top of page
Search

Learning from the CrowdStrike and Microsoft Global Outage: A Crucial Lesson for Registered Investment Advisory Firms


The recent global outage caused by a faulty CrowdStrike update, which affected Microsoft Windows systems worldwide, serves as a critical learning opportunity for firms. In the financial industry, this incident disrupted several major institutions, highlighting vulnerabilities in business continuity plans (BCPs) and understanding vendor contracts. Read on as this article explores the impacts on firms and provides actionable steps to strengthen BCPs and overall cybersecurity.


Impact on Business Continuity Plans


The CrowdStrike and Microsoft global outage presented a significant challenge to some firms, disrupting various operational aspects. Some firms faced trading interruptions, requiring order placements via phone calls to brokers. The manual process potentially both delayed trades and increased the risk of errors. Identifying which systems were impacted during this period is essential for highlighting areas where BCPs need improvement. Furthermore, firms can use the incident to document a live test of their operational resiliency, assessing not only the services and technology used but also the impact on key staff who may have been stranded or unable to perform their duties due to travel disruptions.

 

Documenting that your firm experienced no trading or other business interruptions is also a valuable part of live testing. Not only does this demonstrate to regulators that a BCP test was performed, but more importantly, it shows the strength of the firm's operational resiliency, the effectiveness of workflow processes, and the due diligence of service providers.


Although some brokerage services were affected, not all were. This disparity could be due to differences in their IT infrastructure, reliance on specific software, or how they integrate with third-party services like CrowdStrike. Firms might have had excellent BCPs and due diligence in place but may not have been able to predict which brokers would experience issues. However, the lessons learned from this incident can help improve future preparations.

 

Firms should also consider evaluating and updating vendor contracts to ensure clarity on responsibilities during such incidents. 

 

Lessons Learned and Actions to Take


The CrowdStrike and Microsoft global outage underscore the importance of thorough testing and diligent management of BCPs. To strengthen your firm's resilience and preparedness, consider the following actionable steps:


Testing: Establish a comprehensive testing plan for new services, technology implementations, and internal system updates. This should include both automated and manual testing, as well as real-world scenario simulations.


Incident Document Response: Record the firm’s response to the outage, including any delays, errors, or manual processes employed. This provides valuable insights for improving continuity plans.


Review Advanced Automated Updating: Avoid overreliance on automatic updates. Implement a review process to assess updates, particularly from critical vendors.


Due Diligence on Vendors: Conduct thorough initial and ongoing due diligence on vendors. Regularly engage with vendors to understand their continuity plans and ensure they demonstrate preparedness.


Run Systems Dually: If changing systems or implementing new ones, run them in parallel with the old systems for a period of time to ensure stability and reliability.


Review Contracts and Materials: Carefully review contracts and materials from vendors. Understand how incidents are reported and what the vendor's responsibilities are during outages.


Consult Legal Experts if necessary: Understand the implications of vendor contract clauses and potential liabilities. Ensure you are prepared to address client losses and explore legal avenues.


Communicate Transparently: Keep clients informed about the incident, its impacts, and the steps being taken to mitigate future risks.


Backup Plan: Develop a robust backup plan for critical systems. Review and test this plan regularly to ensure it is effective and can be implemented quickly in an emergency.


By incorporating these steps into your firm's practices, you can enhance operational resilience and better prepare for future disruptions. The incident serves as a reminder that preparation for the next disruption is crucial, as such events are inevitable.


If you would like specific compliance education, training, and services to help with your compliance program or project, please contact Coulter Strategic Services.


Check out Coulter Strategic Services' growing collection of training resources. Including IARCE. Visit today and stay tuned for new training resources.


All information provided is for educational purposes and shall not be construed as specific advice.  The information does not reflect the view of any regulatory body, State or Federal Agency or Association.  All efforts have been made to report true and accurate information. However, the information could become materially inaccurate without warning. Not all information from third-party sources can be thoroughly vetted.  Coulter Strategic Services and its staff do NOT provide legal opinions or legal recommendations. Nothing in this material shall be considered as legal advice or opinion. 


24 views0 comments

Recent Posts

See All

Commentaires

Noté 0 étoile sur 5.
Pas encore de note

Ajouter une note
bottom of page