Get ready for your own CrowdStrike, City regulator tells firms

The financial industry must do more to prepare for technology crises such as the CrowdStrike-related outages that caused chaos around the world, the City regulator has said.
The Financial Conduct Authority said that it had seen a “continued trend” of incidents related to regulated firms having “increasing dependence on unregulated third parties to deliver important business services”.
Between 2022 and 2023, issues linked to third parties such as technology suppliers were the leading cause of “operational incidents” reported to the regulator.
The authority has given the financial industry until March 2025 to demonstrate its resilience to “severe but plausible” scenarios such as the CrowdStrike crisis.
In July a faulty update from CrowdStrike, a cybersecurity business, affected 8.5 million Microsoft Windows devices, interrupting internet services and leaving thousands of people stranded at airports after flight cancellations.
Delta Airlines is suing CrowdStrike, claiming the incident cost it more than $500 million after about 7,000 flights had to be cancelled. The outages also hit sectors such as banking, healthcare, retail and media companies and hotel chains.
The FCA said it had observed “varying degrees of operational impact on regulated firms” from the incident but there had been “minimal consumer harm”. However, it told firms to ensure they can handle similar crises in future.
“We encourage all firms, regardless of how they were affected by the CrowdStrike incident, to consider these lessons, to improve their ability to respond to and recover from future disruptions,” the authority said in a statement.
It said regulated firms “must make sure they can deliver important business services in severe but plausible scenarios, like the CrowdStrike outage, to help minimise the impact on consumers and markets”.
It called on companies to consider a series of steps, including ensuring that testing scenarios were adequate, improving third-party risk controls and ensuring contracts clearly set out responsibilities for service monitoring, incident notification and updates during and after incidents.
Jack Horlock of CyXcel, a cyber security consultancy, said: “Businesses are increasingly reliant on a patchwork of suppliers and service providers: their supply chain. Organisational risk, for some time now, hasn’t been a question of what goes on just within the four walls of the company, but also a question of transfer and management of risk outside the bounds of a single organisation.
“Regulations across multiple jurisdictions are being updated to reflect the significance of supply chain risks because of exactly that: a chain is only as strong as its weakest link. Organisations must have a clear view of their suppliers and service providers which includes not just who is doing what, but how they are doing it, what the consequences are should there be a failure by the supplier, and how the organisation will respond in that event.”
The Bank of England has warned about the potential risks that the increasing adoption of artificial intelligence by financial firms could pose to financial stability. Sarah Breeden, a deputy governor at the Bank, said in a speech that “we could perhaps use stress tests to understand how AI models used for trading whether by banks or non-banks could interact with each other”.
In the UK, withdrawals of cash spiked on the morning of the CrowdStrike incident, with Link, the cash machine provider, saying that the issue showed that society could not safely become cashless unless it was certain about the resilience of digital systems.
