FIN.

FCA publishes lessons for operational resilience post-CrowdStrike

The FCA has published its observations and key lessons from how firms responded to the July 2024 CrowdStrike outage, and their preparedness to respond to future incidents.

The FCA noted that it has seen a continuing trend of third-party incidents, which were the leading cause of operational incidents reported to it between 2022 and 2023. In terms of next steps to ensure infrastructure resilience, third-party management, and effective incident response and communications, the FCA highlighted that firms:

  • should ensure adequate testing of updates before deployment and consider phasing releases across user groups to support containment of any failures.
  • may benefit from reviewing third-party management frameworks regularly, and after significant events or incidents, to improve the effectiveness of third-party risk controls.
  • may consider making communications more efficient through pre-approved communication templates, preparation of service status pages, banners, or other communication formats accessible to stakeholders.
  • may benefit from ensuring third-party contracts clearly set out responsibilities for service monitoring, incident notification and timely updates, during and after incidents, to enable effective incident response where service providers are affected.
  • may consider conducting a post-incident review following a significant disruption or any event that affects the market. This would include a review of the overall effects to determine if any changes are needed to your important business services or impact tolerances, for example, the need to classify a service as an important business service, or revise impact tolerances.
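The first point above, phasing an update across user groups so that a failure is contained before it reaches the whole estate, is the one item in the list that describes a concrete control. The following is an added illustration of that control, not FCA guidance or any vendor's deployment code: a ring-based rollout that deploys to the smallest, least critical group first, checks the health signal for that ring, and halts and rolls back as soon as the failure rate exceeds a threshold. The ring names, ring sizes, the 2% threshold and the health results are all constructed for the example.

```python
"""Phased (ring-based) rollout with automatic halt and rollback.

Added example illustrating "phasing releases across user groups to support
containment of any failures". Everything here is hypothetical: the rings,
their host counts, the failure threshold and the health-check results.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical deployment rings, ordered from smallest / least critical to
# the full estate, with constructed host counts per ring.
DEFAULT_RINGS: List[str] = ["canary", "pilot", "broad", "all"]
RING_SIZES: Dict[str, int] = {"canary": 20, "pilot": 200, "broad": 2000, "all": 20000}

# A health check returns the fraction of hosts in a ring that report
# unhealthy after receiving the given version (0.0 = all healthy).
HealthCheck = Callable[[str, str], float]


@dataclass
class RolloutState:
    version: str
    reached: List[str] = field(default_factory=list)  # rings that ever got it
    active: List[str] = field(default_factory=list)   # rings still running it
    failure_rates: Dict[str, float] = field(default_factory=dict)
    halted_at: Optional[str] = None
    rolled_back: bool = False


def phased_rollout(
    version: str,
    health_check: HealthCheck,
    rings: List[str] = DEFAULT_RINGS,
    max_failure_rate: float = 0.02,
) -> RolloutState:
    """Deploy ring by ring; stop and roll back at the first ring that fails."""
    state = RolloutState(version=version)
    for ring in rings:
        # Deploy to this ring only; later rings have not been touched yet.
        state.reached.append(ring)
        state.active.append(ring)

        # Gate on the health signal before widening the blast radius.
        rate = health_check(ring, version)
        state.failure_rates[ring] = rate
        if rate > max_failure_rate:
            state.halted_at = ring
            # Roll back every ring that received the update; untouched rings
            # were never exposed, which is the whole point of phasing.
            state.active.clear()
            state.rolled_back = True
            return state
    return state


def hosts_exposed(state: RolloutState, sizes: Dict[str, int] = RING_SIZES) -> int:
    """Number of hosts that ran the version at any point (the blast radius)."""
    return sum(sizes[r] for r in state.reached)


if __name__ == "__main__":
    # Constructed scenario: the update breaks hosts everywhere it lands.
    def bad_update(ring: str, version: str) -> float:
        return 0.95

    result = phased_rollout("2.0.1-constructed-bad", bad_update)
    print(f"halted at {result.halted_at}, rolled back={result.rolled_back}, "
          f"exposed {hosts_exposed(result)} of {sum(RING_SIZES.values())} hosts")
```

Run as a script, the constructed bad update is stopped at the canary ring, so 20 hosts are exposed rather than all 22,220. The design point is that the health check runs between rings, not after the whole deployment, and that the halt condition triggers rollback only for rings that were actually reached.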

Laura Wiles