CashNews.co
Unregulated third-party service providers pose significant risk to operational stability, says FCA
Image:
FCA urges Uk finance firms to boost cyber resilience
The Financial Conduct Authority (FCA) has issued a warning to UK financial firms, urging them to bolster their resilience against potential global tech outages.
The directive comes in the wake of the widespread disruption caused by a botched software update from US cybersecurity firm CrowdStrike earlier this year.
The incident, which occurred on 19th July 2024, had a significant impact on businesses and individuals worldwide.
A software update from CrowdStrike wreaked havoc on Windows machines worldwide, causing a wave of Blue Screens of Death (BSODs) that crippled operations in critical sectors like healthcare, finance, media companies and airlines.
The incident impacted an estimated 8.5 million Microsoft Windows devices.
In a statement released on Thursday, the FCA highlighted the critical need for financial institutions to maintain business continuity even under “severe but plausible” circumstances.
The authority said unregulated third-party service providers pose a significant risk to operational stability, as evidenced by the numerous incidents reported in recent years.
“Since the beginning of 2023, we’ve seen a continued trend of third-party related incidents. Between 2022 and 2023, third-party related issues were the leading cause of operational incidents reported to us,” the regulator said.
“These outages emphasise firms’ increasing dependence on unregulated third parties to deliver important business services. This highlights the importance of firms continuing to become operationally resilient in line with our rules.”
While the FCA acknowledged that consumer harm was minimal in this particular case, it underscored the potential for severe consequences in future incidents.
To mitigate risks and ensure business continuity, the FCA has mandated that financial firms implement a series of measures by March 2025.
These include:
- Robust testing scenarios: Firms must conduct rigorous testing to assess their systems’ resilience to various disruptions, including large-scale outages.
- Enhanced third-party risk management: Stricter controls should be in place to monitor and manage risks associated with third-party service providers.
- Clear service level agreements: Contracts with third-party providers should explicitly outline responsibilities for service monitoring, incident notification, and timely updates.
The FCA’s deadline for compliance with its rules on third-party risk management, PS21/3, is March 2025.
The regulator says firms that have already met these requirements were better positioned to respond to the CrowdStrike incident, demonstrating the importance of proactive measures.
“By investing in operational resilience and following our operational resilience rules, firms were able to identify consumer and market impacts and prioritise their important business services,” it said.
“Firms that had mapped their important business services, and the resources necessary to deliver these services, were able to prioritise getting key services back online to reduce the overall impact the incident had on their operations.”
While the financial industry largely recovered from the CrowdStrike outage, the incident has sparked legal battles.
Delta Air Lines has filed a lawsuit against CrowdStrike, seeking damages for significant revenue losses. CrowdStrike, in turn, has filed a countersuit, alleging that Delta’s own negligence contributed to the prolonged disruption.