It has been a year since the widespread CrowdStrike outage sent ripples across global IT infrastructure and business operations.

The incident, caused by a faulty update to CrowdStrike's Falcon 9 product, highlighted critical vulnerabilities in interconnected digital ecosystems and raised questions about resilience, responsibility, and risk management in an increasingly cloud-dependent world.

The outage affected an estimated 8.5 million Windows devices globally, representing approximately 1% of the worldwide Windows estate. The financial impact has been projected to be between $10 billion and $12.5 billion, with airlines, banks, retailers, and government services significantly disrupted.

Delta Airlines alone experienced a five-day impact, with 7,000 flights cancelled and 1.3 million passengers affected, at an estimated cost of $550 million.

The immediate propagation of the issue across Microsoft’s Azure public cloud and M365 online productivity platform (and later other cloud environments and self-hosted systems) underscores the profound interconnectedness of modern IT.

Microsoft, despite not being the cause of the initial error, facilitated its rapid global spread due to its US-centric and interconnected platform architecture, which allows for and relies on the rapid global propagation of configuration and identity changes.

The underlying nature of its Windows operating system was also a contributing factor: Microsoft provided CrowdStrike with Ring 0 equivalent kernel access to it, which made the issue possible in the first instance.

Accountability and limited liability

One of the most striking takeaways from the CrowdStrike incident is the apparent lack of significant financial or reputational repercussions for the cloud providers themselves. Microsoft’s stock price experienced only a 1% blip on the day of the outage, mirroring the percentage of impacted Windows devices.

CrowdStrike's share price initially dipped by 11% on the day of the outage, and a total of 36% within two weeks. However, a year later, its shares are trading 65% higher than on the day of the outage. Their Annual Recurring Revenue (ARR) growth, while slightly lower in the quarter immediately following the incident ($158 million versus $218 million in the prior quarter), still showed a 34% year-on-year increase by the end of the year.

This swift recovery for the providers can be partly attributed to the protective clauses embedded in their terms of service. CrowdStrike’s terms, for instance, explicitly state that their software should not be used for “high value processing” where a failure could lead to risk to life, safety, environmental damage, or significant financial losses. Furthermore, the company’s liability for losses is typically capped at the cost of the service purchased in that financial year.

These clauses, which are not unique to CrowdStrike and are mirrored in Microsoft’s terms of service, effectively limit the financial recourse for customers experiencing significant losses. This highlights a critical, yet often overlooked, aspect of cloud service adoption: the transfer of operational risk largely falls upon the customer.