
CrowdStrike Incident Tests Operational Resilience


In an ironic twist of fate, the cybersecurity company CrowdStrike, best known for protecting systems from digital threats, recently became the source of a widespread operational resilience event when a routine update to its Falcon Sensor security software crippled approximately 8.5 million Microsoft Windows systems worldwide, including those of major banks and investment firms.

Operational resilience in banking and capital markets is the focus of multiple regulatory updates currently being rolled out across the various jurisdictions. In the EU, the Digital Operational Resilience Act (DORA) came into force in January and in-scope firms will come under supervision beginning January 2025. For a concise overview of DORA and its new obligations see this recent guest article from Broadridge at A-Team Insight.

The CrowdStrike incident offers a timely case study for firms as they upgrade and evaluate their operational resilience frameworks to meet the new obligations required by DORA and other regulatory updates.

Regulatory oversight of disaster recovery (DR) planning and business continuity planning (BCP) has been in place for decades. But as markets have become increasingly digital and interconnected, new sources of operational risk have emerged in the form of cybersecurity threats, and in turn regulators have been updating their compliance obligations.

DORA is the most comprehensive and prescriptive (rules-based) set of operational resilience obligations yet to come into force. Other jurisdictions have tended to be principles-based rather than rules-based, offering recommendations that define expectations in terms of standards and best practices.

DORA is based on five pillars, each of which is covered to some extent by existing or emerging regulations in the other jurisdictions.

Information and Communication Technology (ICT) Risk Management

ICT risk management is a cornerstone of operational resilience, focusing on identifying, assessing, and mitigating risks associated with critical IT functions. The FCA has published Operational resilience: insights and observations for firms that lays out feedback and advice on the obligations firms under its jurisdiction must meet by the end of March 2025.

ICT Risk Management under DORA requires that financial entities implement comprehensive ICT risk management frameworks. These frameworks must include mapping ICT systems, identifying critical assets, conducting continuous risk assessments, and establishing business continuity plans. Senior management will be held accountable for ensuring these measures are in place and effective.

Incident Management and Reporting

Effective incident management is crucial for minimizing the impact of disruptions on financial entities. The UK’s Prudential Regulation Authority (PRA) outlines requirements for firms to develop and maintain incident management frameworks that enable rapid identification, classification, and resolution of ICT-related incidents. This includes establishing clear communication channels and reporting mechanisms to ensure timely response and recovery.

In the EU, DORA mandates that financial entities implement robust incident management processes. Firms must classify incidents based on their severity, report significant incidents to the relevant authorities, and conduct post-incident reviews to improve their resilience frameworks. This proactive approach helps mitigate the impact of disruptions and enhances the overall stability of the financial system.

Resilience Testing

Digital resilience testing involves evaluating the robustness of ICT systems through regular assessments and simulations. The CBEST guiding framework from the PRA is a targeted assessment that allows regulators and firms to better understand weaknesses and vulnerabilities and take remedial actions, thereby improving the resilience of systemically important firms and by extension, the wider financial system.

In line with the growth of threat-led penetration testing frameworks around the world, CBEST remains a highly effective regulatory assessment tool that can be conducted on a cross-jurisdictional basis with other international regulators and frameworks.

In the EU, DORA introduces requirements for digital resilience testing, including advanced testing methodologies like Threat-Led Penetration Testing (TLPT). Financial entities are required to conduct these tests periodically (at least every three years) to identify and address weaknesses in their ICT infrastructure and ensure they can withstand and quickly recover from cyber incidents and other operational disruptions.

Managing Third-Party Risk

The FCA and PRA have set out guidelines for firms to assess and manage risks associated with third-party relationships, including contractual obligations, performance monitoring, and contingency planning.

DORA places significant emphasis on third-party risk management, requiring financial entities to ensure that their ICT service providers meet resilience standards. This includes conducting due diligence before engaging third-party services, establishing clear contractual terms, and maintaining oversight throughout the relationship. Firms must also have exit strategies in place to mitigate risks associated with the sudden loss of critical third-party services.

Information and Intelligence Sharing

Information sharing is a critical component of operational resilience, enabling financial entities to stay informed about emerging threats and best practices. The Financial Stability Board (FSB) encourages cross-border cooperation and information exchange to enhance global financial stability. This involves sharing threat intelligence, incident reports, and resilience strategies among financial institutions and regulatory bodies.

In the EU, DORA promotes information sharing as a means to enhance the collective resilience of the financial sector. Financial entities are encouraged to participate in information-sharing arrangements to gain insights into cyber threats and operational risks. This collaborative approach helps firms improve their resilience frameworks and better protect against systemic disruptions.

Under DORA, the CrowdStrike event would be a reportable incident. Details of exactly what went wrong are still emerging. It serves as a valuable case study for firms scenario-testing their ICT risk management frameworks against this type of systemic event.
