The UK Financial Conduct Authority (FCA) on October 31, 2024 published observations and key lessons from how firms responded to the CrowdStrike IT outage. The outage caused disruption across several industries globally, and the FCA highlights for UK financial services the importance of ensuring operational resilience in order to minimize the potential impact of future events on consumers and markets.
Background
On July 19, 2024, an update to widely used CrowdStrike security software, which was designed to protect customer systems by identifying and remediating advanced threats, caused systems around the world with that software installed to crash, producing a “blue screen of death” for end users. Notably, the disruption was not caused by malware or a similar malicious attack.
The FCA engaged with firms during the incident to understand its impact and lessons learned.
As of March 2025, banks, insurers, and designated investment firms, among others, must comply with the FCA’s new regime to improve the operational resilience of the UK financial sector. This includes identifying “important business services” and setting impact tolerances (measured using time/duration metrics) against them, i.e., the first point at which a disruption to those important business services would cause intolerable levels of harm to consumers or risk to market integrity. The observations/lessons that the FCA highlights align with its expectations under the incoming regime.
Observations/Lessons
The FCA published the following observations/lessons:
- Prioritizing important business services: The FCA found that firms which had already mapped their important business services and the resources necessary to deliver these services, in advance of the March 2025 deadline, were able to prioritize getting key services back online
- Ensuring resilient infrastructure: Identifying single points of failure within the firm’s infrastructure and technology stack, and diversifying the systems and devices within operating systems, both facilitated resilient infrastructure; given the recent disruption, the FCA notes as good practice testing updates before deployment and considering phased releases across user groups to support containment of any failures
- Change management procedures: Unsurprisingly, the FCA notes that several firms have considered updating change management processes for software and content updates, particularly for third parties with deep-level system access
- Third-party risk management frameworks: The FCA notes that firms may benefit from improving the effectiveness of third-party risk controls, such as through the categorization of third parties (taking into account the potential or actual impact of the incident), performance reviews, contractual obligations including service levels, continuity arrangements and exit plans, and understanding interdependencies to identify and limit the impact a disruption may cause
- Incident response and communications: The FCA found that firms with clear, well-executed communication strategies were able to promptly notify stakeholders and consumers; as to third-party contracts, the FCA notes that it is good practice to set out clearly the responsibilities for service monitoring, incident notification and timely updates, during and after incidents, to enable effective incident response
Prioritizing the Observations/Lessons
The CrowdStrike incident is a crucial learning opportunity for firms navigating an increasingly complex operational landscape. Firms can better prepare for future disruptions by becoming more resilient through risk assessments, robust communication plans, and vigilant third-party risk management.
As the compliance deadline approaches for the FCA’s new operational resilience rules, regulated UK firms would be wise to prioritize the implementation of these observations/lessons.
EU-based financial services firms, and their IT service providers, will also be familiar with these themes from implementing the incoming EU Digital Operational Resilience Act.
As the dust settles on the most recent, and reportedly the worst, example of global IT disruption, resiliency considerations within third-party risk management and supply chain design continue to take center stage.
Trainee solicitor Ava Bajrami assisted with this blog post.