The UK's FCA Issues Cyber Warning to Finance Firms
It is undeniable that the cyber world has encountered its fair share of turbulence this year. From record ransoms extorted, to a significant salary reduction for Microsoft's CEO due to cybersecurity lapses, the challenges are mounting.
Amid these, a particular event has notably alarmed the Financial Conduct Authority (FCA). The widespread global IT outage triggered by CrowdStrike's software issue has led the FCA to issue a stern warning to UK financial entities: strengthen your defences to prevent severe operational disruptions.
This incident, impacting millions of Windows systems around the globe, has put a spotlight on the vulnerabilities that companies face due to their dependencies on third-party suppliers. As firms increasingly outsource essential services, the FCA's advice underscores the importance of solid risk management strategies within a digitally interconnected realm.
The wake-up call
On the 19th of July 2024, the cybersecurity firm CrowdStrike experienced a severe setback. An erroneous update to its Falcon Sensor security software led to a complete halt across numerous systems, showcasing the infamous 'blue screen of death' on about 8.5 million Microsoft Windows operating systems.
The consequence was immediate and widespread. Various industries, including airlines and hospitals, felt the pinch, with Delta Air Lines alone facing losses near $500m due to halted operations. The global financial toll from this incident is estimated to be over $10bn, highlighting the extensive impact of the disruption.
George Kurtz, the CEO of CrowdStrike, acknowledged that a mistaken kernel configuration file update was the core issue. The company quickly rectified the error, clarifying that the mishap was not a result of a cyberattack. However, the incident underscored the profound implications a single fault in our interlinked digital networks can cause.
Preparing for the worst
In reaction to the CrowdStrike debacle, the FCA has urged financial companies to brace themselves for 'severe but plausible' scenarios like global tech disruptions. The directive stresses the necessity to mitigate potential effects on consumers and markets.
This guidance is particularly relevant now as unregulated third-party issues have been earmarked as the primary source of operational incidents reported during 2022 and 2023. Indeed, a recent study exposed that 80% of organisations surveyed in 2020 had encountered a data breach due to third-party interference.
The third-party risk
The debacle has cast a stark light on third-party risks, which encompass threats introduced by external entities within an organisation's ecosystem or supply chain. These entities could be vendors, suppliers, partners, or contractors with access to internal company data, systems, or processes.
Even with stringent internal cybersecurity protocols, third-party interactions can present vulnerabilities that sidestep even the most advanced security setups. As noted by the FCA, "We encourage all firms, regardless of how they were affected by the CrowdStrike incident, to consider these lessons, to improve their ability to respond to and recover from future disruptions."
Thus, companies are encouraged to bolster their resilience by adopting measures outlined in best practices for third-party risk management, covering aspects like cybersecurity, operational, legal and compliance, and strategic risks.
- Adequate Testing Scenarios: Firms are urged to ensure their testing scenarios are comprehensive and reflect real-world risks.
- Improved Third-Party Risk Controls: Enhancing oversight and management of third-party relationships is crucial.
- Clear Contractual Responsibilities: Contracts should explicitly outline responsibilities for service monitoring, incident notification, and updates during and after incidents.
The Road Ahead
The FCA has set a deadline of March 2025 for firms to fortify their infrastructures to be capable of withstanding incidents like the CrowdStrike outage. This timeline underscores the pressing nature of the situation and the regulator's commitment to augmenting the resilience of the UK's financial sector.
As firms tackle these imperatives, managing third-party risks will necessitate as much attention as internal risk management. The guidance from the FCA following the CrowdStrike incident marks a pivotal shift in how financial entities should approach operational resilience.
As the digital environment evolves, the ability to preempt, endure, and recover from major disruptions becomes crucial for maintaining trust in the financial system and safeguarding it from incidents that could cost billions.
FinTech Magazine is a BizClik brand.