Court Dismisses Investor Lawsuit Regarding CrowdStrike Software Update

Court Dismisses Misstatement Claims in Class-Action Securities Suit Following CrowdStrike Outage

A federal judge has dismissed a securities fraud lawsuit against CrowdStrike that alleged the company misrepresented the safety and compliance of its products. The ruling comes after the company faced scrutiny related to a global IT outage in July 2024.

In a decision rendered by U.S. District Judge Robert Pitman in the Western District of Texas, most statements made by CrowdStrike were deemed non-actionable puffery or not materially misleading in context. Although Judge Pitman noted that two statements regarding federal compliance could be interpreted as misleading, the court found insufficient evidence of intent or reckless disregard for accuracy.

Judge Pitman stated, “Allegations that ‘defendants were motivated to commit fraud by the need to raise capital, the desire for enhanced incentive compensation and the desire to sell stock at inflated prices’ are, without more, insufficient to support an inference of scienter,” as outlined in his detailed 49-page order.

The class-action lawsuit, spearheaded by New York Comptroller Thomas DiNapoli, accused CrowdStrike of lacking an adequate quality assurance team, failing to conduct phased rollouts, and neglecting to test updates in preproduction environments. In a previous ruling, Judge Pitman had determined that a separate lawsuit brought by airline passengers regarding disruptions caused by the CrowdStrike outage was preempted by the Airline Deregulation Act.

Assessing Mismanagement vs. Intent

Despite evidence suggesting operational mismanagement at CrowdStrike following the outage, Judge Pitman concluded that such evidence did not amount to concrete proof that executives intentionally misled investors. The stronger inference was that CrowdStrike’s executives believed their rapid-update strategy operated outside traditional testing protocols, not that they were attempting to deceive stakeholders.

The plaintiffs argued that CrowdStrike assured investors of adherence to high-quality software development methodologies, including Continuous Integration and Continuous Deployment (CI/CD), claiming software updates were rigorously tested prior to deployment. However, post-outage revelations indicated a lack of pre-production testing and the absence of an independent QA team.

In reference to CrowdStrike’s disclosures, Judge Pitman commented, “When read in context, no reasonable investor would have assumed purely from a single sentence in the Accessibility section of CrowdStrike’s 2023 and 2024 Proxy Statements that CrowdStrike maintained a quality assurance team that tested software updates.”

Potential Misstatements on Compliance Standards

The plaintiffs highlighted that, following the incident, CrowdStrike’s own Preliminary Post-Incident Review acknowledged that the issues could have been identified had proper testing protocols been followed. In further public disclosures, President Michael Sentonas publicly acknowledged significant failure at a prominent cybersecurity conference, indicating a departure from previously asserted standards.

Judge Pitman noted that while the claims regarding CrowdStrike’s FedRAMP compliance could be material misstatements, the plaintiffs failed to demonstrate intent. He pointed out the lack of specific allegations against individual executives regarding their knowledge or recklessness related to the compliance certifications, underscoring the legal complexities surrounding the case.
