After the chaos of Friday’s global IT outage – without doubt the worst the world has seen – questions are starting to be asked about who, if anyone, will pick up the bill.
Somewhat surprisingly, particularly given its share price has doubled during the year and was trading on a stratospheric rating, shares of CrowdStrike, the company at the heart of the outage, fell by only 11% having been down by twice as much during pre-market trade.
That suggests investors are reasonably confident that the company, previously a darling of Wall Street, will be able to salvage its reputation after this disaster and, more importantly, is not going to be on the hook for compensation.
There are several reasons for this.
The first is that it is impossible, this soon after the outage, to establish the sheer quantum of losses arising from it.
Secondly, even if a business or an individual consumer has been affected by the outage, it will not necessarily be straightforward to prove that any losses incurred were as a result of the outage.
Thirdly, there is an expectation that CrowdStrike will be covered by insurance.
Claiming for air travel losses
Among the heaviest losses are likely to be in the aviation industry as it appears to have been the sector most badly affected.
Even here, though, claiming for losses is unlikely to be clear-cut and especially for airline passengers.
One key issue here is where passengers were looking to travel to and from – with the rules differing between the US and the EU on what compensation is available. It will also be unclear who passengers look to claim from.
While refunds should ordinarily be sought in the first instance from the airlines themselves, the airlines – as the consumer advocacy group Which? pointed out – may argue that they are not obliged to pay compensation for delayed or cancelled flights because these were “extraordinary circumstances”.
That may leave some passengers who booked via a credit card having to see whether they enjoy recoverable cost protection. Expect, also, rows over whether passengers with travel insurance enjoyed travel disruption cover – which not all such policies do.
Insurers themselves suffered some of the worst share price declines on the back of the outage. Among the biggest fallers on the FTSE-100 yesterday was Beazley, the Lloyd’s of London insurer, which provides insurance against business interruption and cyber security attacks. Also lower was its peer Hiscox.
Yet the latter’s experience during the pandemic – when it was slammed by small businesses, particularly in the hospitality sector, for not paying out on some business interruption policies – is a guide to what may happen here.
Hiscox and some of its peers argued that the wording of these policies did not oblige them to pay out.
Although a negotiated settlement was achieved under the auspices of the courts and the Financial Conduct Authority, some businesses were left out of pocket. It would be startling were the insurers not to have learned from that episode and tightened up on policy wording.
So it is by no means certain that the losses incurred from this event are even insured. Where they are, it will probably be under a cyber policy specifically covering a loss of income due to an interruption in the service of a third-party provider.
The wording might also specifically refer to a malicious attack on a software or IT services provider and also to the amount of time that a system has been down. Many such insurance policies only cover losses after a system has been out of service for between six to 12 hours.
Financial services compensation
Another key area for compensation is likely to be in the financial services sector even though it seems not to have been too badly affected.
Some brokerages around the world – most notably in India, where markets were active when the outage first struck – are said to be facing compensation claims from clients who incurred losses because they were not able to get out of their positions.
However, disruption to financial markets was kept to a minimum, as Jennifer McKeown, chief global economist at Capital Economics, told clients yesterday: “Those sectors operating with strong IT support systems will be best placed to experience only minor, short-lived effects.
“This might explain why there has been little impact on financial markets so far – note, for example, that the London Stock Exchange claims to have been almost unaffected.”
She said another reason for the muted impact in markets was because George Kurtz, the founder and chief executive of CrowdStrike, had ruled out the possibility of a cyber attack.
That said, analysts still expect a considerable hit to CrowdStrike itself, not least in terms of the cost in rectifying the problem and subsequently investing to rebuild its reputation. The company had a famously large marketing budget.
‘There will be financial consequences’
As Keith Bachman, senior research analyst at BMO Capital Markets, told clients: “We believe there will be financial consequences from this issue.
“As one example, we think customers will be seeking relief and compensation from damages, which we think could include discounts or credits for both new contracts and renewals.
“Hence, we think there could be an impact on growth rates and cash.”
Some analysts, though, think the broader IT sector could benefit from the outage as customers rush to invest in continuity preparation.
Shaun Eyal, managing director and senior analyst covering the communications, security, and infrastructure software sectors at broker TD Cowen, said: “Enterprises are likely to examine their incident response capabilities and the need to carry backup plans.
“We envision an emergency-driven spending cycle.”
So it is far from clear what the financial consequences of this outage will be – less still who will pick up the tab.
It is a noted phenomenon that, after a notorious gun crime in the US, sales of guns go up and, with them, shares in manufacturers of firearms and ammunition.
It would be similarly ironic were the IT sector to benefit from increased spending by clients following this outage.