When a software glitch crippled Delta Air Lines in July 2024, headlines placed the blame on a faulty update from cybersecurity firm CrowdStrike. But nearly a year later, it’s clear that the real failure was not just in the code—it was in the boardroom. The July collapse is a critical case study for the importance of prioritizing business continuity.
In an age where operational resilience and technological agility are vital to business continuity, companies cannot afford for their directors to be caught flat-footed. Yet that’s exactly what happened at Delta. More than 7,000 flights were grounded leaving over half a million passengers stranded. And while other airlines rebounded quickly from the same technology issue, Delta lagged behind—crippled not by code, but by complacency. Weak board oversight and outdated expertise turned a recoverable IT issue into a $500 million disaster.
Delta sued CrowdStrike over the outage, and in May, a judge let the case proceed without ruling on its merits. CrowdStrike has countersued, arguing that other airlines recovered quickly, which suggests that Delta’s own failures caused the worst of the damage.
At issue is the airline’s business continuity planning—the ability to identify, plan for, and respond to operational risks. Company directors are expected to look around corners, to borrow a phrase from investors who are increasingly scrutinizing boards to insure their readiness to manage the next crisis before it erupts. That responsibility is especially crucial in today’s hyperconnected, technology-dependent economy, where one failed update can spiral into an enterprise-wide crisis.
The data on business disruptions is stark: Even less critical service failures can cost companies up to $16,000 per minute, depending on the organization’s scale. For large companies like Delta, losses due to a massive continuity failure can rapidly escalate into the hundreds of millions of dollars, as the 2024 incident demonstrated. But the deeper cost is the loss of trust among customers, employees, and shareholders.
So how did one of America’s flagship airlines end up so unprepared?
The answer begins with a board that was ill-equipped to oversee the risks of a digital-first world. Only three of Delta’s twelve independent directors had any cited experience in technology or cybersecurity. One of them, David DeWalt, joined the board in 2011, but his last executive role ended in 2016—nearly a decade before the CrowdStrike crisis—and the rapidly evolving cyber threat landscape has changed dramatically since then.
Another director, Maria Black, CEO of ADP, was appointed to the board in April 2024, just 84 days before the meltdown. She’s an accomplished executive, but expecting a newly-seated director with full-time responsibilities at another Fortune 500 company to meaningfully influence business continuity planning in under three months is unrealistic.
Other recent appointees fared no better. Christophe Beck, added in early 2025, was lauded for his technology experience. But Beck runs Ecolab, a company focused on water treatment and hygiene, not exactly the bleeding edge of enterprise IT resilience. Willie Chiang, another 2024 addition, brings energy sector experience, but little experience that would help navigate a software-driven airline crisis. Judith McKenna has a consumer retail background, and Michael Huerta—former head of the FAA—was conspicuously ineffective despite his aviation credentials.
Delta’s own risk disclosures raise even more questions.
In its February 2025 annual report, the airline claimed it had “not experienced any material cybersecurity incidents” over the past three years and reported only “immaterial” cybersecurity expenses. This assertion stands in direct contradiction to the company’s own legal complaint, which describes the CrowdStrike-triggered outage as “catastrophic” and pegs the damage at over $500 million—plus long-term brand harm and lost revenue.
Why the discrepancy? One possible explanation is that Delta’s board and management were more focused on containing the reputational damage than on owning up to the operational failure. More troubling, though, is what this says about the board’s view of risk: if half a billion dollars in losses and global flight chaos don’t qualify as a “material” event, what does?
What’s more, the board’s audit committee, which oversees cyber and technology risk, is particularly underpowered. It is chaired by Kathy Waller, who hasn’t held an executive role in more than six years. Other members include DeWalt (whose cyber experience is aging out of relevance) and directors without any direct IT or cybersecurity background. The mismatch between committee responsibilities and director expertise is a flashing warning light for investors and regulators alike.
Delta’s crisis was preventable: Other major airlines affected by the same CrowdStrike bug managed to restore operations quickly. What set Delta apart was the absence of robust, well-practiced business continuity plans that should have been stress-tested and overseen by a board with relevant experience.
Institutional investors have long emphasized the importance of effective risk oversight, meaning boards that fail to adapt will face growing pressure. The days of viewing board seats as honorary roles for politicians or retired executives are over. In a world where operational resilience is inseparable from technological savvy, boards must include directors with current, hands-on experience in managing digital risks and business continuity protocols.
This is not just a lesson for Delta. It’s a warning shot to every public company navigating the volatile terrain of cybersecurity, artificial intelligence, supply chain shocks, and geopolitical risk. Continuity planning is not about checking boxes—it entails building the organizational muscle to respond to the unexpected and ensuring the people at the top know how to use it.
The stakes are high. When business continuity fails, it’s not just systems that go down. Trust does too. And once that’s lost, it is far harder to reboot.