As organisations continue to assess the impact of the disruption caused by the recent CrowdStrike incident, the scale of this event serves as a critical reminder of the importance of the Digital Operational Resilience Act (DORA) to the financial services industry. This incident underscores the necessity for financial institutions to avoid or minimise such ICT disruptions, a goal that regulators worldwide have addressed by introducing the concept of operational resilience through regulations like the EU’s DORA. With less than six months remaining until the DORA compliance date, the incident highlights the urgent need for organisations to enhance their digital operational resilience and mitigate the effects of disruptions that can impact the entire financial services sector.
Although previous major disruption events have been caused by outages at ICT third-party service providers (ICT TPSPs), this particular incident is noted by many as potentially the most globally impactful to date, affecting numerous critical services and customers across a variety of industries.
Key Lessons from the Incident
The CrowdStrike incident underscores the importance for organisations to:
- Understand their Critical or Important Functions (CIFs) and their interdependencies.
- Have a clear mapping of CIFs to quickly identify impacted services or functions.
- Effectively initiate their defined Business Continuity or Response and Recovery plans.
The financial entities most severely affected by this incident were those least mature or prepared concerning DORA compliance.
Summary of the CrowdStrike Incident
On July 19, 2024, CrowdStrike implemented a defective update to their Endpoint Detection and Response (EDR) Falcon sensor, which led to an estimated 8.5 million Microsoft Windows-based endpoints crashing with the “blue screen of death.” This prevented many organisations from operating their critical services. While CrowdStrike and Microsoft quickly identified a fix, it required manual interaction with the affected endpoints, resulting in prolonged outages. This incident revealed that many organisations were not adequately prepared for such a scenario as part of their business continuity plans.
Ironically, the incident was caused by a security tool intended to protect organisations from threats. An update released by CrowdStrike led to widespread outages globally. Despite thorough testing of previous updates, this particular update is believed to have bypassed some checks, leading to the distribution of faulty content that triggered system failures.
Importance of ICT Asset Mapping
The incident highlights the critical need to identify and map all ICT assets supporting CIFs, as disruptions can often be caused by tools not typically recognised as ICT assets essential for delivering services or functions. For ICT TPSPs, the event emphasises the importance of rigorous testing and quality control of updates before their release into production environments.
Addressing Concentration Risk
A key element of DORA is ensuring financial entities understand and assess potential concentration risks to their organisation in relation to the wider financial services market. The financial services industry largely relies on a small number of key ICT TPSPs. The CrowdStrike incident illustrates this dependency and underscores the necessity of DORA for financial services in Europe. DORA mandates financial entities to regularly evaluate this risk and attempt to limit the impact that reliance on a single ICT provider may have on an organisation.
Finalisation of the RTS on Subcontracting ICT Services under DORA
Under DORA, a ‘subcontractor’ refers to an ICT third-party service provider or ICT intra-group service provider that offers ICT services to another ICT TPSP within the same service supply chain. On July 26, 2024, the European Supervisory Authorities (ESAs) published the final draft of the regulatory technical standard (RTS) on subcontracting ICT services supporting critical or important functions under DORA. This draft will be presented to the European Council for final approval ahead of the DORA compliance date.
While this incident may not have directly involved a subcontracting chain, it clearly illustrates the necessity for organisations to understand their third parties, associated subcontractors, and to have robust Business Continuity Plans (BCPs) in place. It also demonstrates the significant impact a third party or subcontractor can have on financial entities and the market as a whole. The ICT subcontractor supply chain is a complex area that requires thorough understanding by organisations’ risk functions, as showcased by this incident.
The RTS emphasises the need to comprehend the entire ICT subcontracting chain, with contracted ICT TPSPs, and to document key ICT subcontractors in their Registers of Information. Although some financial services firms may not have been directly contracted with CrowdStrike, many felt the effects of the outage due to their ICT TPSPs subcontracting with CrowdStrike, causing disruptions to the services they provide. This highlights the necessity for comprehensive and holistic BCPs that consider ICT subcontracting, especially concerning services supporting CIFs.
DORA aims to enhance organisations’ maturity regarding their monitoring of ICT TPSPs and associated ICT subcontractors. It requires financial entities to understand and regularly monitor their ICT subcontracting supply chain to identify potential performance issues or vulnerabilities along the chain.
Key Changes in the RTS
While updates from the draft version were not extensive, there are key updates that financial services firms must consider. The ESAs have introduced additional requirements emphasising the nature, scale, and complexity of operations and services provided by ICT TPSPs. These updates include:
- Enhanced Evaluation and Oversight: Financial entities must conduct in-depth evaluations of their operations’ nature, scale, and complexity, particularly concerning ICT TPSPs, with an emphasis on potential regulatory oversight and subcontracting of regulated CIFs.
- Consistency and Compliance: Parent entities must ensure uniform subcontracting conditions for CIFs across the group, and financial entities should verify that ICT TPSPs maintain robust compliance processes. They should not rely solely on their ICT TPSPs’ risk assessments.
- Contractual Control and Termination Rights: The finalised RTS assigns greater responsibility to ICT TPSPs for service provision, monitoring, and reporting, requiring financial entities to track ICT subcontractor chains and granting them rights to be informed of material changes and to terminate agreements under specific CIF-related circumstances.
- Contract Remediation: Timely uplift to existing ICT TPSP arrangements concerning CIFs is required, and financial entities must document the timeline for this remediation effort.
Key Takeaways for Financial Services Organisations
Based on our experience with incidents of this nature and knowledge of DORA requirements, here are some immediate considerations for financial entities:
- Review Business Continuity and IT Disaster Recovery Plans to ensure quick recovery from similar scenarios without causing intolerable harm.
- Develop comprehensive scenario listings that include events like the CrowdStrike incident, and conduct desktop exercises to understand potential organisational impacts.
- Continuously stress test continuity plans using real-life scenarios and incidents to ensure their effectiveness.
- Conduct joint exercises with ICT TPSPs to simulate coordinated responses to potential scenarios and identify vulnerabilities.
- Document your direct ICT TPSPs supporting your CIFs in the Register of Information.
- Map your ICT subcontractor chain in the Register of Information.
- Assess potential concentration risk with ICT TPSPs and understand the impact a disruption at one could have on your organisation.
- Ensure effective continuity plans are in place with both ICT TPSPs and ICT subcontractors.
- Implement effective monitoring over ICT TPSPs and subcontractors to identify potential service performance issues or control environment vulnerabilities.
- For firms engaged with CrowdStrike, assess Microsoft’s role in your ICT supply chain, if applicable.
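The mapping and concentration steps above (documenting direct ICT TPSPs, mapping the subcontractor chain, and assessing which CIFs a disruption at one provider would reach) can be worked through on a small Register of Information. The example below is added here for illustration and is not code from the original article or from EY; the register rows, provider names and subcontracting links are constructed sample data, and the concentration measure (share of CIFs that depend on a provider, directly or through subcontracting) is a simple assumed metric rather than a DORA-prescribed one.

```python
"""Dependency mapping over a constructed Register of Information.

Model: each Critical or Important Function (CIF) depends on ICT services,
each delivered by a directly contracted ICT TPSP; a TPSP may in turn rely
on subcontractors. From that register we derive (a) every provider a CIF
depends on, including those reached only via the subcontracting chain,
(b) every CIF impacted by a disruption at a given provider, and
(c) a simple concentration figure per provider.
"""
from collections import defaultdict

# Constructed sample register: (CIF, ICT service, directly contracted ICT TPSP).
# All names are hypothetical.
REGISTER = [
    ("Payment processing", "Core banking hosting", "CloudHostCo"),
    ("Payment processing", "Fraud screening", "FraudScreen Ltd"),
    ("Customer onboarding", "Identity verification", "IDVerify Inc"),
    ("Trade settlement", "Core banking hosting", "CloudHostCo"),
    ("Regulatory reporting", "Data warehouse", "DataWarehouseCo"),
]

# Constructed subcontracting chain: provider -> key ICT subcontractors it relies on.
# Note that "EndpointSec Corp" has no direct contract with the financial entity;
# it is reached only through the TPSPs that use it.
SUBCONTRACTORS = {
    "CloudHostCo": ["EndpointSec Corp"],
    "FraudScreen Ltd": ["CloudHostCo"],
    "IDVerify Inc": ["EndpointSec Corp"],
    "DataWarehouseCo": [],
    "EndpointSec Corp": [],
}


def providers_for_cif(cif, register=REGISTER, subs=SUBCONTRACTORS):
    """All providers a CIF depends on, following the subcontracting chain.

    Uses an explicit visited set so a circular subcontracting arrangement
    cannot loop forever.
    """
    direct = {tpsp for c, _, tpsp in register if c == cif}
    seen = set()
    stack = list(direct)
    while stack:
        provider = stack.pop()
        if provider in seen:
            continue
        seen.add(provider)
        stack.extend(subs.get(provider, []))
    return seen


def impacted_cifs(provider, register=REGISTER, subs=SUBCONTRACTORS):
    """CIFs that would be affected by a disruption at `provider`, sorted by name."""
    cifs = {c for c, _, _ in register}
    return sorted(c for c in cifs if provider in providers_for_cif(c, register, subs))


def concentration(register=REGISTER, subs=SUBCONTRACTORS):
    """Share of CIFs depending on each provider (direct or via subcontracting).

    Returned as {provider: fraction}, highest concentration first.
    """
    cifs = {c for c, _, _ in register}
    counts = defaultdict(int)
    for cif in cifs:
        for provider in providers_for_cif(cif, register, subs):
            counts[provider] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {p: round(n / len(cifs), 2) for p, n in ranked}


def providers_above_threshold(threshold, register=REGISTER, subs=SUBCONTRACTORS):
    """Providers whose CIF share meets or exceeds an assumed risk-appetite threshold."""
    return [p for p, share in concentration(register, subs).items() if share >= threshold]


if __name__ == "__main__":
    print("Impacted by EndpointSec Corp outage:", impacted_cifs("EndpointSec Corp"))
    print("Concentration:", concentration())
    print("Above 0.5 threshold:", providers_above_threshold(0.5))
```

The point the register makes visible is the one the article draws from the outage: the provider with the highest concentration in this sample is one the entity never contracted directly, so a mapping limited to first-tier TPSPs would miss it entirely.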
Contact Us
If you would like more information on how EY's team of experts can help, please reach out today.