After being the cause of one of the biggest computer outages in recent years which also impacted airline companies worldwide, CrowdStrike Holdings’ (NASDAQ:NASDAQ:CRWD) has dropped abruptly as charted below, and was trading around $240 at the time of writing. However, the stock is still up by more than 80% after my March 2023 thesis when I had emphasized its pioneering status in endpoint security delivered through the cloud but had a hold position due to economic uncertainty.
Uncertainty is back as seen by the volatility engulfing the tech-heavy Invesco QQQ Trust ETF (QQQ) for the past five weeks, but this time I am bullish as this stock has been punished too hard while its ability to generate FCF seems to be ignored by market participants. For this purpose, this thesis aims to differentiate between the cybersecurity product itself which remains strong, and the security update process which was to blame for the incident, without forgetting to highlight Microsoft’s (NASDAQ:MSFT) Windows “perceived vulnerability”.
I start by valuing the potential damages CrowdStrike’s Falcon security software update caused to about 8.5 million devices running on Windows worldwide.
Getting a Realistic Sense of Damages By Also Highlighting Microsoft’s Role
First, so many companies around the globe being impacted indirectly showcases the popularity of CrowdStrike’s Falcon as a trusted tool to safeguard thousands of organization’s data and help them adhere to the strictest security and regulatory mandates. This aspect of Falcon’s reputation remains untainted as the problem was not caused by a successful cyberattack as I detail later.
Still, for many of those impacted, it added millions of dollars of consultancy man-hours to their corporate IT budgets to make sure their applications were back online and total damages could amount to around $1 billion according to the Anderson Economic Group which specializes in estimating the economic cost of such business disruptions.
However, on balance, software companies normally tend to insert legal protection terms, like restraining the liability to the contract value or putting clauses like for example customers being responsible for testing software updates before these are installed on live systems. To this end, in response to a litigation threat by Delta Airlines (DAL) which was impacted, CrowdStrike’s external lawyer Michael Carlinsky mentioned that liability is capped at an amount in the single-digit millions.
This does not appear much, and, equally important, the airline plans to seek damages both from CrowdStrike and Microsoft which points to blame sharing.
In this case, while CrowdStrike is certainly to blame for the security updating process, I believe one cannot exonerate Microsoft from all responsibility because it could have ensured that these updates were validated as part of its business continuity plan to ensure the resiliency of its Windows OS (operating system). In this connection, a somewhat similar issue occurred some 14 years earlier when a faulty security update from cybersecurity company McAfee misidentified one of the Windows critical system files as a virus, leading to users again facing the infamous Blue Screen of Death (BSOD).
Along the same lines, the software giant was the cause of past cybersecurity incidents leading to the Cyber Safety Review Board questioning its security culture and urging action. In this regard, analysts at Citi Group have raised questions about Windows’ “perceived vulnerability”.
Identifying A Target Price Based on Suffering $1 Billion of Damages and Using a DCF Model
Thus, it is unlikely for CrowdStrike to be crippled by a mountain of damage claims, but, it is important to assess the potential impact on the free cash flow. To this end, analysts have revised the consensus revenue growth estimates for FY-25 to FY-20 slightly lower as shown below with the topline for FY-28 downgraded by the highest percentage. This could be explained by SaaS contracts normally lasting for a 3-5 year period, or with a mid-point of 4, which lands in 2028 (2024 +4).
Thus, I assume that the company will suffer the maximum impact in FY-2028 as shown in the DCF model below when the $1 billion in damages reduces its future FCF to $750 million. Here, I assume that the targeted growth rate is 15% or half the average for the last two fiscal years, or FY-2023 and FY-2024. This is because the company may no longer enjoy the same level of demand as before increasing the likelihood of facing reduced pricing power and diminishing the cash flow generation.
For this matter, its consensus EPS estimates have been downgraded more than the topline by analysts which tends to hint at an ability to drive growth but, at the expense of profitability, possibly the result of providing discounts to attain sales objectives upon expiry of current SaaS contracts.
Furthermore, I chose 7.39% for the perpetual growth rate which is the pace of expansion of the U.S. cybersecurity market from 2024 to 2029, and 8.35% for the discount rate, to finally obtain a DCF price per share of $353.16, or a 47% upside.
To justify this bullish position, the revenue growth projections have not been slashed by analysts and these are still in the double digits, hinting the company is more likely to suffer from slight revenue shortfalls than an erosion of its market share.
