CrowdStrike: Restatement Risk Now Elevated
Newly Disclosed SEC/DOJ Investigations Carry Real Danger
Click here for a printable PDF version of this report.
CrowdStrike Holdings, Inc. – CRWD
$ 476.98 US Mkt Cap: $ 116.7 B
Summary and Opinion:
Last week CrowdStrike first disclosed joint SEC/DOJ probes. We received an early signal of a possible SEC investigation on 17-Jan-2025, and alerted our subscribers shortly thereafter. In May, Bloomberg published a piece reporting the existence of SEC/DOJ probes, highlighting a $32 million Carahsoft transaction with the IRS as a key focus.
After reviewing the timeline and parsing the disclosures we believe this situation is likely to worsen before it improves. We conclude restatement risk is now significantly elevated.
From DI Research:
• DI’s Early Signal of SEC probe: 17-Jan-2025
• SEC probe confirmed as ongoing: 24-Apr-2025
• First disclosure of SEC probe: 04-Jun-2025
Excerpt From Transcript of CrowdStrike’s Earnings Call on 03-Jun-2025:
Matthew George Hedberg – Analyst, RBC Capital Markets
Congrats on the results. Not an easy environment for sure. George, I wanted to ask about U.S. Fed. I guess how has it been trending? Sort of what's baked into the guide? And if there's any comment that you could make on -- there was a Bloomberg article earlier in May, that would certainly be helpful.
Burt W. Podbere – CrowdStrike CFO
So I'll take the second part of your question, any comments with respect to Bloomberg. So for us, the company and how the -- and how Bloomberg reported what they reported, the company received request for information from the DOJ and the SEC relating to revenue recognition and reporting of ARR for certain transaction -- for certain transactions, the July 19 outage and related matters.
From the CrowdStrike 10-Q filed on 04-Jun-2025:
First disclosure in an SEC filing of SEC/DOJ exposure.
The Company has received requests for information from the U.S. Department of Justice and the U.S. Securities and Exchange Commission relating to the Company’s recognition of revenue and reporting of ARR for transactions with certain customers, the July 19 Incident and related matters. The Company is cooperating and providing information in response to these requests.
DI's Take:
The July 19th incident could be a distraction and, in our view, is a lesser concern here. Potential problems with revenue recognition are where we suggest you focus your attention.
According to CrowdStrike’s Root Cause Analysis, published in August 2024, the July 19th incident was a software update failure that caused a massive, unintended IT outage. Their greatest risk was at the time it occurred, along with potential litigation and reputational damage. Beyond that, we are not especially concerned about the SEC and DOJ involvement related to this incident nearly a year later.
Here are a few points from the new disclosure of SEC and DOJ investigative activity that should concern you:
Our work suggests CrowdStrike has known about an SEC investigation since at least January 2025, but waited until June to disclose it publicly. You should immediately ask: What changed? What developments prompted this delayed disclosure? In our experience, such changes often indicate the investigation is not going well.
Revenue recognition problems are the leading cause of restatements. DOJ and SEC “requests for information” related to revenue recognition was the first item the company disclosed. CrowdStrike did not include this disclosure lightly—they recognize that their revenue recognition practices now represent a material risk.
Both the SEC and DOJ are involved, which is unusual outside of Foreign Corrupt Practices Act cases. This dual involvement suggests potential criminal exposure, though the exact reasons remain unclear.
Internal controls risk: In that same 10-Q in which we first learned of SEC/DOJ problems, CrowdStrike did tell us internalt controls were effective, as of 30-Apr-2025. Management made a similar claim in the 10-K filed 10-Mar-2025, effective as of 15-Jan-2025. That surprised us and could change. An SEC investigation into revenue recognition significant enough to require disclosure almost certainly involves underlying internal control weaknesses.
Finally, a word on management intent. It appears CrowdStrike aimed to delay disclosure of the SEC/DOJ investigation until after the earnings call. The earnings release and prepared remarks made no mention of the investigation. The disclosure only came in response to an analyst question during the call.
We see this pattern of delayed disclosure too often now. It prevents analysts from asking informed questions during the call and signals a company seeking to limit transparency around material risks.
– John P. Gavin, CFA, NACD.DC
Our Terms of Service, relevant disclosures, and other legal notices can be found here.