Why the UK’s Financial Authority Has Issued a Cyber Decree
It is safe to say it has been a turbulent year for the cybersphere: increased attacks, record ransoms extorted, and Microsoft’s CEO taking a pay cut over the company’s cyber failures.
Yet one incident in particular has the Financial Conduct Authority (FCA) spooked. The CrowdStrike global IT outage has the FCA issuing a stark warning to UK financial companies, urging them to bolster their defences against severe operational disruptions.
The incident, which affected millions of Windows systems globally, has brought into sharp focus the vulnerabilities that companies face due to their reliance on third-party suppliers.
As organisations increasingly outsource critical functions, the FCA's guidance serves as a timely reminder of the need for robust risk management strategies in an interconnected digital landscape.
The wake-up call
CrowdStrike, a prominent player in the cybersecurity arena, found itself at the epicentre of a crisis on 19 July 2024 when a faulty update to its Falcon Sensor security software triggered widespread system crashes.
The impact was immediate and far-reaching, with approximately 8.5 million Microsoft Windows operating systems experiencing the infamous 'blue screen of death'.
The repercussions were felt across various sectors, from airlines and airports to banks and hospitals. Delta Air Lines, for instance, reported losses of around US$500m due to flight cancellations and disruptions. The global financial damage has been estimated to exceed US$10bn, underscoring the magnitude of the incident.
George Kurtz, CEO of CrowdStrike, confirmed that a faulty kernel configuration file update was at the root of the problem. In response, the company swiftly deployed a fix and assured that the issue was not the result of a cyberattack.
However, the damage was already done, highlighting the cascading effects that a single point of failure can have in our interconnected digital ecosystem.
Preparing for the worst
In light of the CrowdStrike incident, the FCA has called on financial companies to prepare for 'severe but plausible' scenarios, such as global tech outages. The regulator's statement emphasises the need for firms to minimise any potential impact on consumers and markets.
The FCA's guidance is particularly pertinent given that unregulated third-party problems were identified as the leading cause of operational incidents reported between 2022 and 2023.
This statistic aligns with broader industry trends, with a recent study revealing that 80% of surveyed organisations experienced a data breach originating from a third party in 2020.
The third-party risk
The CrowdStrike incident has brought the issue of third-party risk into sharp focus. Third-party risk encompasses any potential threat introduced to an organisation by external parties in its ecosystem or supply chain.
These can include vendors, suppliers, partners, or contractors who have access to internal company data, systems, or processes.
While organisations may have robust internal cybersecurity measures, their third-party relationships can introduce vulnerabilities that bypass even the most sophisticated security systems.
As the FCA noted, “We encourage all firms, regardless of how they were affected by the CrowdStrike incident, to consider these lessons, to improve their ability to respond to and recover from future disruptions”.
A multi-faceted approach to risk
To address the issues exposed by the global IT outage, the FCA recommends that companies enhance their resilience. Such measures include:
- Adequate Testing Scenarios: Firms are urged to ensure their testing scenarios are comprehensive and reflect real-world risks.
- Improved Third-Party Risk Controls: Enhancing oversight and management of third-party relationships is crucial.
- Clear Contractual Responsibilities: Contracts should explicitly outline responsibilities for service monitoring, incident notification, and updates during and after incidents.
These recommendations align with best practices in third-party risk management, which span six key areas: cybersecurity, operational, legal and compliance, reputational, financial, and strategic risks.
The Road Ahead
The FCA has set a deadline of March 2025 for companies to ensure they can withstand events of the magnitude of the CrowdStrike incident.
This timeline reflects the urgency of the situation and the regulator's commitment to enhancing the resilience of the UK's financial sector.
As organisations grapple with these challenges, it's clear that managing third-party risks will require the same level of diligence as internal risk management.
The FCA's guidance in the wake of the CrowdStrike incident marks a significant shift in how financial companies must approach operational resilience.
As the digital landscape continues to evolve, the ability to anticipate, withstand, and recover from severe disruptions will be crucial for maintaining trust in the financial system and protecting it from a potential multi-billion-dollar incident.
Cyber Magazine is a BizClik brand