Introduction
The FCA continues to emphasise the necessity of a firm’s operational resilience framework and its ability to deliver important business services in severe circumstances. Following the CrowdStrike outage, the FCA has issued key lessons learned from the incident.
The outage, caused by a faulty update to the Falcon security software, led to a massive IT failure affecting close to 8.5 million Windows systems. This resulted in widespread disruptions across various sectors, including airlines, banks, hospitals and government services. The root cause was a coding error in the update which triggered a “Blue Screen of Death” on affected systems. Although a fix was quickly released, the manual recovery process required for many systems prolonged the impact of the outage.
This incident underscores the potential risks associated with reliance on unregulated third-party service providers and the importance of operational resilience in mitigating the harm of such risks.
The FCA’s expectations
The FCA expects firms to adopt a proactive approach to operational resilience through identifying and mapping Important Business Services, setting clear impact tolerances and regularly testing their resilience against disruptions. The FCA emphasises continuous improvement and the need for firms to invest in their operational resilience to protect consumers, maintain market integrity and ensure the stability of the financial system.
Third Party Service Providers and Cybersecurity
The FCA has observed that many firms demonstrate an increasing dependence on third-party service providers for the delivery of Important Business Services. The CrowdStrike incident was a stark example of how a flaw originating from a third-party service provider can escalate and have a significant adverse impact on consumers and markets.
Partnerships with third-party service providers may offer numerous benefits, but they also introduce operational, IT and security risks that need to be carefully managed. Firms should be aware of:
- Risk of Data Breaches: Third-party service providers may have access to sensitive company data. Any security lapses on their part can lead to data breaches, compromising a firm’s business and customer information.
- Service Reliability: Dependence on third parties means that any disruption in their services can directly impact a firm’s business operations.
- Security Integration: Ensuring that the third-party solutions integrate seamlessly with a firm’s existing security infrastructure is vital to maintain a strong defence against cyber threats and operational disruptions.
- Reputation Risks: Potential breaches or non-compliance incidents involving a third-party provider can tarnish a firm’s reputation, even when the fault lies with the provider.
Safeguarding your business and clients
The prolonged recovery process for many systems affected by the outage highlights the need for robust disaster recovery plans and enhanced operational resilience frameworks.
With the deadline of 31st March 2025 fast approaching, firms must make sure they can deliver Important Business Services in all scenarios.
Key steps to achieve this include:
- Due Diligence and Vetting: Ensure appropriate due diligence is carried out through thorough research and vetting of potential third-party service providers. Security measures, past performance and compliance with industry standards are examples of benchmarks to be reviewed.
- Regular Audits and Assessments: Regularly perform audits, assessments and stress-testing to ensure the firm and its third-party service providers have robust security and resilience measures in place.
- Regular Updates and Patching: Ensure that your systems are consistently updated to protect against known vulnerabilities. Invest in back-up systems and infrastructure so that critical services remain operational even if one component fails.
- Robust Backup Solutions: Implement reliable backup protocols and disaster recovery plans to maintain data integrity and availability. Firms should map their critical services and the resources needed to deliver them, enabling them to prioritise and restore key operations more effectively.
- Training and Awareness: Ensure that staff are educated on how to respond to IT and other emergencies effectively.
- Incident Response Strategies: Develop and regularly update contingency plans to minimise downtime and ensure business continuity. Firms should have clearly defined and tested communication plans for quick and efficient responses, keeping customers and stakeholders informed during an incident.
- Continuous Monitoring and Improvement: Use advanced monitoring tools to detect and address issues promptly within your business’ operational resilience framework and third-party activities. Post-incident reviews and learning from disruptions help firms strengthen their resilience strategies and improve their response to future incidents.
- Clear Contractual Agreements: Establish with third party service providers clear contractual agreements that outline security expectations, responsibilities and consequences for non-compliance.
By March 2025, firms in scope of PS21/3: Building operational resilience must make sure they can deliver important business services in severe but plausible scenarios.
How Complyport can help
At Complyport we can help you mitigate the operational risks associated with third-party service providers through our comprehensive Operational Resilience, IT and Cybersecurity Audit services. Our expertise in operational resilience will help you establish robust third-party risk management frameworks, ensuring that all external partners maintain high security standards.