CrowdStrike outage puts its financial reporting under scrutiny, too

Crowdstrike, a cybersecurity firm, inadvertently caused the global Microsoft outage (Representative Photo) (HT_PRINT)
Crowdstrike, a cybersecurity firm, inadvertently caused the global Microsoft outage (Representative Photo) (HT_PRINT)

Summary

CrowdStrike’s preferred revenue measure looks especially dubious following its global mishap.

CrowdStrike’s disastrous software update ought to put its financial reporting, not just its product issues, under an unwelcome spotlight.

Take, for instance, a self-defined measure that the cybersecurity giant calls “annual recurring revenue," or ARR. This isn’t revenue using that term’s standard definition under accounting rules, but it is among CrowdStrike’s most prominent headline numbers and one on which management has trained investors and securities analysts to place great emphasis. It also looks uniquely suspect following the global outage that CrowdStrike caused.

ARR is a nonstandard accounting term used by a lot of software-as-a-service companies without a common definition for what it means. A simple example would be a customer with a $3 million, three-year contract. The ARR in year one for that customer would be $1 million.

Some cybersecurity companies say they use ARR to help determine executive pay, but don’t show a number for it in their regular financial reports. Some companies say the “A" in ARR stands for “annualized" instead of “annual." Others, including CrowdStrike, say the “A" stands for “annual" but then define it as “annualized." What is more, some count only contracts still in place in their ARR, while others in certain circumstances may include some contracts that have expired.

CrowdStrike says its ARR is the “annualized value of CrowdStrike’s customer subscription contracts as of the measurement date, assuming any contract that expires during the next 12 months is renewed on its existing terms." That assumption may be a stretch, considering that CrowdStrike’s botched software update just caused a global computer outage, likely prompting many to rethink their existing contracts.

Like its cybersecurity competitors, CrowdStrike doesn’t show its math for calculating ARR, or provide any reconciliation to any number prepared using generally accepted accounting principles. At the end of the fiscal year ended Jan. 31, ARR was $3.44 billion, while actual annual revenue was $3.06 billion.

Another curious feature of ARR: If a customer’s subscription expires and the two sides are negotiating a renewal, CrowdStrike says it will still count revenue from it in ARR if the company “is actively in discussion with such an organization for a new subscription or renewal, or until such organization notifies CrowdStrike that it is not renewing its subscription." So in that scenario it doesn’t need an actual deal to book ARR; talks will suffice.

Whatever its utility as a performance measure, ARR has been good to CrowdStrike’s top executives. It is the primary metric used to set their cash bonuses, according to the company’s proxy statement. Those are small compared with the largest portion of their pay by far—stock awards—which are determined using CrowdStrike’s one-year growth in actual revenue, as well as a self-defined profitability metric.

For the latest fiscal year, CrowdStrike’s chief executive and co-founder, George Kurtz, was paid a $1.2 million cash bonus, and $44.1 million in stock awards. By comparison, CrowdStrike’s net income was $89.3 million—its first annual profit since going public five years ago. For fiscal 2022, he received stock awards valued at $146.1 million, while the company’s net loss was $234.8 million.

The nonstandard profitability metric used for determining these stock awards also looks questionable, especially after the global outage. Like many companies, CrowdStrike excludes the cost of stock-based pay. It also excludes the cost of litigation settlements, which is fortunate for the executives, because the global outage means there will be more of those if class-action lawyers have any say.

With a stock-market value of $65 billion, CrowdStrike is valued on hopes of future growth, not current profits. It is possible that memories of useless blue screens and ruined weekends will soon fade. (By contrast, if the outage had been caused by a hack of CrowdStrike’s systems, that would be an existential risk to its business model.)

But the current risk to CrowdStrike’s future business should remind shareholders of the pitfalls of using alternative metrics like ARR. A revenue measurement that counts customer dollars prematurely isn’t worth the trouble.

Write to Jonathan Weil at jonathan.weil@wsj.com

 

Catch all the Technology News and Updates on Live Mint. Download The Mint News App to get Daily Market Updates & Live Business News.
more

topics

MINT SPECIALS