The focus is on third-party risk management

Following the CrowdStrike IT outage, new research has uncovered a critical gap in the supply chain resilience of financial institutions. The outage has underlined how dependent critical sectors such as financial services have become on their digital supply chains, and how little margin they have when a single supplier fails.

[Figure: Risk management for third parties. Overview of the differences in approaches for on-premise and cloud applications (Source: report by Escode and CeFPro)]

However, despite strong pressure from financial regulators to embed third-party risk management at every level of the organisation, only a minority of financial institutions currently meet the legal requirements for it.

Only 20.8 percent of financial professionals say that most of their contracts with third parties, including software suppliers, include stressed exit plans (plans for leaving a supplier under adverse conditions such as an outage, a breach or the supplier's insolvency), according to a report by Escode and CeFPro.

As financial services become increasingly reliant on complex third-party IT ecosystems, the risk posed by supplier disruptions has grown. Regulators around the world, from the Bank of England to the Office of the Comptroller of the Currency, have issued guidance to strengthen third-party risk management and, with it, the operational resilience of the financial sector as a whole.

One of the most comprehensive examples is the European Union's Digital Operational Resilience Act (DORA), which requires financial entities to maintain exit strategies for ICT third-party services that support critical or important functions, so that a supplier failure (from a cloud outage to the insolvency of a software vendor) cannot bring large parts of the financial services sector to a halt.

But despite this global regulatory push (DORA applies from January 17, 2025), the new survey suggests the industry is not yet prepared. Only a fifth of professionals surveyed worldwide said they had stressed exit plans for 76-100% of their licensing agreements, while just under half said they had them for only 0-10% of agreements. Only 18.7% of respondents expressed "full confidence" in their current stressed exit plans for third parties.

The findings come at a time when supply chain failures can cause financial institutions severe material damage.

In May, around 500,000 members of the Australian superannuation fund UniSuper were unable to access their accounts after a Google Cloud misconfiguration, which Google described as a "one-of-a-kind" occurrence, led to the deletion of the fund's private cloud subscription.

“The financial industry is facing a pivotal moment to strengthen its supply chain management practices. Regulatory pressures are mounting – creating challenges that burden institutions and their customers. It is troubling that there is still significant variation in the industry’s approach to third-party governance – especially in light of events like the CrowdStrike outage. As these institutions become increasingly digitally dependent, often on a number of third-party providers, steps must be taken to mitigate the impact of disruptions at any point in the supply chain,” said Wayne Scott, Regulatory Compliance Solutions Lead at Escode.

“The fact that only a fraction of institutions have robust exit plans in place in the event of a crisis is truly worrying. It’s not about ignoring recommendations, but rather about better supporting and training on these important measures. This can be done, for example, by ensuring access to key information in the event of supplier failures and rigorous scenario testing to identify vulnerabilities, or using escrow arrangements when working with software suppliers, which regulators recognise as ‘actively considering’ in their recommendations. It’s about taking a preventative, detective approach – ultimately the only way the industry can withstand the increasingly complex risk landscape it faces.”
