The UK's FCA Issues Cyber Warning to Finance Firms

Share
Yet the FCA's guidance in the wake of the CrowdStrike incident marks a significant shift
After a major IT disruption, the FCA urges UK finance firms to reinforce their defences and manage third-party risks

It is undeniable that the cyber world has encountered its fair share of turbulence this year. From record ransoms extorted, to a significant salary reduction for Microsoft's CEO due to cybersecurity lapses, the challenges are mounting.

Amid these, a particular event has notably alarmed the Financial Conduct Authority (FCA). The widespread global IT outage triggered by CrowdStrike's software issue has led the FCA to issue a stern warning to UK financial entities: strengthen your defences to prevent severe operational disruptions.

This incident, impacting millions of Windows systems around the globe, has put a spotlight on the vulnerabilities that companies face due to their dependencies on third-party suppliers. As firms increasingly outsource essential services, the FCA's advice underscores the importance of solid risk management strategies within a digitally interconnected realm.

The wake-up call

On the 19th of July 2024, the cybersecurity firm CrowdStrike experienced a severe setback. An erroneous update to its Falcon Sensor security software led to a complete halt across numerous systems, showcasing the infamous 'blue screen of death' on about 8.5 million Microsoft Windows operating systems.

The consequence was immediate and widespread. Various industries, including airlines and hospitals, felt the pinch with Delta Air Lines alone facing losses near $500m due to halted operations. The global financial toll from this incident is estimated to be over $10bn, highlighting the extensive impact of the disruption.

George Kurtz, the CEO of CrowdStrike, acknowledged that a mistaken kernel configuration file update was the core issue. The company quicky rectified the error, clarifying that the mishap was not a result of a cyberattack. However, the incident underscored the profound implications a singular fault in our interlinked digital networks can cause.

George Kurtz, CEO of CrowdStrike

Preparing for the worst

In reaction to the CrowdStrike debacle, the FCA has urged financial companies to brace themselves for 'severe but plausible' scenarios like global tech disruptions. The directive stresses the necessity to mitigate potential effects on consumers and markets.

This guidance is particularly relevant now as unregulated third-party issues have been earmarked as the primary source of operational incidents reported during 2022 and 2023. Indeed, a recent study exposed that 80% of organisations surveyed in 2020 had encountered a data breach due to third-party interference.

The third-party risk

The debacle has cast a stark light on third-party risks, which encompass threats introduced by external entities within an organisation's ecosystem or supply chain. These entities could be vendors, suppliers, partners, or contractors with access to internal company data, systems, or processes.

Even with stringent internal cybersecurity protocols, third-party interactions can present vulnerabilities that sidestep even the most advanced security setups. As noted by the FCA, "We encourage all firms, regardless of how they were affected by the CrowdStrike incident, to consider these lessons, to improve their ability to respond to and recover from future disruptions."

Thus, companies are encouraged to bolster their resilience by adopting measures outlined in best practices for third-party risk management, covering aspects like cybersecurity, operational, legal and compliance, and strategic risks.

Risk management techniques
  • Adequate Testing Scenarios: Firms are urged to ensure their testing scenarios are comprehensive and reflect real-world risks.
  • Improved Third-Party Risk Controls: Enhancing oversight and management of third-party relationships is crucial.
  • Clear Contractual Responsibilities: Contracts should explicitly outline responsibilities for service monitoring, incident notification, and updates during and after incidents.

The Road Ahead

The FCA has set a deadline of March 2025 for firms to fortify their infrastructures to be capable of withstanding incidents like the CrowdStrike outage. This timeline underscores the pressing nature of the situation and the regulator's commitment to augmenting the resilience of the UK's financial sector.

As firms tackle these imperatives, managing third-party risks will necessitate as much attention as internal risk management. The guidance from the FCA following the CrowdStrike incident marks a pivotal shift in how financial entities should approach operational resilience.

As the digital environment evolves, the ability to preempt, endure, and recover from major disruptions becomes crucial for maintaining trust in the financial system and safeguarding it from incidents that could cost billions.

**************

Make sure you check out the latest edition of FinTech Magazine and also sign up to our global conference series – FinTech LIVE 2024

**************

FinTech Magazine is a BizClik brand. ​​​​​​​

Share

Featured Articles

Google Cloud Sets AI Agenda at Money20/20 with Vertex

In an era where AI is reshaping finserv, Google Cloud is positioning itself as the enabler of sustainable, enterprise-grade AI deployment

M20/20: Mastercard Maps Out Future of Payments Tech

Mastercard's Chief AI and Data Officer Greg Ulrich discusses how the payments giant is leveraging AI to transform global finance and commerce

LSEG Takes on Digital Identity at Money20/20

At Money20/20 USA, LSEG addresses the evolving challenges of financial fraud and digital inclusion in an increasingly digitalised financial sector

MONEY20/20: B4B Payments Unveils Tech Consolidation Plans

Digital Payments

Money20/20: DailyPay Disrupts Global Wage Access

Financial Services (FinServ)

FinTech LIVE Singapore 2025 - The Agenda

Financial Services (FinServ)