CrowdStrike outage and operational resilience

by Mark Rowe

How did financial firms respond to the CrowdStrike outage in July, and what’s their preparedness to respond to other such incidents? Those were the questions behind a report by the UK regulator the Financial Services Authority (FCA), covering operational resilience, Professional Security Magazine editor Mark Rowe reports.

Background

CrowdStrike released a Falcon content update for Microsoft Windows hosts, with a defect that caused systems to crash. Many finance firms use CrowdStrike for device protection, threat intelligence and response services. CrowdStrike’s core platform, Falcon, detects and responds to malicious threats. The FCA says that it sought to understand the impact on firms and the market, operational responses, and recovery; and after the restoration of services, the Authority sought ‘lessons learnt’. For the report, visit the FCA website.

Comments

Jack Horlock, Principal Associate specialising in cyber risk and incident response at cyber firm CyXcel, says: “This incident was headline-grabbing, and understandably so. One of the largest cloud hosting providers and one of the largest cybersecurity providers had gone down, creating a cross-sector shutdown. How? A faulty update was pushed out to user-end devices. Why? The error in the update evaded CrowdStrike’s validation and testing process.

“Although the impact of the incident was felt across the globe, the reality is that this could have been much worse. The consequence of the faulty update was that servers and endpoints “failed closed” – i.e. they became inaccessible rather than exposing or opening a vulnerability. Therefore, whilst warnings about scammers seizing the moment and capitalising on the chaos were necessary and timely, there was no question of malicious compromise. The fix came relatively quickly. There was variance, though, in different organisations’ efficiency and speed of recovery: those who had tested recovery plans and up-to-date infrastructure recovered quickly. Those who didn’t, didn’t.

“Businesses are increasingly reliant on a patchwork of suppliers and service providers: their supply chain. Organisational risk, for some time now, hasn’t been a question of what goes on just within the four walls of the company, but also a question of transfer and management of risk outside the bounds of a single organisation. Regulations across multiple jurisdictions are being updated to reflect the significance of supply chain risks because of exactly that: a chain is only as strong as its weakest link. Organisations must have a clear view of their suppliers and service providers which includes not just who is doing what, but how they are doing it, what the consequences are should there be a failure by the supplier, and how the organisation will respond in that event.”

And David Ferbrache, managing director at Beyond Blue, described the CrowdStrike outage as one of the most disruptive incidents this year, so it was not surprising the FCA was using its analysis of the incident to stress the importance of resilience in the financial sector.

He said: “The digital world has grown increasingly interconnected. Heavily regulated industries, such as the UK’s financial sector, have become critically dependent on many less-known and often unregulated suppliers to provide their services. However, this can create serious security and resilience concerns, especially when partners are not practicing good cyber hygiene, have privileged access into your network, or become so critical to operations that financial institutions cannot operate with them.

“This is a challenge that the FCA, together with the PRA and the Bank of England, are looking to address through the forthcoming Critical Third Parties (CTP) regulatory regime, which is expected to land this quarter.

“Operational resilience is the ability for financial firms to meet the vital needs of their customers even in the face of severe disruptions. When third parties—such as cloud service providers, IT management services, or communication platforms—fail, the ripple effect can be catastrophic for financial firms and, by extension, the broader financial ecosystem. The upcoming policy is working to tackle this challenge.

“The policy stipulates that financial firms must have an understanding of the resilience of their third parties in the face of severe but plausible scenarios, while also ensuring they can remain resilient if those third parties are rendered unavailable.

“While we expect the CTP regime will regulate the most important of those third parties, there will be many hundreds more suppliers on which the financial sector depends and which could also cause major disruption. This requires the financial sector to work together to tackle the resilience of those “significant” third parties.

“The Cross Market Operational Resilience Group (CMORG) of the Bank of England brought financial institutions together to agree the next steps on how the community tackles that next tier of suppliers, making recommendations on how scenario testing of third parties is carried out, the types of evidence third parties should provide regarding their resilience to give confidence to financial firms, and how resilience obligations may be embedded in future contracts.

“Operationalising these findings over the coming year will be key to improving sector resilience and complements the roll-out of the CTP regime. Together these initiatives will both be key to a resilient financial sector ecosystem – one that is increasingly complex and interdependent.”