American Association for Physician Leadership


What the 2024 CrowdStrike Glitch Can Teach Us About Cyber Risk

Raphael Yahalom

February 21, 2025


Summary:

The July 2024 CrowdStrike incident demonstrates the need to develop capabilities to assess the downstream business impact of cyber events, establish appropriate cyber resiliency objectives, and ensure effective communication for better cyber risk management decisions.

On July 19th, 2024, a single content update from CrowdStrike, a cybersecurity software company, caused more than 8.5 million systems to crash, disrupting operations for days across thousands of organizations worldwide, including hundreds of Fortune 1000 companies. The CrowdStrike “glitch,” as it became known, resulted in losses estimated to be more than $5 billion. The CrowdStrike incident is estimated to cost insurers around $1.5 billion in payouts, under business interruption, cyber, and system failure coverages. It represents one of the biggest examples of the adverse impact of aggregated cyber risk accumulation. In October 2024, Delta, one of the many businesses affected by the incident, filed a lawsuit against CrowdStrike claiming that the outage was “catastrophic.” Delta claimed it was the result of CrowdStrike’s “forced untested updates to its customers” and led to the disruption of 7,000 flights and 1.3 million customers over 5 days. The airline claimed a loss of more than $500 million.

CrowdStrike in response, while admitting the root cause was a fault in its software update, claimed that “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.”

In this article we examine what managers and executives can learn from this incident. We discuss the outage’s aftermath on the global state of cyber risk management, and we detail what organizations should be doing differently to prevent similar disruptions.

Companies Aren’t Prepared

The overall number of cyber incidents, and the magnitude of their impact, continue to grow and worsen, despite advances in cybersecurity solutions and increased cybersecurity spending by organizations.

According to IBM’s “2024 Cost of Data Breach Report,” the average cost of a data breach in 2024 was $4.88 million, an increase of 10%. Verizon’s 2024 annual Data Breach Report analyzed 30,458 cybersecurity incidents, of which 10,626 were confirmed data breaches — a record high.

A recent cyber risk market survey conducted by Milliman identified important gaps with significant market implications:

  • A highly fragmented cybersecurity market: Multiple solution directions with limited capabilities to unify these for credible comprehensive overall cyber risk management.

  • Cybersecurity decisions are based on disjointed data points: A variety of cyber scores, local assessments, and questionnaires with insufficient end-to-end cyber risk perspectives.

  • Ineffective assessments of cyber risk concentration: Limited capabilities to capture cyber dependencies necessary for identifying systemic cyber risk and risk aggregation.

  • A soft cyber insurance market: Cyber underwriting methods are hard to reconcile due to insufficient historical data, fast evolving threats, and too much subjectivity in making assessments.

  • Limited cyber risk transparency across organizations: Supply chain cyber risk management is a big and growing challenge, and insufficient visibility is impacting cyber risk decisions.

  • New cyber risk challenges introduced by new emerging technologies: AI, quantum computing, cloud computing, and other innovations lead to evolving regulatory requirements and increased cyber risk uncertainty.

The CrowdStrike incident is an important demonstration of all of these market gaps. Below, we use the CrowdStrike event to present four fundamental questions that should be part of your regular cyber risk reviews. Not only were these questions not adequately addressed by CrowdStrike and other impacted parties, but the industry lacks the appropriate methods to properly address such questions.

Four Open Questions About Cyber Risk

1. What is the level of risk of a CrowdStrike content update? (Does it reduce or increase overall risk?)

CrowdStrike’s Falcon software is one of the leading cybersecurity solutions in the market. Content updates are CrowdStrike’s mechanism for rapidly upgrading all its endpoint deployments to reflect emerging patterns of new cyber threats. They are designed to improve overall protection.

Due to the rapid emergence of new cyber threats, CrowdStrike may issue multiple such content updates per day. Since the market introduction of the Falcon solution in June 2013, CrowdStrike has issued many thousands of content updates to its global customers, with almost no reported problems.

But the risk associated with a content update is never zero. There is always some likelihood that software bugs will be exposed and cause disruption or other adverse effects. Therefore, the risk associated with implementing a content update needs to be assessed relative to the risk(s) that are eliminated by the improved protections embedded in the update. Effective approaches for performing such systematic and quantifiable analysis are currently not available.

In its lawsuit filing against CrowdStrike, when referring to the content update, Delta made claims such as:

  • “By installing its exploit in Delta systems without Delta’s permission or knowledge, CrowdStrike obstructed, interrupted, and interfered with Delta’s use of its computer programs and computer networks.”

  • And, that as a result, “Delta suffered over $500 million in out-of-pocket losses from the Faulty Update, in addition to reputational harm and future revenue loss.”

No reference was made to the fact that thousands of such “exploits” (content changes) have been installed by CrowdStrike in Delta systems successfully since it became a customer in 2022. No reference was made to the overall business value that these “exploits” provided Delta over that period in the form of enhanced protection against potential cyber-attacks.

2. How should the risk of a CrowdStrike update be mitigated in an optimal manner? (Should it be applied immediately or delayed?)

The answer depends on the nature of the update and the nature of the target system (and its potential business impact). It requires a nuanced, systematic, and quantifiable balancing between the risk of adverse downstream business consequences due to a possible faulty update to that system (risk reduced as the delay is increased) and the business risk and escalation opportunities in case this system undergoes a cyber-attack without the added protection (risk grows as the delay is increased).

In its October 2024 lawsuit Delta claimed:

“When CrowdStrike deployed the Faulty Update, CrowdStrike even forced its updates onto customers who had automatic updates disabled, such as Delta. Delta had not enabled the automatic update setting, because Delta wanted to maintain the proper type of change management controls over how updates could affect its computer systems and networks.”

Indeed, CrowdStrike treated its content updates as zero-risk events. Following the 2024 incident, CrowdStrike recognized its risk management mistake and changed its deployment process for content updates to reflect the fact that they carry a level of risk which should be properly managed. Such improved transparency and customer control are clearly required. But the industry has struggled to determine what additional information should be provided and how customers can use it to make appropriate business-risk-aligned decisions.
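The balancing act described under question 2, and the per-system decision it calls for, as an added toy model (this is illustrative code written for this page, not the article's or CrowdStrike's method; every probability, rate and dollar figure is a constructed assumption): the expected loss from a faulty update falls as the installation delay grows, the expected loss from running unprotected rises with it, and the delay that minimises their sum differs by target system.

```python
import math
from dataclasses import dataclass


@dataclass
class UpdateRisk:
    """Constructed inputs for one target system and one pending content update."""
    p_faulty: float            # assumed prior probability that the update is faulty
    faulty_loss: float         # business loss ($) if a faulty update crashes this system
    fault_surface_rate: float  # per-hour rate at which a fault is noticed and withdrawn elsewhere
    attack_rate: float         # per-hour rate of the attacks this update protects against
    attack_loss: float         # business loss ($) of one successful attack on this system


def faulty_update_risk(r: UpdateRisk, delay_h: float) -> float:
    """Expected loss from installing a faulty update after waiting delay_h hours.
    Waiting lets faults surface on other fleets first, so this term decays with
    the delay (the article's "risk reduced as the delay is increased")."""
    return r.p_faulty * r.faulty_loss * math.exp(-r.fault_surface_rate * delay_h)


def unprotected_risk(r: UpdateRisk, delay_h: float) -> float:
    """Expected loss from lacking the update's protection during the delay window.
    The chance of at least one attack in the window grows with the delay
    (the article's "risk grows as the delay is increased")."""
    return r.attack_loss * (1.0 - math.exp(-r.attack_rate * delay_h))


def expected_loss(r: UpdateRisk, delay_h: float) -> float:
    return faulty_update_risk(r, delay_h) + unprotected_risk(r, delay_h)


def best_delay_hours(r: UpdateRisk, max_delay_h: int = 72) -> int:
    """Whole-hour delay that minimises the combined expected loss."""
    return min(range(max_delay_h + 1), key=lambda d: expected_loss(r, d))


# Constructed profiles: the same update, two systems with very different business impact.
FLIGHT_OPS_SERVER = UpdateRisk(p_faulty=0.001, faulty_loss=50_000_000,
                               fault_surface_rate=0.5, attack_rate=1e-4,
                               attack_loss=20_000_000)
OFFICE_WORKSTATION = UpdateRisk(p_faulty=0.001, faulty_loss=20_000,
                                fault_surface_rate=0.5, attack_rate=1e-4,
                                attack_loss=2_000_000)

if __name__ == "__main__":
    for name, r in (("flight-ops server", FLIGHT_OPS_SERVER),
                    ("office workstation", OFFICE_WORKSTATION)):
        d = best_delay_hours(r)
        print(f"{name}: apply after {d} h, expected loss ${expected_loss(r, d):,.0f}")
```

With these inputs the high-impact server is best served by holding the update for a few hours while the low-impact workstation should take it immediately; the point is that the answer depends on the system, which is why per-update risk attributes from the vendor matter.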

3. How to ensure an optimal level of business resiliency when a content update is faulty?

This question requires a subtle, systematic risk management analysis that captures all the various cyber dependencies involved. The industry is missing effective methods for systematic reasoning, and much of the current discussion is vague and ambiguous. For example, in its lawsuit Delta claims that CrowdStrike knew that its actions could harm Delta, its computers, its computer networks, and computer programs. But even the highest-quality development processes, testing, and certification may occasionally result in some form of faulty output.

Delta provided no specific details in its lawsuit on its infrastructure’s resiliency set-up beyond some very general statements such as, “As part of its IT-planning and infrastructure, Delta has invested billions of dollars in licensing and building some of the best technology solutions in the airline industry” or “Delta is known for its customer service, reliability, and operational efficiency.”

On the other hand, CrowdStrike and Microsoft have made general, controversial claims suggesting that Delta may have had an inferior resiliency set-up compared to other leading airlines, resulting in a longer time to recover following the incident: “Our preliminary review suggests that Delta, unlike its competitors, apparently has not modernized its IT infrastructure, either for the benefit of its customers or for its pilots and flight attendants,” according to CrowdStrike’s lawsuit.

No specific details are provided, but such cyber resiliency analysis and comparison needs to be performed in a systematic and rigorous manner to ensure credible conclusions and apples-to-apples comparisons. Furthermore, both Microsoft and CrowdStrike made some unusual resiliency-related statements, indicating that in response to the incident their respective CEOs tried to contact Delta’s CEO to offer recovery assistance.

CrowdStrike claimed that CEO George Kurtz reached out to Delta CEO Ed Bastian to “offer onsite assistance but received no response.” Similarly, Microsoft claimed that it “immediately offered to assist Delta at no charge and that its CEO Satya Nadella emailed Bastian, but never got a reply.”

While commendable, it is not at all clear how valuable CEO-level interactions are after automatic resiliency and recovery processes should have been triggered (or indeed whether Delta’s CEO even had access to his email system at that point, or whether it was down due to CrowdStrike’s faulty update).

4. How can we ensure accountability for losses?

CrowdStrike quickly took responsibility for its faulty update and apologized to the market. With respect to its financial liability in particular disputes such as the one with Delta, CrowdStrike indicated that “its contractual liability is capped in the single-digit millions,” implying that it is not liable for most of the financial losses which are due to ineffective cyber-resilience measures by its customers.

While such specific disputes will be resolved in the pending lawsuits, we note that cyber information flow boundaries and accountability implications are generally ill-defined and often ambiguous. Furthermore, there are cyber dependencies on multiple third parties that introduce additional accountability questions. Consider for example Microsoft’s role in the dispute between Delta and CrowdStrike. What is the precise relationship between Microsoft’s commitment to test and certify all Windows kernel-access software and CrowdStrike’s faulty update?

Delta indicated that it “has reason to believe Microsoft has failed to comply with contractual requirements and otherwise acted in a grossly negligent, indeed wilful, manner in connection with the Faulty Update.” Microsoft suggested that Delta’s ineffective cyber recovery may have been due to its reliance in various ways on infrastructure providers such as IBM and Amazon. Clearly, deriving cyber risk accountability conclusions in a systematic and credible manner among respective parties requires effective analysis frameworks that don’t yet exist.

The Road Ahead: Explainable Cyber Risk Management

Although the CrowdStrike incident was not an actual cyberattack, there are many common characteristics and important lessons for all organizations related to such digital risk scenarios — whether accidental or deliberate.

Organizations should develop adequate capabilities to perform the following:

  • Determine the “what-if” potential downstream business impact (direct and escalated) of a cyber event at any supply-chain partner (cyber compromises or errors). Delta and many other organizations may not have considered a priori important potential risk scenarios such as faulty CrowdStrike updates and their potential implications.

  • Establish appropriate cyber resiliency business objectives and processes for any impactful cyber event at a supply-chain partner. The wide variations in recovery times and business losses in the CrowdStrike incident imply that multiple organizations did not have adequate cyber resiliency measures in place for such scenarios.

  • Assess continuously the likelihood levels and inter-dependence of cyber events (internal and external) and make timely adjustments when required. CrowdStrike allegedly did not properly assess the likelihood of potential faults in its content update processes, and consequently could not take appropriate corrective actions in time.

  • Ensure effective communication (internally and externally) to provide adequate transparency as a basis for appropriate cyber risk management decisions. CrowdStrike’s after-the-fact move to enable customers’ control on when to apply content updates is a step in the right direction. But additional information on the digital risk attributes of each update needs to be shared as well, to enable customers to make optimal decisions in each case.

  • Specify well-defined accountability boundaries between relevant parties related to potential cyber risk scenarios and their business implications. The CrowdStrike incident highlights significant ambiguities and inconsistencies among counterparties regarding respective cyber risk related commitments and expectations.

Most current cyber solutions in organizations focus on specific local targets but fall short of providing end-to-end cyber risk insights in a systematic, credible, and justifiable manner. A new paradigm of explainable cyber risk management is required. It must enable end-to-end scenario-based cyber risk analysis insights and maps between cyber events and business outcomes. For example, with respect to incidents such as CrowdStrike, a new approach would enable systematically assessing the business outcome scenarios of potentially faulty updates, and balancing mitigation processes and recovery processes accordingly, in a systematic and cyber-risk optimized manner.

Overall, we need better methods to develop higher levels of trust between users and service providers. Occasional unintentional technology failures are inevitable. Malicious cyberattacks will continue to grow in scale, scope, and impact with the increased global reliance on emerging digital technologies. Much more effective cyber risk management approaches are therefore urgently needed — and they must be transparent, structured, justifiable, and agile.

Copyright 2025 Harvard Business School Publishing Corporation. Distributed by The New York Times Syndicate.


Raphael Yahalom

Raphael Yahalom is a cybersecurity expert, an affiliated researcher at MIT Sloan School of Management, and a cyber risk strategic advisor.
