The Failure Heard Round the World: Portfolio Management Lessons from CrowdStrike’s Recent Failure

Prior to July 19, CrowdStrike (Ticker: CRWD) was widely regarded as a leader within the cybersecurity industry. Their innovative technology, strong financial performance, and visionary leadership positioned them as an industry darling and a favorite among analysts and investors alike. However, CrowdStrike’s recent failure serves as a stark reminder of the vulnerabilities inherent in our increasingly interconnected economy as well as the importance of adhering to appropriate risk management strategies in portfolio management.

Cybersecurity Titan and Industry Darling

Before what was called one of the widest IT outages in recent history, CrowdStrike was a favored firm within the cybersecurity industry. Founded in 2011 by George Kurtz, Dmitri Alperovitch, and Gregg Marston, CrowdStrike quickly became a leading provider of cloud-delivered endpoint protection. The company's flagship product, the CrowdStrike Falcon platform, combines next-generation antivirus, endpoint detection and response (EDR), and threat intelligence to provide comprehensive protection against cyber threats. CrowdStrike's innovative approach to cybersecurity, leveraging artificial intelligence (AI) and machine learning to predict and prevent breaches, set it apart from traditional security companies. Their ability to deliver real-time protection and visibility across enterprise environments made them a preferred choice for many Fortune 500 companies.

Leading up to July, CrowdStrike demonstrated strong financial performance, characterized by its impressive revenue growth over the last several years. In January 2023, the company reported revenues of $2.2 billion, a 54.4% increase in revenues from the year prior. This growth trajectory continued into 2024, with the company projecting revenues to reach just under $4 billion by January 2025. Analysts and investors appeared confident in the company's ability to generate sustainable growth and deliver long-term value. Wall Street analysts favored the company within the technology sector, and more specifically in the cybersecurity subindustry. Analysts praised CrowdStrike for its cutting-edge technology, solid market position, and the visionary leadership of CEO George Kurtz. Before the incident, most analysts who covered the company had a "Buy" rating on CrowdStrike's stock. Their price targets ranged up to $520 per share, and they cited the company's rapid customer acquisition, high retention rates, and expanding product offerings as key drivers of future growth.

Beyond analysts, broad investor sentiment towards CrowdStrike was overwhelmingly positive. The company's stock was a favorite among growth-focused investors, who were drawn to its value proposition and promising growth trajectory. CrowdStrike's market performance reflected this confidence, with its stock price experiencing significant appreciation over the years. As of June 30th, CrowdStrike's market capitalization exceeded $90 billion, demonstrating a year-to-date (YTD) return of approximately 50.1% and a one-year return of 160.9%. The company's stock had consistently outperformed the broader market, with an annualized return of 15.1% and 41.0% over the last three and five years, respectively.

CrowdStrike's reputation was further bolstered by its dedication to consistent innovation. The company's commitment to staying ahead of emerging threats through continuous improvement and innovation in their Falcon platform earned them numerous accolades and industry awards, including five awards at the SC Awards Europe 2024 (Best Cloud Security Solution, Best Endpoint Solution, Best AI Solution, Best Threat Intelligence Technology, and Best Incident Response Solution), and Best Enterprise Security Solution and Best Managed Detection and Response Service at the SC Awards in 2023.

Their proactive approach to cybersecurity, coupled with their ability to provide actionable threat intelligence, positioned them as leaders in the field. The use of AI and machine learning to detect and prevent cyber threats in real-time set a new standard in the industry and the company’s cloud-native approach ensured that its solutions were scalable, efficient, and capable of protecting even the most complex enterprise environments.

CrowdStrike’s Failure

CrowdStrike's ability to secure contracts with high-profile clients, including just under 300 of the Fortune 500 companies, was a testament to its reliability and effectiveness. Its customer base spans multiple industries, including eight of the top 10 financial services firms, and seven of the top 10 manufacturers. In 2016, CrowdStrike worked with the Democratic National Committee (DNC) to investigate a suspected hack by Russian intelligence-affiliated adversaries, and in 2021 it was selected by the U.S. Cybersecurity and Infrastructure Security Agency as one of the major platforms to support some of the agency’s security initiatives. However, on July 19, 2024, CrowdStrike’s otherwise promising trajectory took a major hit when a massive tech outage was triggered by a routine software update.

