CrowdStrike outage spurs rethink on ‘critical’ vendors

Some want US regulators to designate tech firms that pose risks to financial stability


CrowdStrike was not generally deemed a critical vendor by bank risk teams before last month’s outage—though some now think it perhaps should have been.

“While the assessment of criticality varies by company, CrowdStrike is often seen as a lower-tier vendor,” says a chief information security officer (Ciso) at a large global bank. “What happens with this type of security company is that we see them as utilities and never think of them going down. But in reality, they have the ability to basically turn our computers into useless pieces of hardware and cause widespread disruptions, as the incident showed. So, I think our definitions of ‘critical’ vendors have to change.”

This is not the first time the financial industry’s classification of critical vendors has been called into question. Ion Group, which last year suffered a ransomware attack that disabled some of its services and initially raised systemic risk fears, also wasn’t deemed a critical vendor by most banks.

In an ironic twist, Ion is understood to have deployed an endpoint detection system from CrowdStrike as part of its response to the cyber attack—though there is no indication that the faulty software update disrupted Ion’s services.

Mario Claeys, founder of consultancy Clearing Management & Exchange Solutions, says banks may need to rethink their approach to identifying critical vendors in light of recent events.


“There are probably other applications besides CrowdStrike that are not considered ‘critical vendors’ but can still cause the entire industry to crash completely,” he says.

Not everyone agrees changes are necessary, however. “I don’t know any operational resilience framework that could have necessarily prevented this CrowdStrike incident from happening. This is a demonstration of the risks that we probably have to accept,” says Nathaniel Lalone, a partner at the law firm Katten Muchin Rosenman.

Others say the financial industry’s operational resilience frameworks held up during the CrowdStrike outage and could even serve as a model for other industries.

“Given the lack of impact of the CrowdStrike issue on the financial industry, I doubt there’s going to be much reform needed,” says Michael Berman, chief executive at risk and compliance software vendor Ncontracts. “I think other industries, like healthcare and aviation, might pick up what the financial industry has done, because of the robust posture financial organizations already have due to the guidance and regulations that exist for third-party risk that aren’t really in other industries.”

Impossible task

Bank risk managers, though, remain frustrated by the posture of US regulators, who have put the onus entirely on individual banks to monitor critical vendors at all levels—a responsibility that a head of operational risk at a second global bank describes as “extremely hard to manage”.     

Regulatory guidance issued last year in the US further complicates matters, banks say, by leaving the definition of critical vendors vague and open to interpretation. Third-party service providers are deemed critical if their failure to meet expectations would cause a bank to face significant risk, or significantly impact a bank’s financial condition, operations or customers. 

Part of the problem, banks say, is that some of the most critical vendors serve as suppliers to the industry’s core data and technology providers and have no direct relationship with banks themselves. 

While some banks had CrowdStrike software directly installed on their systems, many more were indirectly affected by outages at their direct vendors. Rates trading was disrupted when TP Icap’s pricing streams for government bonds and swaps went down, while some banks also lost access to Bloomberg’s fixed-income trading platform, BBTI, and market data feeds.

Bloomberg confirmed to Risk.net that some clients were unable to access its Terminal and “other services” due to the issues with CrowdStrike.  

Risk.net also understands that HR provider Ceridian and some other software-as-a-service applications used by banks also experienced disruptions.

Given the sheer number of suppliers to firms such as Bloomberg and TP Icap, banks say identifying, assessing and continuously monitoring the critical vendors of their vendors—known as fourth parties—is a near-impossible task.
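The fourth-party problem described above, and the later calls for a map of dependencies across the ecosystem, come down to a graph question: for each supplier, however many tiers removed, which banks are reachable through the chain of dependencies? As an added example, not code from any bank, vendor or regulator named in this article, the Python below walks a constructed, hypothetical dependency graph (the vendor and bank names are placeholders and imply nothing about the real firms mentioned in the text) in reverse to find which suppliers reach the most banks and at what tier, handling the mutual dependencies that occur when, say, a security vendor runs on a cloud host that in turn runs that vendor's agent.

```python
"""Transitive vendor-dependency walk (constructed example for this article).

Edges mean "x depends on y". Banks sit at the top; third parties are one hop
away, fourth parties two hops, and so on. The walk is done over the reversed
graph so that a cycle between suppliers (common in practice) cannot loop.
All names below are hypothetical placeholders.
"""
from collections import defaultdict, deque

# Constructed sample data: who depends on whom. Not real vendor relationships.
DEPENDENCIES = {
    "BankA": ["PricingVendor", "MarketDataVendor", "EndpointSec"],
    "BankB": ["PricingVendor", "HRSaaS"],
    "BankC": ["MarketDataVendor", "HRSaaS"],
    "PricingVendor": ["EndpointSec", "CloudHost"],
    "MarketDataVendor": ["EndpointSec", "CloudHost"],
    "HRSaaS": ["CloudHost", "EndpointSec"],
    "CloudHost": ["EndpointSec"],   # the host runs the endpoint agent ...
    "EndpointSec": ["CloudHost"],   # ... and the agent's backend runs on the host
}
BANKS = frozenset({"BankA", "BankB", "BankC"})


def reverse_graph(deps):
    """Map each supplier to the set of nodes that depend on it directly."""
    rev = defaultdict(set)
    for node, suppliers in deps.items():
        for supplier in suppliers:
            rev[supplier].add(node)
    return rev


def affected_banks(supplier, deps=DEPENDENCIES, banks=BANKS):
    """Banks reachable from `supplier` by following 'is depended on by' edges.

    Breadth-first with a visited set, so cycles among suppliers terminate.
    """
    rev = reverse_graph(deps)
    seen, queue, hit = {supplier}, deque([supplier]), set()
    while queue:
        node = queue.popleft()
        for dependent in rev.get(node, ()):
            if dependent in seen:
                continue
            seen.add(dependent)
            if dependent in banks:
                hit.add(dependent)
            queue.append(dependent)
    return hit


def dependency_tier(bank, supplier, deps=DEPENDENCIES):
    """Fewest hops from bank to supplier: 1 = third party, 2 = fourth party.

    Returns None when the bank has no path to the supplier at all.
    """
    dist = {bank: 0}
    queue = deque([bank])
    while queue:
        node = queue.popleft()
        for nxt in deps.get(node, ()):
            if nxt in dist:
                continue
            dist[nxt] = dist[node] + 1
            if nxt == supplier:
                return dist[nxt]
            queue.append(nxt)
    return None


def concentration_report(deps=DEPENDENCIES, banks=BANKS):
    """Rows of (supplier, banks affected, nearest tier), most concentrated first."""
    suppliers = {s for sups in deps.values() for s in sups} - set(banks)
    rows = []
    for supplier in sorted(suppliers):
        hit = affected_banks(supplier, deps, banks)
        tiers = [dependency_tier(b, supplier, deps) for b in hit]
        rows.append((supplier, len(hit), min(tiers) if tiers else None))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for supplier, n_banks, tier in concentration_report():
        print(f"{supplier:18} banks_affected={n_banks} nearest_tier={tier}")
```

In the constructed data, CloudHost is never a direct vendor of any bank (nearest tier 2) yet reaches all three banks, which is exactly the kind of supplier a per-bank, third-party-only review misses. The walk itself is trivial; the hard part in practice is obtaining the edges, which is the transparency on vendors' own dependencies that the article's sources are asking for.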

The fourth wall

Some argue an industry-wide response is needed.

“I wouldn’t necessarily focus on discussing whether we should consider CrowdStrike critical,” says Nita Kohli, a board adviser at Interos, a supply chain risk management company, and former global head of enterprise resilience at Citi. “The broader question is, should we more closely examine our fourth-party providers, assess their level of dependency across the ecosystem, and have some designation of criticality on an industry level against them akin to how we treat financial market utilities?”   

Bank risk managers would like to see US regulators follow the lead of their European counterparts, who are preparing to publish a list of third-party service providers that are deemed to pose a systemic risk to the region. The European Union’s Digital Operational Resilience Act grants regulators the power to demand information from these critical third-party vendors, assess their security and resilience, and ultimately penalize firms that fail to comply.

The US Bank Service Company Act grants the Office of the Comptroller of the Currency similar powers to regulate and examine third-party service providers of banks, though the agency has given no indication that it intends to use that authority.

The list of critical vendors currently being drawn up by EU authorities was not initially expected to cover cyber security software providers, though some think the CrowdStrike outage may change that. “This was a system outage with no evidence of data compromise. But it is a wake-up call that if this was a cyber event, it would have been catastrophic in terms of data compromise, considering how much access CrowdStrike has to organizations’ systems,” says the operational risk head at the second global bank. “So, I am sure regulators will be looking at the concentration of vendors, including CrowdStrike and cloud providers.”

The Ciso at the first global bank says regulators should go even further and issue an industry-level list of critical fourth-party vendors: “We need to take a very close look and ask: ‘What are the software companies we’re using? How many of them have the ability to change configurations? How many of them can cause widespread problems if they falsely patch their system?’”

That would be a huge undertaking and will require close collaboration between regulators and practitioners to identify dependencies across the system, the Ciso adds.

Kohli at Interos, though, cautions against going too far. Not all vendors are equal, she says, even if they are in the same category, and it would not be reasonable to classify all cyber security software providers as critical vendors just because the CrowdStrike update caused widespread disruptions.

“If managed at an industry level where there is an increasing level of exposure to systemic risk and contagion, the number of vendors on the critical fourth-party list is not going to be 1,000 nor 100. It should be in the 10s,” says Kohli. 

“There needs to be more transparency on dependencies that vendors and third parties have,” she adds. “That will help [banks to] understand the interconnectivity and manage risk more effectively.”
