CrowdStrike's $5.4B IT Outage Damage, Why I am Buying The Fear?
CrowdStrike's unprecedented challenge and opportunity. Why I bought the fear at $205/share.
Hi, I am Trung. I deep-dive into market leaders with my sleep-well checklist. I follow up on their performance with my Thesis Tracker updates, and when the right price comes, I buy them for the Sleep Well Portfolio, which I am building for my daughters to redeem in 2037. I disclose my reasoning for all BUY and SELL (ideally never).
Hi, sleep-well investors,
Two months ago, I was fortunate to trim my position at $381/share. Since then, CrowdStrike’s market valuation has been cut in half due to the global IT outage it caused.
I reflect on the long-term impact and my remaining ownership of CrowdStrike.
CrowdStrike was the leader in endpoint security, boasting the fastest threat detection capability and a 6x return on investment for customers thanks to its superior cloud-first, AI-native, and lightweight agent architecture.
Nearly 30,000 enterprise customers have flocked to the platform since its IPO in 2019, of which 65% are adopting more than 6 modules. The annual recurring revenue grew at a 60% CAGR to reach $3.6B and is estimated to increase by 20% over the next 5-10 years. CrowdStrike enjoyed a premium multiple of up to 150x FCF and never dipped below 30x post-Covid.
That was until the global outage two weeks ago, which put everything CrowdStrike had achieved into question.
The event was well-documented. After an initial review of the impact, I cautiously concluded that I would only add CrowdStrike at a specific price, given that it wasn’t a security breach but an internal (reparable) DevOps incompetency.
I am cautiously placing an order to buy CrowdStrike but only at $285/share or lower, where the expectations of the business performance are reduced to 15% free cash flow growth for the next decade, above the growth rate of the cybersecurity market at around 10% CAGR. I’ll continue to monitor how the company deals with the issue going forward and reflect accordingly.
After much reflection (and a short holiday), I still believe CrowdStrike can recover from this unprecedented challenge. This is driven by management's strong incentive and early evidence of thorough remediation actions on the Post-Incident Review analysis.
As such, this is how I view CrowdStrike in the next few quarters and years and my plans for my existing ownership.
Short-term view
PR and competitors will take every opportunity to create headlines and attack CrowdStrike.
SentinelOne’s CEO, Tomer Weingarten, recently took a stab.
“This is a product of bad design, bad design decisions... This is not just an honest mistake. It's a result of how the architecture was used — or maybe even abused, I would say... This is not force majeure. This is bad architecture.”
That’s to be expected, given that CrowdStrike CEO and co-founder George Kurtz has openly criticized SentinelOne’s platform in recent years (read my Q1’24 review, Fal.con review).
For now, the market will ensure CrowdStrike's terrible mistake is in its sales pitch, and impacted customers will want CrowdStrike (and Microsoft) to pay the price.
Since then, CrowdStrike has lost over 45% of its market value, the third-largest drawdown behind the 60% drawdowns in 2023 and 2020.
The last two times were industry-wide, but this time is different. Will CrowdStrike crumble from this debacle?
Let’s address the elephant in the room.
What is the total damage CrowdStrike caused?
It was estimated that CrowdStrike has cost Fortune 500 companies as much as $5.4 billion in revenues.
The healthcare and banking sectors were hit the hardest at around $2B and $1B, respectively. (Parametrix)
Meanwhile, airlines such as Delta, American, and United Airlines are thought to have collectively lost $1.3B. Delta was the first high-profile company to announce that it had hired lawyers to recover the damage. I expect more of the same ‘bad’ news to come as more companies follow suit.
The $5.4B estimate is more than CrowdStrike's $3B cash on hand and $1B free cash flow.
Fortunately for CrowdStrike, I don't see how companies can claim damages directly. I believe cyber insurers would bear most of the cost. Yes, legal fees could be high. But they’re likely in the millions, not billions, and it’s a one-off.
I am more worried about the loss of new customers, the fall in retention of existing ones, and the unwillingness to own the mistake and learn from it. These are the longer-term impacts.
Ownership view
As a part-owner of CrowdStrike, I would want George Kurtz and his team to focus on improving the internal process and using it as a sales opportunity, even if it means lower margins and market share in the next 12 months.
“There’s no such thing as bad publicity,” P.T. Barnum
Or, as Oscar Wilde put it:
“There’s only one thing in the world worse than being talked about, and that is not being talked about.”
There are two overarching questions I tried to answer as an outsider.
Can the company recover and adapt?
Can I still trust the management?