Microsoft-CrowdStrike Outage: A Cautionary Tale and How DORA Can Help Financial Services Be Ready

Last week's global technology outage, triggered by a faulty CrowdStrike update that crashed Microsoft Windows systems, disrupted industries worldwide. Financial services were hit particularly hard, with banks and other institutions facing issues such as:

  • Limited Online Banking Access: Customers were unable to access online accounts, hindering transactions and creating frustration.
  • Mobile Banking App Outages: Banking apps became unusable, impacting users accustomed to on-the-go banking.
  • Disrupted ATM and Point-of-Sale Transactions: Technical glitches caused long queues and failed transactions at ATMs and point-of-sale systems.

These disruptions resulted in both financial losses and reputational damage for financial institutions. Lost productivity, transaction delays, and customer dissatisfaction can all take a toll.

The DORA Advantage: Building Resilience

While the recent outage served as a wake-up call, a European Union (EU) regulation called the Digital Operational Resilience Act (DORA) – already in force and applying from 17 January 2025 – offers a path forward for the financial sector. DORA aims to improve the industry's resilience against ICT (Information and Communication Technology) disruptions, whether they come from cyber attacks or from software malfunctions like this one.

I do not want to dive deep into the regulation here, but its five main pillars are worth listing, because they explain why adopting DORA matters:

  1. ICT Risk Management: DORA mandates a documented ICT risk management framework covering the identification of ICT assets and dependencies, protection and prevention, detection of anomalous activity, and response and recovery, including business continuity and backup policies.
  2. Governance and Oversight: DORA places ultimate responsibility for ICT risk on the institution's management body, which must approve the framework, allocate the budget for it, and keep its own knowledge of ICT risk up to date.
  3. Third-Party Vendor Risk Management: DORA recognizes the growing reliance on third-party vendors for critical ICT services. Financial institutions must keep a register of their contractual arrangements with ICT providers, assess concentration risk, and secure contractual rights such as audit access, service levels and exit strategies.
  4. Incident Reporting: DORA establishes clear requirements for classifying ICT-related incidents and reporting major ones to the relevant authorities. This allows regulators to identify trends and take appropriate action to address systemic risks.
  5. Testing and Continuous Improvement: DORA emphasizes the importance of regularly testing ICT systems and incident response plans, up to threat-led penetration testing for the largest firms. This helps identify weaknesses and ensures the effectiveness of risk management practices. Financial institutions should continuously improve their ICT risk management framework based on lessons learned from incidents and testing.

In terms of scope, the types of financial institutions DORA regulates include:

  • Credit and payment institutions
  • Electronic money institutions
  • Investment and insurance firms
  • Crypto-asset service providers
  • Alternative investment fund managers
  • Credit rating agencies
  • Audit firms
  • Crowdfunding service providers
  • Stock exchanges and clearing houses

Now, let's analyze how a DORA-compliant financial services company could have limited the damage from the outage. Compliance would not have stopped the faulty file from reaching its endpoints, but it changes how prepared the firm is when that happens. The regulation recognizes that firms are increasingly exposed through their supply chains, so DORA also brings critical ICT third-party providers (CTPPs) – including cloud, software, data analytics and data centre providers – under a direct oversight framework.

[Figure: Challenges of DORA Compliance (source: NCC Group)]

Before looking at what DORA changes, it is worth being precise about what failed. As far as is known, the outage was caused by a faulty update from the cybersecurity firm CrowdStrike that crashed Microsoft Windows systems:

  • CrowdStrike Falcon Sensor Software: CrowdStrike's Falcon platform provides endpoint detection and response (EDR). Its Windows sensor runs as a kernel-mode driver, which is why a fault in it takes down the whole machine rather than a single process.
  • Faulty Update: At 04:09 UTC on Friday, 19 July 2024 (the evening of Thursday, 18 July in US time zones), CrowdStrike pushed a content update to Windows hosts running the Falcon sensor. Unfortunately, the update triggered a defect in the sensor.
  • Logic Error: CrowdStrike described the failure as a "logic error" triggered by a sensor configuration update. The faulty component was a configuration (content) file consumed by the already installed, signed driver, not a new driver binary, so the sensor's existing code mishandled data it was not built to expect.
  • System Crash and Blue Screen: Because the fault occurred in kernel mode, Windows halted with the familiar blue screen of death (BSOD). The sensor loads early in boot, so many machines entered a boot loop and needed manual recovery, typically booting into safe mode to delete the offending file, which on BitLocker-protected disks requires the recovery key.

At the time of writing the exact cause of the logic error was still under investigation; CrowdStrike's later root cause analysis attributed the crash to the sensor's content interpreter reading past the end of its input array when a content file carried more fields than the interpreter expected. Either way, the episode highlights the importance of rigorous testing and staged rollouts before deploying updates, especially to security software that runs with kernel privileges.
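To make the failure mode concrete, here is an added example in C that is not CrowdStrike's code and does not describe the real Falcon file format. It models a toy "content interpreter" that loads a fixed-layout rule template from an untrusted update file. The file format, the constants (`CONTENT_MAGIC`, `EXPECTED_PARAMS`), and the sample updates are all constructed for the example. The point it shows is the check that contains this class of bug: an interpreter built to evaluate rules with exactly N inputs must reject a content file that declares a different number of inputs before any code indexes into the parameter table, and every parameter lookup stays bounds-checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-layout content format (constructed for this example):
 *   magic        4 bytes, little-endian
 *   param_count  4 bytes, little-endian
 *   params       param_count * 4 bytes, little-endian
 * This interpreter build evaluates rules with exactly EXPECTED_PARAMS inputs;
 * a content file must honour that contract or it is rejected outright. */
#define CONTENT_MAGIC   0x454C4643u
#define EXPECTED_PARAMS 20u
#define MAX_PARAMS      32u

enum load_result {
    LOAD_OK = 0,
    LOAD_BAD_MAGIC,
    LOAD_TRUNCATED,
    LOAD_PARAM_MISMATCH
};

struct rule_template {
    uint32_t count;
    uint32_t params[MAX_PARAMS];
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate an untrusted content blob before anything dereferences it.
 * Every check is made against declared sizes before the bytes are touched. */
enum load_result load_template(const uint8_t *buf, size_t len,
                               struct rule_template *out)
{
    if (len < 8)
        return LOAD_TRUNCATED;
    if (rd_le32(buf) != CONTENT_MAGIC)
        return LOAD_BAD_MAGIC;

    uint32_t declared = rd_le32(buf + 4);
    /* The contract check: a file carrying a different number of inputs than
     * this interpreter build expects is rejected, never partially consumed. */
    if (declared != EXPECTED_PARAMS)
        return LOAD_PARAM_MISMATCH;
    if (len < 8 + (size_t)declared * 4)
        return LOAD_TRUNCATED;

    memset(out, 0, sizeof *out);
    out->count = declared;
    for (uint32_t i = 0; i < declared; i++)
        out->params[i] = rd_le32(buf + 8 + (size_t)i * 4);
    return LOAD_OK;
}

/* Fetch the idx-th input for rule evaluation. The index is checked against
 * the loaded count rather than trusted from the caller or the rule. */
int get_param(const struct rule_template *t, uint32_t idx, uint32_t *val)
{
    if (idx >= t->count)
        return -1;
    *val = t->params[idx];
    return 0;
}

/* Build a constructed sample update with nparams parameters (values 1000+i).
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_update(uint8_t *buf, size_t cap, uint32_t nparams)
{
    size_t need = 8 + (size_t)nparams * 4;
    if (cap < need)
        return 0;
    wr_le32(buf, CONTENT_MAGIC);
    wr_le32(buf + 4, nparams);
    for (uint32_t i = 0; i < nparams; i++)
        wr_le32(buf + 8 + (size_t)i * 4, 1000u + i);
    return need;
}

int main(void)
{
    uint8_t good[8 + 20 * 4], bad[8 + 21 * 4];
    struct rule_template t;

    size_t n = build_update(good, sizeof good, 20);
    printf("20-parameter update: result %d\n", load_template(good, n, &t));
    /* A file declaring 21 inputs, one more than this build was written for. */
    n = build_update(bad, sizeof bad, 21);
    printf("21-parameter update: result %d\n", load_template(bad, n, &t));
    return 0;
}
```

Usage: the well-formed 20-parameter update loads with `LOAD_OK`, while the 21-parameter update is refused with `LOAD_PARAM_MISMATCH` before any value is copied, and `get_param` refuses index 20 on a 20-parameter template instead of reading past the table. The design choice is that the validator runs on the raw bytes and returns an error code; in a kernel driver, a rejected file should leave the previous known-good content in place rather than fault.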

With that picture, how adopting DORA's principles could have helped financial institutions navigate the Microsoft-CrowdStrike outage more effectively is fairly straightforward:

  • Business Continuity and Recovery: DORA requires tested business continuity plans, backup policies and recovery procedures. A DORA-compliant institution would have rehearsed the loss of a large part of its endpoint fleet, would know where its BitLocker recovery keys are and who is authorised to use them, and would have manual or alternative processes for critical operations such as branch and payment services while machines are restored.
  • Third-Party Vendor Risk Management: DORA mandates stricter oversight of critical vendors like CrowdStrike. In practice that means contractual requirements on how the vendor tests and rolls out changes (staged or canary deployments rather than a simultaneous global push), the institution's own staging of vendor updates where the product allows it, and an assessment of concentration risk when one agent runs with kernel privileges on every Windows host.
  • Cybersecurity and Incident Response Practices: DORA enforces a structured incident management process, including classification and reporting of major incidents. Practised response plans, clear internal communication and trained staff shorten the time between the first blue screen and a coordinated recovery.

Specific figures were not yet available at the time of writing. Early industry estimates ranged from single-digit billions of US dollars in direct losses for large enterprises to tens of billions in wider economic damage, with a significant share falling on the financial sector. Lost productivity, failed transactions and customer dissatisfaction all contribute to these losses.

Beyond DORA: Additional Considerations for Financial Institutions

While DORA provides a strong foundation for building operational resilience, financial institutions can take further steps to solidify their defenses:

  • Scenario Planning: Conducting regular "what-if" exercises that simulate various outage scenarios can help identify vulnerabilities and test recovery plans.
  • Industry Collaboration: Sharing best practices and threat intelligence with other financial institutions can strengthen the collective response to technological disruptions.
  • Investment in Innovation: Continuous investment in technologies such as cloud computing and automation can add flexibility and speed up recovery, provided the new dependencies they introduce are themselves covered by the same resilience planning.

By adopting a proactive and multifaceted approach, financial institutions can move beyond simply complying with DORA to becoming truly resilient organizations. This will not only safeguard them from future outages but also position them as leaders in an increasingly digital financial landscape.

Conclusions

The Microsoft-CrowdStrike outage serves as a stark reminder of the vulnerabilities within our interconnected technological world. However, DORA offers a roadmap for financial institutions to strengthen their defenses and emerge more resilient against future disruptions. By adhering to DORA's regulations, financial institutions can build stronger operational resilience. This translates to:

  • Reduced Downtime: Faster identification and resolution of disruptions, minimizing downtime and lost productivity.
  • Enhanced Customer Experience: Minimized service disruptions ensure a seamless banking experience for customers.
  • Improved Reputation: Demonstrating proactive risk management fosters trust and confidence in the financial institution.

Manuel Barragan

I help organizations in finding solutions to current Culture, Processes, and Technology issues through Digital Transformation by transforming the business to become more Agile and centered on the Customer (data-driven)

4 months

Agree, David Roldán Martínez. This outage underscores the critical need for robust IT resilience. DORA can be a powerful framework, but its success hinges on cultural shifts and a holistic view of technology risk.

Gerardo Guiguet

Personal Brand Producer and Strategist: I create the perfect stage for your success by integrating method, talent and technology. Focus on what is essential, develop your value, impact lives and live the life you deserve.

4 months

What happened helps us understand how much we depend on technology. Fortunately, there is a lot of purpose-driven talent to move forward on these challenges. What is sometimes missing is investment, since we think nothing will happen to our own little corner... until it does. Regards, David Roldán Martínez. One day at a time, with gratitude and always forward.

The root cause of the CrowdStrike disaster: Microsoft driver certification bypass. Explained here in Spanish: https://lnkd.in/dqXzUKex Technical details in English: https://lnkd.in/dgu9m_Hq