What Happened on July 19, 2024?

CrowdStrike's update, intended to refresh the code in its threat-detection software, contained a critical flaw that prevented Microsoft Windows-based systems from starting. The issue was linked to a specific content deployment in CrowdStrike’s Falcon sensor, which led to the infamous "Blue Screen of Death" (BSOD). The resulting widespread system instability led to significant disruptions across various sectors, including airlines, financial institutions, healthcare providers, and government services.

This global disruption affected approximately 8.5 million devices (or roughly 1% of all Microsoft devices). Nearly one in four Fortune 500 companies experienced a service disruption because of the BSOD. Major airlines, including Delta Air Lines, United Airlines, and American Airlines, were forced to halt departures, with over 5,000 flights cancelled in the direct wake of the incident. Banks, government entities, and corporations experienced significant tech issues, with some hospitals and school districts reporting downed computers. The incident even disrupted 911 emergency services and delayed court proceedings in various jurisdictions.

CrowdStrike CEO George Kurtz issued an apology, stating that the issue was not a security incident or cyberattack but rather a bug in a routine update. Despite a quick deployment of a fix, the manual process required to restore affected systems meant that some users would face prolonged outages.

Lessons for Portfolio Management

As with any event, there are always lessons and reminders that can be taken into the future. As highlighted in the section above, businesses and individuals alike must prepare for potential technological disruptions. This includes having contingency plans and ensuring that cybersecurity measures are robust and regularly updated. Beyond this, the CrowdStrike failure also serves as a reminder of the importance of risk management in portfolio construction and investment management.

Market Impact and Broader Business Implications

As businesses increasingly rely on cloud-based solutions and automated tools, the potential for widespread disruption grows. Specifically, CrowdStrike's dominance in the cybersecurity market, holding about 15% of the security software market in 2023, illustrated the concentration risk inherent in relying on a few major providers for critical services. The incident has already prompted increased regulatory scrutiny of cybersecurity practices across various sectors. Governments and regulatory bodies emphasized the need for stringent cybersecurity standards and protocols to protect critical infrastructure.

A recent report by Parametrix estimates that the CrowdStrike failure likely led to a combined $5.4 billion loss across the impacted Fortune 500 companies, with the average affected company losing an estimated $43.6 million. The healthcare sector took the biggest collective hit, losing approximately $1.9 billion due to the outages, while airlines lost approximately $860 million.

As noted, the widespread impact of the event highlighted the need for diversification in technology vendors to mitigate such risks. Since the onset of the pandemic, many companies have been working to consolidate their tech stacks after rapidly spending and acquiring tech solutions they needed to transition to remote work. However, following the CrowdStrike failure, there has been a push for corporations to mitigate this risk. For example, Tenable CEO Amit Yoran stated “[m]uch as you diversify your portfolio, you have to diversify the technology infrastructure you use to ensure that it is resilient.”

While the immediate disruption highlighted the vulnerabilities within our interconnected technological landscape, it also underscored essential investment principles that can help hedge against risks and increase portfolio resilience. For investors, the key lesson is the importance of staying vigilant and proactive in managing portfolio risks. This includes diversifying investments, maintaining a disciplined approach to selling overvalued stocks, and continuously assessing both systematic and idiosyncratic risks.

Due Diligence and Continuous Monitoring

CrowdStrike’s failure serves as a stark reminder of the importance of thorough due diligence, while also spotlighting the impossibilities of predicting all outcomes. Due diligence involves examining a company's management team, understanding its business model, assessing its competitive landscape, and identifying potential risks. For CrowdStrike, understanding the technical aspects of its cybersecurity solutions and the implications of its software updates could have provided insights into potential vulnerabilities.

