A US federal judge dismissed a lawsuit brought by shareholders of CrowdStrike who claimed the company misled investors about software testing and quality controls before a July 2024 outage disabled more than 8 mn Microsoft Windows-based computers worldwide. CrowdStrike is an American cybersecurity company known for its cloud-native platform that protects corporate and government networks against hacking, ransomware, and data breaches.
Robert Pitman, a US district judge in Austin, said the shareholders failed to plausibly show that statements made by CrowdStrike or its senior executives were materially false or misleading, or driven by an intent to defraud.
The challenged statements appeared in regulatory filings, earnings calls, and on the company’s website.
The suit was led by Thomas DiNapoli, who alleged CrowdStrike concealed weak testing and quality assurance practices. The complaint cited former employees who claimed the company lacked test plans and a formal QA team, and said executives prioritised speed to market over safeguards to maximise profit.
Pitman acknowledged that two statements tied to compliance with federal security requirements, including those set by the Department of Defense, raised questions. Even so, he said the plaintiffs failed to plead a strong inference of fraudulent intent for either individual executives or the company.
DiNapoli oversees the $291.4 bn New York State Common Retirement Fund, among the largest public pension funds in the US.
The judge said the comptroller may attempt to amend the complaint. A spokesperson for DiNapoli said the ruling is under review.
CrowdStrike’s chief legal officer, Cathleen Anderson, said the company welcomed the court’s decision.
The case stems from a flawed update to CrowdStrike’s Falcon software on July 19, 2024, which triggered widespread system crashes affecting airlines, banks, hospitals, and emergency services.
CrowdStrike’s shares fell 32% over the following 11 days, erasing about $25 bn in market value as the scale of the disruption became clear.
Delta Air Lines said it was among the hardest-hit companies, estimating losses of roughly $500 mn after cancelling more than 7,000 flights. Delta separately sued CrowdStrike, and a Georgia state judge ruled last May that most of that case could proceed.
Judge Pitman previously dismissed a related lawsuit brought by airline passengers last June. Those plaintiffs have appealed to the federal appeals court in New Orleans.
According to Beinsure analysts, the ruling highlights the high bar shareholders face when linking operational failures to securities fraud, even after large-scale outages with clear financial fallout.
Insured losses from the CrowdStrike incident could exceed $1 bn in the cyber insurance market, though the total may be reduced to half since it wasn’t a cyberattack, according to a Guy Carpenter report.
Guy Carpenter estimated that the July 19 event, triggered by a security software update, could result in insured losses ranging from $300 mn to $1 bn.
The total losses will be lower due to the accidental nature of the global outages. System failures lack many of the costs associated with malicious attacks, such as forensic experts, breach counsel, data restoration, and extortion expenses.
CyberCube estimated that insured losses from the CrowdStrike event could reach $1.5 bn. CyberCube projected a lower-end loss of $400 mn, noting that this could be the largest single insured loss event in the history of the affirmative cyber insurance industry over the past two decades.
Cyber insurers are evaluating the event’s implications but continue to offer clients consistent coverage.
Guy Carpenter’s report suggests that this event won’t lead to significant losses for most insurers, although this could change based on policy language, the concentration of underwriting in affected industries, and the adoption of System Failure coverage.
Insurers are preparing for a surge in claims notifications from clients affected by the technology outages. These notifications will likely focus on business interruption and dependent business interruption claims, according to Acrisure.
The global issue, originating from a cybersecurity update by CrowdStrike, caused computers to crash on July 19, with widespread economic consequences. Aon estimated that 8.5 million Windows devices were impacted.
Parametrix estimates the direct financial loss for US Fortune 500 companies (excluding Microsoft) from the CrowdStrike outage at $5.4 bn.
Fortune 500 healthcare companies face the largest loss at $1.938 bn, followed by banking at $1.149 bn. The six Fortune 500 airlines may see approximately $860 mn in losses.
Cyber insurance policies cover only 10% to 20% of these losses. The average loss per Fortune 500 company is $44 mn, ranging from $6 mn (manufacturing) to $143 mn (airlines).
CyberCube estimated insured losses could be as low as $400 mn. The July 19 outages might be the largest insured loss event in the affirmative cyber insurance industry over the past 20 years.
The issue started with a faulty CrowdStrike Falcon Sensor update, causing widespread outages. The $400 mn to $1.5 bn loss range would impact global cyber premiums of $15 bn by about 3-10%.
The event corresponds to a 1-in-2-year to 1-in-6-year industry loss return period, based on CyberCube’s catastrophe model and industry exposure database. The model shows potential scenarios with loss ratios up to 234% in extreme cases and 1-in-200-year return periods.









