No. 120: Strengthening Financial Stability: Navigating Evolving Regulatory Frameworks for Operational Resilience and Third-Party Risk Management in the Financial Systems of the European Union, the United Kingdom, and the United States
Abstract
The digital revolution has led to an unprecedented reliance on information and communications technology (ICT) services, which now underpin intricate systems that facilitate daily activities and bolster economies across key sectors. The extensive dependence on critical ICT third-party providers, combined with the interconnectedness of various market operators’ information systems, introduces and amplifies significant vulnerabilities and risks. Operational disruptions and major incidents affecting providers of ICT services can propagate rapidly across various sectors and beyond geographic borders.
Recent events have demonstrated the danger of these disruptions. In particular, the global information technology (IT) outage triggered by cybersecurity company CrowdStrike in July 2024 highlights the critical need for robust operational resilience frameworks and effective third-party risk management. On July 19, 2024, a software update from CrowdStrike relating to their Falcon sensor security software on Microsoft Windows triggered a ‘logic error,’ resulting in a system crash that rapidly escalated into a major global IT outage. This incident caused widespread disruption across various sectors, severely impacting numerous individuals and businesses around the world. The financial services sector was particularly hard hit, experiencing prolonged outages that disrupted payment systems and customer access to banking and financial services worldwide. Air travel also faced significant challenges, with thousands of flight cancellations and delays causing chaos at airports. During the morning rush hour, live train departure boards malfunctioned, and some media outlets lost their ability to provide live coverage. Additionally, the healthcare sector encountered substantial difficulties, including postponed surgeries, emergency services outages, and problems accessing patient records and scheduled appointments. Businesses globally faced major operational, logistical, and delivery hurdles. As details of the incident and its ramifications continue to emerge, affected businesses and organizations are gradually returning to full capacity while reviewing their responses and implementing key learnings to mitigate the risk of similar incidents in the future.
The global ripple effect of the CrowdStrike IT outage serves as a powerful reminder that no system is fully immune to disruptions in today’s digital world. This incident has highlighted the interconnectivity and concentration risk within the supply chain, exposing the fragility of the technology that underpins daily life. It has emphasized the critical need for stable and secure IT infrastructures, shedding light on the over-reliance of many organizations on a limited number of third-party IT providers.
For financial firms and markets, the CrowdStrike IT outage is a wake-up call about the operational risks of depending too heavily on a few third parties for critical banking and financial services. This incident emphasizes the importance of robust operational resilience, understanding software supply chain risks, and having solid business continuity plans, rapid response mechanisms, and effective disaster recovery strategies. Significantly, the CrowdStrike IT outage puts finance on guard as new regulations on operational resilience and third-party risk management loom in Europe and the United Kingdom, and regulatory scrutiny increases in the United States and other countries.
In recent years, financial authorities in Europe, the United Kingdom, and the United States have heightened their scrutiny and oversight of operational resilience and third-party risk management. These areas are crucial for ensuring the safety and soundness of financial institutions and maintaining overall financial stability. Regulators acknowledge the essential role of ICT services in banking and financial services and recognize that advancements in technology — such as software solutions, cloud computing, and data-related services — have become integral to the financial services value chain. While these technological advancements offer substantial benefits, they also create and magnify risks within the financial system. Disruptions in ICT services can spread quickly and severely impact financial stability and market integrity, potentially leading to systemic crises affecting the broader economy.
The EU Digital Operational Resilience Act (DORA), effective from January 2025, and the Financial Services and Markets Act (FSMA) 2023 in the United Kingdom, which empowers HM Treasury and the UK financial authorities to oversee critical third parties, highlight the focus of EU and UK regulators on operational resilience and third-party risk management in the financial sector. Concurrently, US regulators have begun issuing more specific guidance on operational resilience for the banking sector and are using their supervisory powers to monitor systemic third-party dependencies. Although the relevant guidelines have yet to be consolidated into a single regulatory framework in the United States, recent developments suggest that more stringent requirements and regulatory changes may be forthcoming.
In light of recent events and upcoming regulations, it is increasingly important for banks and financial firms to adopt robust strategies to manage risks and ensure their critical operations and financial services can endure and recover from disruptions. This involves effective planning, prudent investments, well-designed systems, and regular testing. Financial institutions are focusing on strengthening their internal governance and control frameworks, establishing clear roles and responsibilities, implementing effective internal controls, and developing comprehensive risk management processes. Promoting a culture of resilience and robust governance can further enhance organizational vigilance and preparedness.
Financial institutions must manage risks associated with third-party service providers effectively. This includes assessing their third-party risk strategies, identifying concentration risks, conducting thorough due diligence, and ensuring contracts include provisions for service level agreements, incident response, data protection, and recovery protocols. Relevant arrangements should be regularly reviewed and updated to comply with new regulations and should include clear security clauses that assign accountability and define remediation timelines. Regular assessments, audits, and tests are necessary to ensure third-party compliance and operational resilience, with diversification and alternative solutions to mitigate disruptions.
To bolster operational resilience, financial entities need to regularly test their ICT systems through penetration tests and vulnerability assessments. They should have robust incident response plans, simulate critical system unavailability, and continuously update these plans. Regular data backups, stored in multiple locations, and a failover plan for quick recovery are essential. Financial firms are adopting platform engineering principles to build resilient systems and are conducting more frequent audits to address challenges from technological and operational failures. Ensuring a shared understanding of risks, adopting adequate policies and budgets, and maintaining transparent communication with both customers and staff are crucial for effective risk management.
To efficiently oversee the highlighted risks, financial regulators in Europe, the United Kingdom, and the United States are increasingly adopting a macroprudential approach to operational resilience, evaluating the resilience of the entire financial system. By recognizing interconnections and dependencies and viewing the financial system holistically, regulators aim to enhance overall stability and robustness.
Regulations and standards for operational resilience are evolving to cover a broader range of stakeholders, including critical third-party providers. While financial firms remain accountable for managing risks from third-party arrangements, regulators are extending their oversight to these third parties to ensure their resilience and mitigate their impact on financial stability. Third-party providers of critical services are now expected to develop and maintain robust operational resilience frameworks and risk management practices, collaborating closely with financial clients to meet regulatory requirements. By imposing stringent requirements, regulators aim to ensure that third-party providers can effectively manage risks, recover from disruptions, and sustain continuous service delivery, thereby protecting the financial system and the broader economy from potential systemic risks.
Given the complexity of international and regional initiatives related to operational resilience and the systemic risks posed by critical third parties, strengthening global coordination among regulators is essential. Regulators in Europe, the United Kingdom, and the United States are actively participating in global regulatory efforts concerning critical service providers and operational resilience in the financial systems. They recognize the need to align requirements where feasible and to explore cooperative approaches with international counterparts. Coordinated regulatory efforts will help ensure the consistent application of resilience measures, prevent regulatory arbitrage, and minimize vulnerabilities. Enhanced international cooperation will also enable regulators to pool resources, share best practices, and address cross-border operational risks more effectively, thus better safeguarding the stability and integrity of financial systems and the broader economy.