Preparing for Future Technology Crises: A Call to Action from the FCA
In light of recent operational crises, the Financial Conduct Authority (FCA) has issued a stark warning to the financial industry: firms must enhance their preparedness for technology-related disruptions like the CrowdStrike incident. This incident, which occurred in July, saw a faulty update from the cybersecurity firm disrupt services for approximately 8.5 million Microsoft Windows devices, resulting in significant operational fallout for various sectors, including aviation, healthcare, and banking.
The FCA noted a troubling trend of increasing dependence on unregulated third parties, which were responsible for a substantial number of operational incidents reported between 2022 and 2023. As a result, the regulator has mandated that organisations must demonstrate their resilience to severe but plausible scenarios by March 2025. They urged all organisations to learn from the CrowdStrike experience, emphasising the necessity of strong contingency plans that ensure critical services can continue during crises.
From Trend Micro's perspective, the increased reliance on digital technology and the interconnectedness of public and private services exacerbate the risk landscape. Citizens expect 24/7 access to services like banking and healthcare, but this interconnectedness can lead to both virtual and physical harm, as illustrated by the incident this summer.
Christiane Kirketerp de Viron from the European Commission warned that supply chains are attractive targets for threat actors seeking high returns on investment. She emphasised that organisations must ensure that their supply chains are secure by design to mitigate these risks. Although the CrowdStrike issue wasn't the result of a malicious attack, it served as a reminder of what could happen if a successful supply chain attack were to occur against a ubiquitous supplier.
We believe it’s crucial to embed resilience into digitalisation projects from the outset. For example, initiatives like the Ambulance Radio Programme in the UK demonstrate how critical infrastructure must be built with cybersecurity in mind. Organisations should also transition away from the "good-enough" monoculture of bundled products, where cybersecurity is treated merely as an add-on. Instead, cybersecurity must be integrated into the core of business operations.
We also advocate that recovery and business continuity plans be modelled and regularly exercised, with cyber risk treated with the same urgency as traditional risks such as fire, flood, and pandemic. The interconnectedness of systems means that a vulnerability in one area can have cascading effects across an organisation and its supply chain.
While the FCA emphasises the need for heightened vigilance and preparedness, it is important for organisations to recognise that the stability of their operations depends not only on their internal systems but also on the security of their entire supply chain. The lessons learned from the CrowdStrike incident should serve as a catalyst for meaningful change in how organisations approach risk management and cybersecurity in an increasingly interconnected world.
By fostering a culture of proactive security and resilience, the financial industry can better navigate any potential future technology crises.