Motley Fool Money - :( Your PC Ran Into a Problem
Episode Date: July 22, 2024

CrowdStrike’s update caused problems and blue screens of death for mission-critical operations across the economy. What does it mean for the cybersecurity company and the access tech providers will have going forward?

(00:21) Tim Beyers and Dylan Lewis discuss:
- The details of the global IT outage over the weekend and CrowdStrike’s response.
- CrowdStrike’s unique root access and whether vendors will continue to be allowed such deep access to customer Windows systems.
- Whether CrowdStrike is worth buying on the sell-off, or if management has something to prove first.

(17:16) President and COO of Kinsale Capital Brian Haney talks Bill Mann through how retail investors can judge financial companies and why insurers have such a tough time in states like Florida.

Companies discussed: CRWD, MSFT, KNSL

Our conversation with Brian Haney was from FoolFest 2024 – members can catch the full interview and everything from our FoolFest digital pass at foolfest.fool.com.

Host: Dylan Lewis
Guests: Tim Beyers, Bill Mann, Brian Haney
Producer: Ricky Mulvey
Engineer: Tim Sparks
Transcript
You get a blue screen of death, and you get a blue screen of death.
Motley Fool Money starts now.
I'm Dylan Lewis, and I'm joined over the airwaves by Motley Fool analyst Tim Beyers.
Tim, thanks for joining me.
Thanks, Dylan.
That's rough, man.
Nobody wants a blue screen of death.
Nobody wants them.
Nobody wants it.
And yet, blue screens of death everywhere over the last couple days.
That is going to be the theme of today's show.
Catastrophes of every kind.
We are checking in on the largest IT outage. We're also going to be getting a little bit of commentary on the insurance industry and how they handle catastrophes on today's show. Let's start with the unavoidable one here, Tim.
The largest worldwide IT outage hit Friday. Went well into the weekend. Some airlines and I think some other businesses still dealing with issues on Monday. We know that the issue was CrowdStrike. We knew that on Friday, still piecing information together. But we have a little bit of a better grip on things now. I think to kick us off, can you walk through what has happened?
Yeah. So, this was, I mean, it's, unfortunately, this was a software update that was a bad update. To put it, I mean, if we're going to be blunt about it, that's what happened. And CrowdStrike is in a boatload of devices around the world, but it only affected Windows devices. So, this is from the CrowdStrike technical blog. This was July 19th at about 4:09, and that is UTC, and I think that was like noontime, Eastern or something like that.
I'm sorry, midnight, not noontime.
So it was a what CrowdStrike calls a sensor configuration update,
and this was to Windows systems,
and sensor configurations are part of how CrowdStrike collects data for Falcon.
It triggered what's called a logic error,
and that ended up crashing Windows systems,
and everybody got the blue screen of death here.
So this was a file. It was called Channel File 291, and it controls how the CrowdStrike Falcon security platform. So again, what CrowdStrike Falcon does, at its most basic, this endpoint protection device, there on every device that is protected, there's a little bit of CrowdStrike software.
And so this software, this file, this channel file, is pushed to that software that exists, in this
case on a Windows device. And that Falcon software evaluates things like, you know, certain threats.
And in this particular case, there was a threat that was after what's called, you know, named pipes and
named pipe execution on Windows systems. And they were looking at a, you know, trying to update for
malicious targeting of these, this particular part of the Windows systems, and it just went horribly, horribly wrong, Dylan.
So this logic error does appear to be, this is the way Tim White described it to me, is that if it's a logic error, it probably overflowed some memory and caused the OS to just be unable to continue loading.
So in other words, in comes some instructions.
And the OS said like, whoa, whoa, whoa, hey, that's too much.
Hang on here.
And it just caused a blue screen of death doom loop that caused the OS to say like, hey, you got to restart and then you restart.
And now you have the same problem.
And so, like, nothing is happening here.
You just have a continual loop of doom here until you remove that particular file.
CrowdStrike has taken steps to show people how to get that file out and fix the problem.
But yeah, it's caused a huge amount of headaches here, Dylan.
The dreaded blue screen of death did show up in a few places. Probably not a welcome sign
for some of the weary airline travelers. It did show up in some critical systems like
health care and banking, in addition to airlines. You mentioned the CrowdStrike blog post.
We did get some commentary on this from management at Microsoft. And according to them,
the update affected 8.5 million Windows devices, which sounds like a lot, but they estimate that that was less than 1% of Windows machines.
So as bad as this was, it actually could have been quite a bit worse.
