Companies impacted by CrowdStrike’s defective software update should consider the following long-term reporting implications:
- Risk Factors and Forward-Looking Statements. Impacted companies should consider updating their risk factors about systems downtime and/or reliance on third parties to operate critical business systems. Remember to update relevant hypothetical and forward-looking language about outages or systems downtime to indicate that such risks have already occurred. For example, revise language stating that system outages “may” occur when the company has already experienced outages and downtime due to the CrowdStrike update. In addition, software and technology companies that similarly update systems, including automated updates, should ensure their risk factors cover risks associated with errant updates, and that their boards have oversight visibility on how those risks are mitigated where it may be deemed mission critical to the company.
- Management’s Discussion and Analysis. Impacted companies should consider discussing material impacts (if any) in the management’s discussion and analysis section of the company’s next Form 10-Q.
- Internal Controls and Disclosure Controls. Impacted companies should evaluate their response to the CrowdStrike update and related outages to identify any risks or gaps in their policies and practices, including internal controls and disclosure controls and procedures, and address any deficiencies.
This article is part of Fenwick's monthly "Securities Law Update" that was authored by David A. Bell, Ran Ben-Tzur, Amanda Rose, and Merritt Steele.