Source URL: https://www.theregister.com/2024/11/02/fca_it_resilience/
Source: Hacker News
Title: Financial institutions told to get their house in order before next CrowdStrike
Feedly Summary: Comments
AI Summary and Description: Yes
Summary: The text discusses the UK’s Financial Conduct Authority (FCA) urging financial institutions to enhance their resilience against IT outages similar to the significant disruption caused by a CrowdStrike software update. This incident emphasizes the reliance on third-party technology, the importance of operational resilience, and compliance with upcoming FCA regulations by March 2025.
Detailed Description:
– The UK’s Financial Conduct Authority (FCA) is addressing the importance of operational resilience among financial institutions following a disruptive incident linked to CrowdStrike.
– The CrowdStrike incident in July involved a faulty software update that crashed a substantial number of devices, affecting numerous financial organizations, including major banks and trading houses.
– Key highlights from the incident and the FCA’s response:
  – Operational Disruptions: The FCA identified unregulated third parties as the primary source of operational disruptions between 2022 and 2023.
  – Recommendation for Preparedness: The FCA encourages institutions to bolster their operational resilience and readiness for similar incidents, regardless of their direct impact during the CrowdStrike event.
  – Compliance Deadline: The FCA’s regulations (PS21/3) call for robust business continuity measures, with a compliance deadline approaching in March 2025.
  – Response Effectiveness: Organizations that had adhered to PS21/3 effectively prioritized recovery efforts post-outage, which minimized impact.
  – Risk Management Improvements: Financial institutions needed to reassess their tech stack for weaknesses, leading some to explore alternative solutions or improve change management processes for software updates.
  – Update-Testing Procedures: The FCA insisted that institutions validate their update-testing processes to swiftly contain potential faults.
  – Communication Protocols: Recommendations also included preparing templates for external communication to keep stakeholders informed during incidents.
– In terms of legal implications, Delta Air Lines is pursuing legal action against CrowdStrike for financial losses incurred from the outage, citing specific technical failures attributed to both companies that delayed service restoration.
This incident underscores the necessity for financial institutions to ensure compliance with evolving regulatory frameworks and to strengthen their cybersecurity and resilience strategies so as to mitigate the risks of future technology-related disruptions. The lessons learned serve as a pointed reminder for organizations to evaluate their dependence on third-party services and to improve their incident response procedures.