For sure.
I mean, but that's still a lot of machines, and those machines were working in critical operations for healthcare, airlines, transportation.
So the scale of the outage in terms of the systems that it impacted.
So we could agree, like, yeah, okay, maybe not as many machines as it could have been, but the machines it did hit were mission critical machines at really awful times and caused a huge amount of headache for a lot of people.
So that's a real problem here.
And I think we need to get at the issue, which is CrowdStrike as a security provider.
What CrowdStrike ultimately sells, yes, it's software.
But what CrowdStrike sells, ultimately, Dylan, is trust.
You can trust us to watch out in the environment for all the things that could harm your systems,
harm your network, harm your devices.
Trust us to do that.
We are going to live at the root of your machines.
In other words, in this case, the reason that CrowdStrike was so devastating is that it ties into, with the machines that were affected, the Windows kernel.
In other words, the very root of the machine.
So it gets access to the deepest parts of the machine.
So when things go wrong, they go wrong with the, not just with the isolated part of the CrowdStrike software.
And you just have to restart that software.
You have to restart the whole machine because it's tied into the kernel.
It's tied into the root.
So it's like as if you, you know, sure, you chop off a branch on a tree that I'm sure the tree is not going to like that very much.
But it doesn't kill the tree.
But if you are getting it at the roots, if you are injecting, you know, like pesticides into the root, yeah, that's a problem.
And that's kind of the analogy here.
Given the scale of this issue and how public it was for a company that tends to operate in the background and deliver something that most users, consumers aren't even aware is happening. What did you think of how CrowdStrike and CEO George Kurtz handled this?
I think it was okay. I don't think it was exceptional. I think he has much more work to do.
The one thing you cannot do in a situation like this is minimize. I don't think he was trying
to minimize, but what he said was essentially that, hey, we responded to this really quickly.
you know what, 80 minutes worth of response, which is roughly where they were.
I mean, technically, yeah, that's reasonably fast.
But for people that are still dealing with this or were dealing with it, like the airlines
have still not caught up.
So, you know, tell them you dealt with it fast.
He did apologize.
He did put it out on, you know, on the CrowdStrike website, which is good, but I think we're only starting to see what CrowdStrike needs to do to make this right.
I will argue that CrowdStrike, the initial response was, okay, I'm neither going to ding them too harshly,
nor give them too much credit, because I think we have only started to see what CrowdStrike has to do to heal some of these relationships.
How many are going to do what Elon Musk did, which is, and this may be typical Musk bluster,
or it may be real.
I'm going to take him at his word.
He said, we just uninstalled it everywhere.
We just got rid of it.
And how many other companies are going to do that?
I don't know, Dylan, but that is going to be an account by account process.
And that is, that's real.
That's going to be something that we're going to have to watch.
I want to have you help me figure out where exactly we should be on the reaction meter for this.
Because I know you're someone who's followed the company for a while.
There are a lot of listeners who own the stock and have been following the business for a while.
We see things like this blow up with companies sometimes, and it winds up being something that several months from now,
the world has largely forgotten or moved on from aside from the people that are really in that industry.
We also see some of these things manifest into really thesis-altering or long-term reputational risk issues for a business.
Where do you see it on that spectrum, Tim?
I think there's a little bit of both.
I mean, I feel bad because I want to tell you that this is a rich buying opportunity for CrowdStrike.
I think it's too early to say that, Dylan.
I think we are... So the overreaction here is that this is the end of CrowdStrike. I don't think that's true. I think these sorts of mistakes do happen.
And the best thing you can do in a situation like this is do your best to repair it.
And then you go over and you go above and beyond what the customer expects to try to repair this and regain trust.
CrowdStrike can do that. So I think it's worth it to give them some time to do that.
On the other hand, I am not going to pretend that this is small and it's the same as, you know, just your average hack.
I don't think that's right.
What has been, what was revealed here is that CrowdStrike has a very special place inside of devices, where if you compromise CrowdStrike, you may be compromising things that are much bigger and much deeper and fundamental to your business. So it raises a big question, do I trust CrowdStrike with that
much access? And if not, then that will have a material impact on the business, Dylan. That's the
thing that I think is fundamental here. So like in the case of, for example, where this is
fundamentally different, fundamentally different from what we recently saw at Snowflake,
right? Snowflake has had some recent attacks where things were breaches. This was not a breach. This was a mistake,
but the net effect is there's some things that just have not gone right. In this case, a lot of systems
went down. In the case of Snowflake, they did not teach their customers early on or enforce
multi-factor authentication. In other words, making your system a little bit more secure. So some bad people
got in and took information that was valuable.
