UK finance firms told to beef up buffers against CrowdStrike-like events

LONDON (Reuters) – Financial companies in Britain must prepare to ensure they can deliver business services in “severe but plausible” scenarios, such as a global tech outage, to minimise any impact on consumers and markets, the markets regulator said on Thursday.

In a statement outlining what lessons could be learned after U.S. cybersecurity firm CrowdStrike’s botched software update caused global chaos in July, the Financial Conduct Authority (FCA) said unregulated third-party problems were the leading cause of operational incidents reported between 2022 and 2023.

CrowdStrike’s popular core technology, the Falcon platform, detects and responds to malicious threats. But an outage on July 19 led to worldwide flight cancellations and hit industries including banks, healthcare, media companies and hotel chains.

The FCA, which checked in with firms over the incident to understand its impact, said consumer harm had been minimal. However, it said companies had until March 2025 to ensure they could withstand such events.

It called on companies to consider a series of steps, including ensuring that testing scenarios were adequate, improving third-party risk controls and ensuring contracts clearly set out responsibilities for service monitoring, incident notification and updates during and after incidents.

“We encourage all firms, regardless of how they were affected by the CrowdStrike incident, to consider these lessons, to improve their ability to respond to and recover from future disruptions,” the FCA said.

(Reporting by Kirstin Ridley; Editing by Emelia Sithole-Matarise)