The UK’s Financial Conduct Authority (FCA) has published its observations on how regulated firms responded to the global IT incident of July 2024. The incident has been widely reported as one of the most notable in recent history and had a major impact across the world. For the financial sector, it received particular attention from regulators, who have become increasingly focused on operational resilience and cyber risk in recent years. The incident was also timely, as firms in the UK are in the process of implementing new rules designed to enhance operational resilience and must have completed key activities under those rules by March 2025.
The FCA has published a statement reflecting on how firms responded to the July 2024 incident and sharing key lessons learned from the incident. The FCA found that firms who had followed the FCA’s operational resilience rules set out in PS21/3: Building operational resilience (“PS21/3”) were better prepared to prioritise restoration of their important business services and were able to communicate with customers and stakeholders effectively.
The FCA reminds firms that the mapping and testing exercises required under PS21/3 should be carried out by 31 March 2025.
On 19 July 2024, the cybersecurity firm CrowdStrike released a defective software update in a vulnerability scanner, causing millions of systems running Microsoft Windows to crash. The CrowdStrike software, which detects and responds to malicious threats, is used by many financial services firms for device protection, threat intelligence and incident response.
IT incidents of this scale have the potential to have a major impact on consumers and society at large. Fortunately, in this case the consumer impact in the financial services sector was minimal, although firms suffered varying degrees of operational disruption.
The FCA engaged with firms during and after the incident to understand the impact on firms and the market, operational responses, and recovery.
PS21/3 requires firms to:
Firms are expected to have conducted mapping and scenario testing exercises by March 2025.
PS21/3 is part of a package of rules introduced by the FCA, Bank of England (BoE) and Prudential Regulation Authority (PRA) to enhance operational resilience across the financial services sector, which also include:
Further reforms in this area are on the horizon—the Financial Services and Markets Act 2023 introduced powers for the regulators in relation to “critical third parties” (CTPs) to the UK financial sector. The FCA, PRA and the BoE issued a Discussion Paper (DP22/3), followed by a Consultation Paper (CP23/30) (which closed for consultation in March 2024), on the proposed regulatory regime. The proposals set out policy measures that aim to ensure the resilience of, and manage the systemic risks posed by, services provided by CTPs to financial services firms and financial market infrastructures (FMIs).
The FCA notes that it has seen a continued trend in third-party related incidents since the beginning of 2023, and that between 2022 and 2023 third-party related issues were the leading cause of operational incidents reported to it.
Through its engagement with firms during and after the incident, the FCA has observed that:
Key action points from the FCA’s detailed insights on the incident are:
Authored by Louise Crawford.
The FCA encourages all firms, regardless of how they were affected by the CrowdStrike incident, to consider the lessons coming out of it in order to improve their ability to respond to and recover from future disruptions.
If you would like to know more about the FCA’s expectations or have questions relating to operational resilience, please get in touch with our team.