They didn't do enough to protect themselves,
and Snowflake didn't do enough to protect those customers.
Now, is that a fundamental flaw?
And does that speak to how fundamental Snowflake is and should you trust them?
I don't think those same questions are being asked about Snowflake as they are about CrowdStrike.
So, I'm not willing to give up on CrowdStrike here, but I think you need to be honest and say, this is going to raise questions.
The market's certainly raising some questions with shares of CrowdStrike.
I think they're down over 20 percent since the incident was reported.
I think about 15 percent on Friday, and then down, I think, again, double digits.
Today, granted, the company had been at all-time highs prior to that.
So, knowing or taking your last answer there and into consideration, what would you want to see from CrowdStrike over the next couple months, quarters, to feel like this is a buying opportunity?
And this is a business that took a hit, but is still worth having money in.
Well, I mean, this is a company that is capable of generating quite a lot of cash and has had a pretty solid balance sheet.
So if that's true, if CrowdStrike does have a decent balance sheet and it does have the ability to generate a fair amount of cash flow, all right, let's see it.
How are you going to use that?
Right now, I show on the balance sheet today, I'm just looking at the current assets.
They have, what, $3.5 billion in cash and equivalents?
How about taking 10% of that right now and saying, we're setting up a fund to support any remediation that has financial consequences for our customers because we care about making this right?
Now, will the lawyers tell them to do that? No, they will not because once you do that and you start telling lawyers that there's money to be had, they'll go chasing it.
But from the goodwill that you are trying to generate, I think that's a thing that I would like to see.
It doesn't have to be that specifically, but some way to demonstrate that you're being proactive to set up some additional thing that didn't exist before where you recognize the damage that has been done.
And you're going to do something about it at no cost to the customer to try to make this better.
I think another thing I'd like to see is are there options that CrowdStrike could pursue to work with Windows machines differently than they do right now
that might create a level of confidence that, yes, I can install CrowdStrike in my Windows environment
and be okay, that, you know, I'm not going to be subject to the same level of potential problem
if something like this happens again.
So, for example, I don't know this is true to the same degree that I think it might be true, but, you know, one of the reasons the Apple machines, I think this is true here,
the Apple machines were not affected, is that Apple does not give you root access.
Apple doesn't give you root access to its devices.
And Windows does.
Now, what Microsoft has said in its own statement is that they are required to give root level
access to some third-party providers as a consequence of their dealings with the EU.
So take that for what you will.
But that doesn't prevent CrowdStrike from saying, hey, you know what?
We can make a better version of the Windows software that we have, the Windows version of Falcon.
And maybe we don't need to do root access.
Maybe we can do this in a better way that makes customers feel safer, more confident.
But things like that, Dylan, where we recognized this was a problem that had serious consequences for our customers.
Here's what we're doing about it.
And number two, hey, we are evaluating how we execute our software in a Windows environment
to make this better, safer, more performant.
We have new QA process, quality and assurance processes that we are instituting.
All of these things can help a customer say like, okay, I get that you take this seriously.
From your lips to CrowdStrike management's ears, I hope it happens, Tim. Thank you for joining me today.
Thanks, Dylan.
Coming up, what's an insurance company supposed to do in a state that has the most exposure
to natural catastrophes? Brian Haney is the president and CEO of Kinsale Capital, a specialty insurance
company. Haney joined Bill Mann on stage at Fool Fest 2024 last week. We're going to play
some cuts of that conversation about how retail investors can judge financial companies and the
trouble insurance providers have in Florida.
One of the most common objections that we have from our investors is that they don't really understand financial companies, that it's a different type
of investing. And insurance firms, I definitely are part of the financial industry. So, I'm
not sure of what the proper way to describe. It's not so much that it's not understandable, but
I think it's difficult for investors to figure out what characteristics make for a really good
financial company as compared to an unsuccessful one.
Would you all agree that maybe that's true?
Right?
Like, understanding a bank, you know,
here's your money, I get my money back.
That's not hard.
It's like what makes a good bank,
what makes a good insurance company.
So since from that clip,
you were a $900 million market cap company,
and now you're a $9 billion market cap company.
I figure you may know something about what it takes
to be a good financial company
or a good insurance company.
And so what I thought I'd do is just give a basic definition of insurance, which you can disagree with.
It's fine.
And then we can work our way up and we can talk about what makes for a good insurance company.
