Crisis plans against third parties: lessons from the CrowdStrike incident
On October 31, 2024, the UK Financial Conduct Authority (FCA) published key lessons from responses to CrowdStrike’s faulty security software update, highlighting the vulnerability of organizations to third-party failures and making recommendations to improve organizational resilience.
The CrowdStrike incident in July 2024 caused systems to crash, leading to widespread disruption and global impacts on numerous organizations. It was reported that 8.5 million devices were affected worldwide and that the incident exposed critical infrastructure vulnerabilities, leading to operational challenges and financial losses estimated between $540 million and $1.08 billion. Its widespread impact underscored the vulnerability created by reliance on third-party suppliers and the worldwide repercussions of numerous organizations depending on a few major technology providers for essential services.
Third-party supplier failure: a top reason for crisis management plan activation
The FCA report stresses the importance of UK firms becoming operationally resilient in line with incoming legislation, but it also highlights the vulnerability created by organizations’ reliance on their third-party suppliers, whatever the region, sector, or size. This point is underscored by the BCI Crisis Management 2024 Report, which found that third-party failure was the second most common driver of crisis management plan activation over the past 12 months. With over three-quarters of organizations triggering their crisis management plans this year, it is a key risk that organizations must address to ensure resilience.
Boosting crisis management
Both the FCA and BCI reports demonstrate that resiliency considerations within third-party supplier management continue to be vitally important in 2024. Organizations must develop strategies to ensure continuity during and after disruptive events.
These strategies can include boosting awareness of the implications of third-party failure across all tiers of the supply chain, so that senior leadership does not let this issue fall off the radar. Organizations can also become more resilient through third-party risk assessments. The FCA report revealed that firms which had identified and mapped their essential business services, along with the resources needed to support them, were better equipped to restore key services quickly.
Pre-planned and exercised crisis communication plans, developed in conjunction with third-party suppliers, are another essential strategy. A key insight from BCI’s Crisis Management Report is the critical need for collaboration in managing crises, as no single organization can address such challenges alone. The report found that the vast majority of organizations considered external communications and PR in their crisis response. However, an interviewee noted that in some cases the scale of a crisis could mean an organization loses control over its response, highlighting the need to collaborate with suppliers to articulate a better crisis response. The growing significance of collaboration is reflected in heightened concerns about avoiding reputational damage during crisis management, making effective external communications a top priority in crisis management this year.
Implementing a multilayered strategy
The CrowdStrike incident serves as an example of third-party failure with wide-ranging consequences. However, the Crisis Management Report also identifies a variety of other triggers that activated plans over the past 12 months, including extreme weather events, cyber-attacks, and civil unrest. All of these highlight the necessity for adaptable, multilayered strategies with a centralized structure that streamlines decision-making and ultimately enhances resilience.
The full BCI Crisis Management 2024 Report examines the top reasons for crisis management plan activation, the impacts, outcomes, and mitigation strategies, plus much more. We extend our thanks to F24 for their generous support in sponsoring this research.
CrowdStrike outage: lessons for operational resilience | FCA