Prior to the incident, CrowdStrike was perceived as a relatively low-risk investment within the cybersecurity sector. The company’s proactive approach to threat intelligence and its ability to stay ahead of emerging cyber threats were viewed as key strengths. However, the broader cybersecurity reports did acknowledge the increasing sophistication of cyber adversaries and the potential for unexpected vulnerabilities to be exploited. According to CrowdStrike’s 2024 Global Threat Report, there was a dramatic increase in the velocity and sophistication of cyberattacks, with adversaries leveraging stolen credentials and exploiting cloud environments at unprecedented rates. The report highlighted a 75% increase in cloud intrusions and emphasized that adversaries were operating with greater stealth and speed than ever before.

While due diligence would have highlighted the rapid evolution of cyber threats and the potential for unforeseen vulnerabilities, the specific incident involving CrowdStrike’s software update was not easily predictable. The company’s strong financial performance and positive analyst ratings contributed to a perception of low-risk, underscoring the importance of continuous monitoring and adaptive risk management. However, even with continuous monitoring, the unpredictable nature of software bugs and the rapid evolution of cyber threats make such incidents difficult to foresee, even for industry leaders.

This event revealed the potential risks associated with even highly regarded companies. Investors must conduct comprehensive research, not only into a company's financial health and growth prospects but also into its operational and technological vulnerabilities. Additionally, investors should continuously monitor their investments and stay informed about developments that could impact their portfolio holdings.

Idiosyncratic vs. Systematic Risk

The CrowdStrike incident also provides a clear illustration of the interplay between idiosyncratic and systematic risks in the context of cybersecurity and the broader market. From the perspective of a CrowdStrike investor, the event is a classic example of idiosyncratic risk—which can generally be thought of as the risk specific to a single company or event. The flawed software update led to a significant operational disruption, impacting CrowdStrike's business and reputation. CrowdStrike's stock took a significant hit, dropping 13% in the immediate aftermath on Friday (July 19), ending the day down approximately 11.1%. The stock took another significant hit on Monday (July 22), dropping approximately 13.4% by the end of trading, and remains down 24.6% as of July 29. Moreover, the market capitalization of CrowdStrike has fallen to approximately $66 billion, with the stock pricing hovering around $234 per share on July 29 (more than $100 less than it closed at the day preceding the event).

However, beyond the obvious impact to CrowdStrike, the outage underscored the economic risks of reliance on centralized technology solutions beyond the impact on a single company, as well as the potential for single points of failure to cause widespread disruption. It also highlights the tension between the need for rapid updates and the risk of introducing flaws that can have catastrophic consequences. Specifically, systematic risk affects the broader market or economy and is generally unavoidable. The nature of modern economies means that an incident at one company, like CrowdStrike, can have ripple effects across multiple sectors.

The widespread use of CrowdStrike’s Falcon platform, combined with the ubiquity of Microsoft Windows, meant that this particular disruption had a global impact. The reliance on a single cybersecurity provider by a significant portion of the Fortune 500 companies amplified the impact of the event, making it a case study in the potential systemic vulnerabilities within the tech sector. As outlined above, CrowdStrike’s failure had broad market consequences, negatively impacting investor sentiment, and leading to increased volatility. While we have yet to see significant sell-offs in impacted firms, the impact may be delayed while companies seek to understand their resulting losses from the disruption. While the largest impact was felt by CrowdStrike, rival cybersecurity companies, including SentinelOne (S) and Palo Alto Networks (PANW) saw their shares rise as investors reacted to the event.

Investors must differentiate between these risks and employ strategies to manage them effectively. For example, while diversification can reduce idiosyncratic risk, systematic risk requires broader asset allocation and hedging strategies.

Diversification and Concentration Risk

The disruption and subsequent stock price drop associated with the CrowdStrike failure underscored the dangers of over-reliance on a single company or sector. Diversification involves spreading investments across various asset classes, sectors, and geographies to reduce exposure to any single risk. This strategy helps mitigate the impact of idiosyncratic events, like the CrowdStrike event, and provides a buffer against broader market volatility. Investors should ensure their portfolios are well-diversified, avoiding excessive concentration in high-performing but potentially vulnerable stocks.

