Digital resilience and third party risk management have become key concerns for global regulators and the risks have been keenly highlighted by the recent global Crowdstrike incident.
Branded “the largest IT outage in history”, the Crowdstrike event in July saw airplanes grounded, financial services disrupted and businesses offline all over the world.[1] While there are many that worry about bad actors taking down businesses and financial services, this was not the result of a cyber attack, but a simple error in an update for Windows computers from cybersecurity firm Crowdstrike.[2]
The fact that a single small error could have such widespread consequences laid bare regulatory fears that digital resilience is not strong enough and that concentration in third party IT providers is creating points of failure in the system.
Regulatory moves
In the US, the Federal Trade Commission chair Lina Khan issued a series of tweets in the aftermath of the Crowdstrike incident that underlined her concerns about market concentration in the tech industry.[3]
They read: “All too often these days, a single glitch results in a system-wide outage, affecting industries from healthcare and airlines to banks and auto-dealers. Millions of people and businesses pay the price. These incidents reveal how concentration can create fragile systems.”
“Another area where we may lack resiliency is cloud computing. In response to @FTC's inquiry, market participants shared concerns about widespread reliance on a handful of cloud providers, noting that consolidation can create single points of failure.”
US regulators have also been examining the digital resilience of the banking system. Since 2020, regulators including the Federal Reserve Board, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation have sought to identify and consolidate existing guidance that can be used to form the framework for an effective operational resilience regime for banking organisations that are deemed systemically important.[4] The UK has also issued its own new operational resilience regime, launched in March 2022 by its supervisory authorities - the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and Bank of England (BoE).[1] It aims to improve the operational resilience of firms and financial market infrastructures (FMIs), and to protect consumers, the broader financial sector and the UK economy from the impact of operational disruptions.[5]
Getting ready for DORA
Meanwhile, the EU has been working on perhaps the most sweeping regulatory changes with the Digital Operational Resilience Act (DORA), due to come into full effect in January 2025.[6]
DORA covers six critical areas of resilience:
ICT risk management: Principles and requirements for the ICT risk management framework
ICT third-party risk management: Monitoring of third-party providers and key contractual provisions
Digital operational resilience testing: Both basic and advanced
ICT-related incidents: General requirements and reporting of major ICT-related incidents to competent authorities
Information sharing: Exchange of information and intelligence on cyber threats
Oversight of critical third-party providers: A framework for critical ICT third-party providers
But despite these far-reaching changes and the fast-approaching deadline for DORA, as well as the atmosphere of regulatory focus on third-party and digital resilience risks, many financial services firms are not prepared.
A recent survey on Supplier Stability in Operational Resilience, commissioned by Escode, a software escrow solutions provider, found that only 20% of financial professionals have adequate stressed exit plans in place for their critical ICT vendor agreements.[7] DORA requires stressed exit plans for third and fourth parties, which is a significant strategic shift for companies.
McKinsey reported its own survey findings in June 2024, in which 94% of financial institutions said they were fully engaged in understanding the detailed requirements of the legislation.[8] Most of these organisations had completed a gap analysis and were in the process of designing or rolling out implementation programs.
However, nearly all firms reported some uncertainty around the regulation, including the redrawing of third party contracts, clarity about the scope of key items and concern over the timeline for implementation. The cost of compliance was also top-of-mind, with 70% of firms saying that continuing to meet DORA requirements will result in permanently higher run costs for technology and technology control.
Bibliography
[1] https://www.businessinsider.com/global-it-outage-y2k-24-years-later-crowdstrike-cyber-expert-2024-7
[2] https://www.crowdstrike.com/wp-content/uploads/2024/07/CrowdStrike-PIR-Executive-Summary.pdf
[3] https://x.com/linakhanFTC/status/1814395610788929649
[4] https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20201030a1.pdf
[5] https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience
[6] https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
© 2024 ICAP Information Services Limited (“IISL”). This communication is provided by ICAP Information Services Limited or a member of its group (“Parameta”) and all information contained in or attached hereto (the “Information”) is for information purposes only and is confidential. Access to the Information by anyone other than the intended recipient is unauthorised without Parameta’s prior written approval. The Information may not be used or disclosed for any purpose without Parameta’s prior written approval, including without limitation, storing, copying, distributing, licensing, selling or displaying the Information, using the Information in an application or to create derived data of any kind, co-mingling the Information with any other data or using the data for any unlawful purpose or for any purpose that would cause it to become a benchmark under any law, regulation or guidance.
The Information is not, and should not be construed as, a live price, an offer, bid, recommendation or solicitation in relation to any financial instrument or investment or to participate in any particular trading strategy or constituting financial or investment advice or a financial promotion. The Information is not to be relied upon for any purpose whatsoever and is provided “as is” without warranty of any kind, either expressly or by implication, including without limitation as to completeness, timeliness, accuracy, continuity, merchantability or fitness for any particular purpose. All representations and warranties are expressly disclaimed, to the fullest extent possible under applicable law. In no circumstances will Parameta be liable for any indirect or direct loss, or consequential loss or damages including without limitation, loss of business or profits arising from the use of, any inability to use, or any inaccuracy in the Information. Parameta may suspend, withdraw or modify or change the terms of the provision of the Information at any time in its sole discretion, without notice.
All rights, including without limitation intellectual property rights, in and to the Information are, and shall remain, the property of IISL or its licensors. Use of, access to or delivery of Parameta’s products and/or services requires a prior written licence from Parameta or its relevant affiliates. The terms of this disclaimer are governed by the laws of England and Wales.