Massive airline interruptions, blue screens of death in Times Square, and widespread service outages at businesses—the glitch from enterprise security firm CrowdStrike that crashed countless millions of machines beginning on July 19 has likely run up a staggering bill in direct and indirect costs.
But while CrowdStrike identified the root cause as a bug in a quality control system within hours—and it claims the vast majority of client machines are now back online—the timeline for settling who pays for damages is likely to run to months or years.
A hazy timeline
Taz Koujalgi, a managing director of equity research at Wedbush Securities who specializes in the enterprise software sector, told IT Brew the outage was “way wider than anything we have seen,” with total losses, though unknown exactly, in the billions of dollars.
“I don’t think anyone has a good answer on the number, and who’s going to pay for that number,” Koujalgi said.
Software companies usually include language limiting liability in licensing agreements. Several law firms reportedly are already exploring filing class actions—and Delta Air Lines appears to be considering its own suit—but class actions typically take years to resolve, according to ClassAction.org.
“Software companies and anyone who provides critical technology services—they do a fantastic job of limiting their liability,” Ryan Griffin, a partner at specialist insurance brokerage McGill and Partners’s US financial lines and special risk team, told IT Brew.
According to Koujalgi, the first clear indicator of whether or not CrowdStrike expects to pay a considerable amount in damages may be its upcoming Q2 2025 financial report on August 28, as execs will likely “adjust the cash flow guidance to account for the damage they have to pay.”
“We are aware of the reporting, but have no knowledge of a lawsuit and have no further comment,” Kevin Benacci, CrowdStrike’s senior director of corporate communications, wrote in a statement sent to IT Brew. “CrowdStrike’s top priority continues to be on our customers.”
No payday today
Most policies that might cover the CrowdStrike outage fall into categories like cyber liability, business interruption, or errors and omissions. However, insurers typically attempt to collect against whoever underwrote the party that triggered an event, and CrowdStrike’s insurance is “all the same risk pool for the purposes of this event,” Griffin said.
Precedent for errors and omissions coverage in the software industry typically relates to failed technology implementation projects, and “insurance companies historically underwrote cybersecurity posture, not IT resiliency,” according to Griffin. He expects insurers to re-evaluate the degree of scrutiny they apply to IT processes.
Because the vast majority of affected customers have restored operations, Griffin estimated total insurable losses at half a billion to 1.2 billion dollars (a “near miss” at a catastrophic event). On July 24, Fitch Ratings projected there will be no more than $10 billion in such losses.
Only some insurance products pay out quickly, Griffin cautioned.
“It’s a negotiation with your insurance company,” Griffin said. “They don’t just take your word for it that—‘Hey, you showed me some accounting statements.’”
Stuck with CrowdStrike
Wedbush technology analyst Dan Ives told CNN the firm expects less than 5% of CrowdStrike’s current customers to leave, citing the brand’s entrenched status in the enterprise market and the additional costs of a software migration. While CrowdStrike stock has plummeted, MarketWatch reported analysts have largely described the upside for competitors as being limited.
“Remember, when a company buys a software product, they’ve spent years testing it, they’ve spent years selecting it, they’ve spent a lot of time deploying it, they’ve spent a lot of time training their people,” Koujalgi said. He suggested dissatisfied CrowdStrike customers might instead limit future purchases or diversify their cybersecurity vendors.
“There’s only so many good products out there that large organizations can and want to use,” Griffin said. “They’re not going to try to blow up that relationship over what looked to be an error…in all likelihood, you’re going to just see a lot of CrowdStrike trying to settle.”