responsibilities for outages, and this will be no different.”

Can Future Events be Prevented?

Forrester’s Mellen says steps can be taken to prevent the deep damages done by the CrowdStrike outage:

She says every organization needs to request in-depth information from XDR [extended detection and response] vendors regarding kernel access (CrowdStrike’s kernel access is key to its offerings and cited as the major culprit in the widespread outage). Even if you don’t use CrowdStrike, other endpoint security vendors likely have kernel access and companies should understand the extent of that access and potential exposure.

For Heller, the CrowdStrike outage is an opportunity for IT leaders to take a broader look at their business plans. “In the age of tight partnerships between software vendors and large global enterprises, when software updates can cause major business disruption, CIOs should be reviewing their business continuity plans to ensure recovery from this particular source of outage,” she says.

Related:Cloud Strategy in the Wake of the CrowdStrike Outage

Testing, Testing, Testing

Forrester’s Mellen says companies need to consider in-house testing for content updates, but that testing comes at an expense. “At the end of the day, content updates of this kind are meant to be implemented quickly because it is protection against the latest threats seen in the wild. Extensive in-house testing for content updates can be expensive and cumbersome … ”

Mellen says the bulk of the update testing should be handled by the security vendor.

Heller says it’s important to make the distinction between a cyber security incident and a software update incident, as the responses and lessons learned will be applicable specifically to the latter. Software update events, she says, “will happen with increasing frequency as our software vendors augment their own release management automation. CIOs should take this opportunity to educate their boards on cyber events versus software update events, and what the board’s role in business continuity planning should be.”

Heller adds, “Most CIOs will be asking more questions about how CrowdStrike (and other software partners) conduct their automated software updates."