Although holding concentrated positions in high-performing stocks can lead to significant gains, such as those recently seen in NVIDIA and CrowdStrike, there are risks associated with having a concentrated portfolio. For example, these positions are more vulnerable to idiosyncratic (or company-specific) risks, as seen in the CrowdStrike incident. Moreover, these concentrated positions can lead to portfolios that experience higher volatility and larger drawdowns during market corrections, with the overexposure possibly leading to substantial losses if the sector or stock underperforms. In fact, the Fortune 500’s overreliance on CrowdStrike parallels the concentration risk seen in financial markets, particularly within major indices like the S&P 500. Last year’s “Magnificent 7" drove much of the market’s performance, making up over 25% of the S&P’s holdings and more than 75% of the S&P’s gains for 2023. Such concentration is great when the market moves in the portfolio’s favor but can lead to heightened volatility and systemic risk when disruptions occur. For example, although the Magnificent 7 stocks had outsized gains in 2023, they also had substantially larger drawdowns in 2022 compared with the broader market when the Federal Reserve hiked interest rates at its fastest pace in nearly 40 years.

Effective position sizing plays an important role in managing portfolio risk and mitigating concentration risk. Position sizing refers to the amount of capital allocated to a particular investment within a portfolio. Proper position sizing helps to ensure that no single investment can disproportionately impact the overall portfolio. Specially, Investors should set limits on the percentage of the portfolio allocated to any single stock, adjusting these limits based on the stock's volatility and the investor's risk tolerance. Investors can deploy regular portfolio rebalancing to help maintain these limits and ensure that no single position grows too large, exposing the portfolio to unnecessary risk.

Trimming Winners to Protect Gains

As discussed earlier, before the CrowdStrike failure the company’s stock had experienced significant appreciation, making it a top performer in many portfolios. However, it’s rapid depreciation following the event highlighted the importance of trimming winners to manage risk and protect gains. The concept of trimming winners involves strategically selling a portion of appreciated assets to reduce exposure to stocks that have performed exceptionally well, locking in gains and managing risk.

To trim winners, one method is simply rebalancing your portfolio when one of your holdings has exceeded its position limit, especially when caused by rapid or significant price appreciation, to maintain your desired allocation. Investors who allowed CrowdStrike to grow beyond the recommended position limit of their portfolio faced significant losses when the stock dropped over 23% in the two trading days following the incident. Trimming the position earlier could have curtailed these losses and regular rebalancing would have helped maintain appropriate exposure to CrowdStrike, also potentially preventing overconcentration. However, choosing the appropriate time to trim your winners requires adherence to your predetermined risk and return discipline and philosophy, particularly since there is empirical evidence that winners continue to win.

Outside of rebalancing, investors may utilize rules-based criteria such as valuation metrics or price performance. For example, looking at historical P/E (price-to-earnings) trends, investors may look to trim a position if an investment’s P/E ratio becomes significantly higher than its historical and or industry average. Prior to the incident, CrowdStrike's valuation metrics, such as its P/E ratio, were significantly higher than industry averages. A rules-based approach to trimming on valuation could have been useful in this case regardless of the reason related to the stock price plunge. If valuation trimming is not appropriate, a simple approach could be to place stop-loss orders for securities that have appreciated significantly. By placing a stop-loss order, an investor can instruct a sale at a certain price below the current market price for a certain number of shares. In this case, a stop-loss order may not have triggered on the first day drop but could have prevented further losses on day two.

However, while trimming your winners is recommended for good portfolio management discipline, it is important to be mindful of tax implications related to selling. For example, if an investment has been held for under a year, short-term capital gains tax rates will apply, which are usually higher than long-term rates. The risk management techniques highlighted above are oversimplified and there are several more that may be appropriate for different types of investors. Working with a professional to achieve proper portfolio risk management is highly advisable.

Conclusion

The recent CrowdStrike failure serves as a powerful reminder of the complexities and interdependencies in today’s economy as well as the operational risks associated with technology companies. The widespread impact of this event underscores the interconnectedness of modern markets and highlights the importance of robust risk management practices, diversification, and continuous monitoring in building resilient investment portfolios. By learning from such events, investors can better navigate the uncertainties of the market and help safeguard their investments. In an increasingly interconnected and volatile economic environment, these principles are more important than ever for creating portfolio resilience and sustainable long-term performance.