So the definition that I wrote down is that insurance is one party that is unable or unwilling to bear the loss of an event entrusting that risk to the balance sheet of another party for a fee.
That's fair.
Yeah.
Sound about good?
Yeah.
So another way to look at it.
if we want to get mathing, would be, you think about the outcome of your house,
let's say you have a house in Florida, which I'm guessing at least one person here does.
The outcome of your house in Florida is kind of binary, for the most part.
It's like it's either there at the end of the season or it's not.
That's a pretty wide distribution, and the not part of that distribution is a very bad outcome
that you would rather not have to deal with.
But when you take a bunch of those independent, random variables and add them all together through the process called the law of large numbers, you start to get a very predictable curve.
And so the insurance company is basically pooling all the risks to get a more predictable outcome and then
distributing the cost to everybody else. It also serves a very valuable purpose, which is a price signal.
So the risk that you take by owning a house in Florida or by owning a house in wildfire exposed parts of California,
in a properly functioning economy and market, you would bear the cost of that, and that's,
insurance helps you do that. The less exposed houses in Florida pay less than the more exposed,
right? So it serves a valuable social function. If you want to think of it this way, this is another way,
and it's kind of a socially valuable form of gambling. And so the way the gamble kind of works is this.
you are going to gamble your premium, and we are going to gamble our surplus.
And so you put your premium in the middle of the pot, and we put our surplus in the pot,
and then we roll the dice and see what happens.
Now, it's a hedge, so it really isn't speculation.
But effectively, if you're the insurance company, you make money if you took in more premium
than you paid out in losses and expenses.
But there's a thing, and then Warren Buffett likes to talk about this, called the float, which is the payout when we lose to you actually takes place over a number of years.
And so we invest money while that process is unfolding. So we get the underwriting profit or loss,
and we also get the investing on the float. Basically, if I can restate, you're taking somebody else's
potential catastrophe and you're turning it into your ordinary course of business by virtue of your having a balance sheet that's big enough to withstand their loss, the loss of a house.
Yes, that's very fair.
Yeah.
Let's talk about that balance sheet a little bit because it is the core of what a pooled product like an insurance, you know, an insurance scheme is.
Is there anything differentiating between Kinsale's balance sheet and other insurance companies' balance sheets?
I would say yes.
I'm going to have to back up and explain at a high level
what a property casualty company like ours balance sheet looks like.
It's actually really simple.
On the asset side, you have cash and invested assets.
Because of certain regulatory requirements,
most insurance companies have most of their assets in fixed income.
And then some percentage would be in equities.
But that's basically you're limited to a pretty vanilla portfolio. So, cash and invested assets. And then on the liability side, you have
the reserves, which is the losses that you've incurred that you're going to have to pay out,
but you haven't paid out yet. That's really it. And so there's not much differentiating. We own bonds and stocks, and we have our own strategy, and Markel has their own strategy,
and every company has their own strategy. There's not that much differentiation. We look at the
yields, portfolio yields are not that much different. There is significant variability in the
believability of that loss reserve number because that loss reserve number is an estimate.
You don't know that number. So some companies are very good at putting a number up that is
more likely to turn into a lower number than turn into a higher number. So that's a process called
reserve development. If your loss reserves come down over time, that's favorable development,
which means you're showing income, you've basically delayed income, delayed gratification.
And the opposite of that is adverse development where you have to admit past sins.
So you, hey, remember all that money we said we made last year?
Well, we made a little less, and we had to true it up.
So I would say, if you're an investor, like the one thing I would pay attention to in your shoes would be,
does the management team have a track record of having believable reserves that have the tendency to develop downward every time.
So you would prefer to see, I mean, I guess logically, this makes that you would much rather
see a beneficial adjustment than an adverse one.
Yes, because the costs to us.
See, it's not that hard?
Bad things are bad, Brian.
Thank you very much.
Well, it's like, we all have this, like, loss-aversion bias going on where, like, bad
things happening, you view worse than good things you view well. And so if you're a company
and you have adverse development, a bunch of bad things happen, one is investors start to not
believe you. And so your stock price will plummet. Regulators start to scrutinize you a little bit
more because they start not believing your numbers. And then you actually get hit in the capital
formulation. So your actual historical reserve development forms part of your, you know,
your capital charge. So if you have a track record of adverse development, you are going to have
to have more money because they just don't believe your numbers. One thing that I know that a lot of
people are very sensitive to throughout the insurance industry is exactly what you're talking about,
the cost element. So when you see a state like Florida that has spiraling home insurance
costs and insurers pulling out of the state at the same time,
What part of the incentive structure or the structure of the state itself is broken?
