Corporate News

IT Meltdown Triggers Corporate Reporting Requirements: Explained

Friday’s “blue screen of death” software meltdown grounded flights, upended trading, and disrupted corporate offices after a faulty update crashed Microsoft Windows computer systems worldwide.

The IT failure also puts pressure on the two companies at the center of the chaos—Microsoft Corp. and cybersecurity company CrowdStrike Inc.—to disclose details to investors and Wall Street regulators.

Both companies will be expected to share via securities filings with the market both the immediate news of the mass outage and the subsequent estimated impact on their business operations and customers.

“I’ve got to believe there are rooms full of senior managers and lawyers trying to figure out how to communicate this,” said George Wilson, director of the Practising Law Institute’s program focused on securities regulation.

What reporting obligations does a company have?

Public companies are required to alert the market when there’s a “material” event that affects their business, issuing a special form 8-K, also known as a current report, that becomes part of their permanent securities filings history. Those filings are due within four business days, with certain exceptions.

The Securities and Exchange Commission requires companies to issue specific types of 8-Ks covering more than two dozen scenarios, from a departing top executive, to a new earnings release, to the appointment of a new auditor. In 2023, the SEC added another requirement: separate 8-Ks to reveal cyber attacks.

Friday’s global outage doesn’t appear to be a cyber breach. CrowdStrike’s Chief Executive Officer George Kurtz said in an early-morning post on X that the problem stemmed from a defect in a single content update for Windows hosts. “Today was not a security or cyber incident,” the CEO posted later in the day.

As of Friday afternoon, neither Microsoft nor CrowdStrike had issued 8-Ks about the global IT crash. The companies didn’t immediately respond to requests for comment.

So what kind of 8-K would it be?

In addition to the more than two dozen specific events that trigger an 8-K, there’s the catch-all category of “other events.” Companies use this filing to alert the market about information they think is important to convey. That’s where judgment kicks in. What, exactly, is considered “important” to investors.

Companies generally lean on the concept of materiality, the idea of sharing relevant decision-making information, to decide when to issue such forms, Wilson said.

“It’s pretty hard to argue this is not a material event when it shows up on CNBC and millions and millions of people are affected,” he said.

What kinds of details would a company report?

Two types of disclosures kick in: one set to address a company’s role in the outage and another about the impact the outage had on its business, as well as its customers. The SEC will want details, said Bruce Pounder, founder of GAAP Lab, an accounting advisory firm.

“You can’t simply say, ‘Hey, one of my major systems failed and it affected our customers in a way that may affect our business,’” Pounder said. “There would be a pretty strong expectation from the SEC to provide a fulsome disclosure.”

Both companies will likely tread carefully, at least in the near term, however, said James Cox, a Duke University law professor who specializes in corporate and securities law.

“Once you start talking about a subject it’s very hard to extricate yourself from saying too much that’s going to get you into trouble,” Cox said.

What about upcoming financial reports?

Microsoft closed its fiscal books on June 30 and is expected to release full-year results on July 30. CrowdStrike, which has a Jan. 31 fiscal year end, closes its second-quarter books on July 31. It hasn’t set an earnings release date, according to its website.

Although Microsoft’s books are closed, that doesn’t mean it’s pencils down for the company’s accountants and attorneys. Companies are required to include “subsequent events” if they are material, and they also can discuss events that happened after the balance sheet date within the Management’s Discussion & Analysis or the risk factors sections of their financial reports.

CrowdStrike hasn’t closed its books yet. And the crash is expected to have a bigger financial impact on the Austin-based firm, whose update triggered the meltdown hitting Microsoft Windows systems.

Its stock price fell Friday morning, settling at an 11% drop by market close, according to Bloomberg. CrowdStrike, which entered the S&P 500 index in June, is also smaller than Microsoft. Its market capitalization on Friday afternoon was about $74 billion versus Microsoft’s more than $3 trillion.

Microsoft is so big that it’s hard to imagine anything having a material impact when it happened in early hours and was fixed before lunch,” Wilson said.


Read More

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button