CrowdStrike Incident Reinforces Importance of Revisiting BCPs

In July, cybersecurity vendor CrowdStrike released a faulty software update, which was estimated to have affected 8.5 million Windows devices. This resulted in a seismic breakdown in critical systems, demonstrating the interconnected nature of our global system—including global cloud providers, software platforms, security vendors, software vendors, and customers. Although various trade outages were reported, they were luckily resolved.

Although the financial services industry seems to have avoided major disruption from this incident, it should serve as a strong reminder for firms to ensure they have proper steps in place to 1) prevent, and 2) swiftly mitigate a potential business continuity-related outage, should it occur.

What does this mean for me?

First, advisers should compile a list of key systems. For each key system:

  1. Evaluate alternative vendors.
  2. Confirm data is backed up.
    • Does the vendor back up data, specifically the firm’s data? If so, how often?
    • Consider if the firm needs an independent backup.
    • An independent backup process may need to be implemented for key systems and cloud service providers, regardless of whether such vendors have their own backup processes in place. In determining whether your firm should implement an independent backup process, consider obligations under the Books and Records Rule and the criticality of the information. During widespread events like the CrowdStrike outage, firms may be unable to obtain prompt support from the vendor, which could delay access to data.
  3. Test your response process through annual tabletop exercises or simulations.

Firms should also review their business continuity plans (BCP) and disaster recovery plans (DRP) on a routine basis to ensure they provide adequate guidance to respond. Additionally, firms should ensure both plans cover the firm’s key systems.

As a general best practice, firms should always be prepared to respond to SEC Examiners regarding BCP and DRP testing. Consider the following questions:

  1. Please provide the date of the most recent succession plan review and business continuity testing.
  2. Please provide documentation to evidence your BCP test.
  3. What actions have you taken since the last event / incident to mitigate similar events from occurring in the future?

Advisers are already facing mounting cybersecurity rules, including Regulation S-ID and recently amended Regulation S-P. Although the proposed Cybersecurity Risk Management Rule has not yet been finalized, cybersecurity-related items have already appeared on SEC Exams, so firms should treat components of the rule as best practices.

If you have any questions or would like to speak with a regulatory expert about your cybersecurity program, let us know.