There's a few answers.
Let me start by saying Florida hurricane exposure is by far the world's largest exposure to natural catastrophe.
So if you look at like five of the 10 costliest insured events in human history were in the last seven years in Florida. And I think two of the other ones were hurricanes that were Atlantic Basin.
So seven of the top ten, worst financial, natural catastrophes.
So that's real. It's real.
Structurally, there was a lot of, this actually goes back to when the Fed was printing money
for that long stretch of time after the Great Recession. It forced people looking for yield,
asset managers looking for yield, to go into alternative exotic investments, and they latched on to
alternative reinsurance and insurance investments. So insurance-linked securities, catastrophe bonds.
I want to put a definition. So reinsurance. Reinsurance is insurance of an insurance company.
So the insurers go get reinsurance. So the level that they pay out starts, you know,
say, $250 million or whatever. Yeah. And so a reinsurer effectively operates as an insurance, so it's the exact same process, but there's alternative vehicles through which you can achieve the same thing as reinsurance,
and one is catastrophe bonds, which is just effectively a bet in the form of a bond that a hurricane won't happen.
So if a bad hurricane happens, you lose all your money.
If it doesn't, you gain your yield, you know, a risk margin plus a risk-free yield.
Oh, anyway.
So the particular money led to asset managers getting into the insurance space indirectly, it drove down everybody's prices.
So, if you have a house in Florida, what was probably not obvious to you was you were never paying an actuarially fair amount because there were these hidden subsidies everywhere.
Now, that spigot has stopped or largely stopped.
So you don't have that.
Then you had the pandemic and the inflation spike, and so you had a massive run up.
And I mean, it was really massive run-up in costs.
And then now you have regulators doing what regulators usually do, which is try to lower costs by just mandating lower cost.
And it always operates, it's economics 101.
It functions exactly the way it should.
Regulator comes in and says, you can't charge more than this.
And then everybody else creates scarcity by pulling back or out.
In Florida itself, I mean, does it have to do with the fact that there's no
real way to lay off your risk within Florida, with so much of the value of the land being within
five miles of a coastline? I don't think it's that necessarily so much as if you are the peak area
for world catastrophe, there's no... Congratulations, I guess. This is your reward. If you write
catastrophe anywhere else, if you write Japan quake or you write European flood, you can diversify away,
and that tends to work because there is enough of the other stuff.
So you can always diversify to Florida Wind.
If you're writing Florida Wind, it's like its capacity is this
and the next are all so far below it,
that it's like just for putting up that capacity,
you're going to get kind of what's called a peak charge
where it's like the capital providers don't have to provide capital
to reinsurance or insurance in your state, and they're going to charge you for it.
So I think really what it is is Florida is a large state that's right in,
the whole state is catastrophe.
It looks like a runway.
And there's just a lot of economic values there.
So like that property market is gigantic and so.
By the way, I want to make sure that anybody who is from Florida,
we're not laughing at Florida.
It's just, you know, it is such a, it's such a unique situation, and, you know, but you're right, there's so much value to insure there.
Yeah, and I feel, well, I feel bad for people to have property in Florida for this reason.
You probably bought the property assuming your carrying costs were X,
but your carrying costs were subsidized, and then all of a sudden the subsidy goes away.
And you had inflation, and now a sudden the carrying costs are three times,
and you're like, well, you still own the house.
Listeners, if you're a U.S. Motley Fool Premium member,
you can access all FoolFest content at FoolFest.
We'll put a link in the show notes so you can find it there as well.
While we were on site at Fool Fest in DC last week, we caught up with Motley Fool members
about why they love investing and why they love the Fool.
Here's Jason, a longtime member on why he's a fan.
Well, it's given me financial freedom and optionality in life.
It has made me a better business person in my career and a better investor along the way.
It's allowed me to learn.
And I think with the Motley Fool, it's allowed me to meet some of the finest people I've ever had the pleasure of meeting.
And listeners, we're always looking for fun ways to get your voices on the show.
You can shoot us an email with a voice recording at Podcasts at Fool.com.
That's Podcasts with an S at Fool.com.
Or you can call our hotline, 703-254-1445.
That's 703-254-1445.
And leave us a voicemail.
You might wind up on the show.
As always, people on the program may own stocks mentioned, and The Motley Fool may have formal
recommendations for or against.
So, don't buy or sell anything based solely on what you hear.
I'm Dylan Lewis.
Thank you for listening.
We'll be back tomorrow.