Outage-Causing Security Update Process But the Falcon Product Remains Strong
Furthermore, the cause of the outage was someone in the company not having properly tested the Falcon sensor-related security update before massively deploying to Windows servers as per a preliminary post-incident review as shown below.
However, to CrowdStrike’s credit, it not only identified and communicated the issue quickly but also brought remediation measures swiftly. Moreover, while the company is responsible for the mess, its product itself was not hacked. Also, in response to Delta’s litigation threat, CrowdStrike replied it had offered assistance in the immediate aftermath of the incident but got no response.
Continuing on a positive note, when a client has remained subscribed to a cybersecurity provider for years and its IT security policy is built around its products, switching costs are high, especially with a supplier that is not going out of business anytime soon and did not deny responsibility. Hence, its CEO promptly acknowledged the fault and his company is financially solid with $3.7 billion of cash versus $793 million of debt and its FCF margins exceed the IT median by a hefty 250% as shown below.
Looking across the industry, Falcon has a high degree of product differentiation especially since it is built on a lightweight architecture whereby the agent (Falcon sensor) does not consume much server storage and can deliver protection against a wide variety of endpoint threats. Thus, it has been named as a leader for endpoint protection for the fourth consecutive year in November 2023 as pictured below.
CrowdStrike: We Stop Breaches with AI-native Cybersecurity
Also, CrowdStrike’s Falcon sensor is closely integrated with other cybersecurity companies that have expertise in other fields, like Zscaler’s (ZS) Zero Trust capabilities. This means that clients envisaging to cancel their CrowdStrike subscriptions may have to reconsider their entire IT security strategy.
Additionally, the Falcon platform is authorized under the Federal Risk and Authorization Management Program (FedRAMP) specifically covering products that are distributed through the cloud, and to be included, stringent criteria need to be adhered to. Moreover, being FedRAMP-certified confers Falcon an advantage over competitors when bidding for government contracts not only in the United States but internationally.
Further Volatility Risks Remain but this Remains a Growth Stock
In conclusion, with a sticky product, and, after years of receiving protection against the most potent hackers, customers are not likely to instinctively switch to the competition because of one glitch in Falcon’s over six years of history, and also considering the value CrowdStrike brings to enterprises’ cybersecurity systems.
Still, the company will have to bear costs related to preventive actions in its internal processes including validation checks as to the way errors are handled with the help of a third party to ensure the implementation of additional compliance standards. To obtain an idea of the expenses, SolarWinds which was subject to a supply chain cyberattack in March 2020 spent $18 million in the first three months of 2021 alone including professional fees by independent consultants.
Furthermore, the company may not command the same market clout when signing new deals. Also, customers are more likely to closely monitor what is being updated on their IT systems compared to blindly trusting CrowdStrike as before, and ask for more quality assurance before committing to multi-year contracts. This means that it may have to disburse more money to set up a team to communicate more frequently with customers on updates and the type of testing done beforehand.
There may also be further downside risks in case news about other litigation threats hits the market without forgetting potential volatility when the CEO testifies in front of Congress, all depending on how the market digests the news about lawmakers delving deeper into the mishap and safeguard measures. Also, it remains richly valued with a valuation grade of “F” meaning that the stock can drop further. Therefore, more risk-averse investors may seek more clarity during the forthcoming earnings call around August 28 before investing.
This is the reason why the company does not deserve to be valued at its pre-outage peak of $377, and a $343 target seems more reasonable.
On the other hand, as I mentioned earlier, the incident does not raise doubt about Falcon’s ability to provide threat protection, and the $1 billion of potential loss due to damage litigations used to value the company constitutes a worst-case scenario as it does not consider the possibility of blame sharing with Microsoft.
To this end, another estimate by Wedbush Securities says less than 5% of its customers are likely to switch, which would translate into a $150 million impact based on the $3 billion of sales for fiscal year 2024 (FY-24). This would reduce the forward revenue growth of 30.6% to 25.6%, still maintaining CrowdStrike well above the IT sector median as pictured below.
Finally, despite the much-publicized case of Elon Musk deleting the Falcon sensor from his corporate IT systems, CrowdStrike is unlikely to suffer from any lasting impact as it enjoys strong momentum in sales, EBITDA, and free cash flow as shown above.
Editor’s Note: This article was submitted as part of Seeking Alpha’s Best Growth Idea investment competition, which runs through August 9. With cash prizes, this competition — open to all analysts — is one you don’t want to miss. If you are interested in becoming an analyst and taking part in the competition, click here to find out more and submit your article today!
Read the full article here