The FCA has published a statement reflecting on how firms responded to the July 2024 incident and sharing key lessons learned from the incident. The FCA found that firms who had followed the FCA’s operational resilience rules set out in PS21/3: Building operational resilience (“PS21/3”) were better prepared to prioritise restoration of their important business services and were able to communicate with customers and stakeholders effectively.
The FCA reminds firms that the mapping and testing exercises required under PS21/3 should be carried out by 31 March 2025.
What happened?
On 19 July 2024, the cybersecurity firm CrowdStrike released a defective software update in a vulnerability scanner, causing millions of systems running Microsoft Windows to crash. The CrowdStrike software, which detects and responds to malicious threats, is used by many financial services firms for device protection, threat intelligence and incident response.
IT incidents of this scale have the potential to cause major impact to consumers and society at large. Fortunately in this case, the consumer impact in the financial services sector was minimal, although firms suffered varying degrees of operational disruption.
The FCA engaged with firms during and after the incident to understand the impact on firms and the market, operational responses, and recovery.
What are the rules under PS21/3?
PS21/3 requires firms to:
- identify important business services. These are services provided by the firm to clients, the disruption of which could cause intolerable harm to consumers, market integrity, the firm’s safety or soundness, or financial stability;
- set impact tolerances for those important business services. An impact tolerance is the maximum tolerable level of disruption to an important business service as measured by length of time and any other relevant metrics; and
- conduct mapping and scenario testing exercises to test their impact tolerances in a "range of severe but plausible disruption scenarios".
Firms are expected to have conducted mapping and scenario testing exercises by March 2025.
PS21/3 is part of a package of rules introduced by the FCA, Bank of England (BoE) and Prudential Regulation Authority (PRA) to enhance operational resilience across the financial services sector, which also include:
Further reforms in this area are on the horizon—the Financial Services and Markets Act 2023 introduced powers for the regulators in relation to “critical third parties” (CTPs) to the UK financial sector. The FCA, PRA and the BoE issued a Discussion Paper (DP22/3), followed by a Consultation Paper (CP23/30) (which closed for consultation in March 2024), on the proposed regulatory regime. The proposals set out policy measures that aim to ensure resilience of, and manage systemic risks posed by, services provided by CTPs to financial services firms and FMIs.
What are the FCA’s observations from the incident?
The FCA notes that since the beginning of 2023, it has seen a continued trend in third-party related incidents and that between 2022 and 2023, third-party related issues were the leading cause of operational incidents reported to it.
Through its engagement with firms during and after the incident, the FCA has observed that:
- Firms that had mapped their important business services, and the resources required for these services, were able to prioritise restoration of these services to mitigate the overall impact of the incident.
- Firms that had tested scenarios that were severe but plausible, including those impacting multiple important business services at the same time, we also better prepared for the incident.
- Firms that had clearly defined and tested communications strategies were well prepared to respond to, and communicate with, customers and stakeholders.
Key actions
Key action points from the FCA’s detailed insights on the incident are:
- Ensuring the resilience of infrastructure: Firms should ensure adequate testing of software and content updates before deployment and consider phasing releases across user groups to support containment of any failures.
- Third party management: Firms may benefit from reviewing third-party management frameworks regularly and after significant events or incidents, in order to improve the effectiveness of third-party risk controls. It may be useful for firms to:
- identify if changes may be required to their third-party categorisation, risk assessment and management processes, due to the potential or actual impact of the incident.
- review vendors’ performance, service levels, contractual obligations, continuity arrangements and exit plans against the firm’s resilience requirements for the third parties, and remediate any gaps identified.
- consider and understand interdependencies to help identify and limit the impact a disruption may cause.
- Incident response and communications: Firms may:
- consider making communications more efficient through pre-approved communication templates, preparation of service status pages, banners, or other communication formats accessible to stakeholders;
- benefit from ensuring third-party contracts clearly set out responsibilities for service monitoring, incident notification and timely updates, during and after incidents, to enable effective incident response where service providers are affected;
- consider conducting a post-incident review following a significant disruption or any event that affects the market. This would include a review of the overall effects to determine if any changes are needed to their important business services or impact tolerances, for example, the need to classify a service as an important business service, or revise impact tolerances.
Next steps
The FCA encourages all firms, regardless of how they were affected by the CrowdStrike incident, to consider the lessons coming out of it in order to improve their ability to respond to and recover from future disruptions.
If you would like to know more about the FCA’s expectations or have questions relating to operational resilience, please get in touch with our team.
Authored by Louise Crawford.
