Crowdstrike's outage highlighted a technology risk outside the more widely discussed cyber-security risks: third party supplier reliance. This dependency risk is well-recognised in the financial sector where participants and regulators are continually challenged to further mitigate digital supply chain risk.
The scale of disruption caused by the Crowdstrike outage generated worldwide attention, which we expect will echo into further regulatory scrutiny on the financial sector’s third party supplier risk in New Zealand and globally.
Regulatory response
Even before Crowdstrike, 2024 had seen a notable increase in regulator concerns about digital supply chains.
- The Basel-based Bank for International Settlements (BIS) is reconsidering its 2005 advice on use of third-party service providers (TPSPs) noting that “ongoing digitalisation has led to a rapid adoption of innovative approaches, which has increased banks’ dependency on TPSPs for services that banks had not previously undertaken”. The consultation emphasises “appropriate risk management of banks’ TPSP arrangements, supply chain (ie nth parties) and concentration risk arising therefrom” to “enhance banks’ ability to withstand, adapt to and recover from operational disruption and thereby mitigate the impact of potentially severe disruptive events”.
- FINMA (the Swiss equivalent of the Financial Markets Authority) published new guidance in June 2024, including findings from its supervisory role and scenario-based cyber risk assessments.
- The US National Institute of Standards and Technology (NIST) published version 2.0 of its Cybersecurity Framework in February this year, increasing the focus on supply chain risk management. The Reserve Bank of New Zealand (RBNZ) expressly referred to the NIST framework in developing its own cyber-resilience guidance.
- The RBNZ recently completed a cyber resilience review and imposed mandatory cyber resilience reporting on regulated entities from April this year. The RBNZ also imposes strict outsourcing rules on New Zealand’s largest banks. These outsourcing rules came into full effect in late 2023.
The regulatory challenge
Since the 2008 Global Financial Crisis triggered by sub-prime mortgage failures, financial sector regulators have focussed on trying to identify risks seeping through the global financial system, creating single points of failure and threatening financial stability.
The digital supply chain is one such growing risk. Increasing interconnectedness comes with direct and indirect reliance on hundreds of thousands of different providers and pieces of software.
The FINMA findings have reverberations for New Zealand. FINMA noted that over the last several years, more than 50% of all successful attacks on supervised entities originated within the entity’s supply chain. Yet the cybersecurity safeguards required of these service providers were often unclear and inadequately enforced.
“Very often the supervised institutions did not have a full inventory of their service providers. They did not have information about whether critical data was stored at a service provider, or they were performing a critical function. Hence supervised institutions often only carried out insufficient audits, or no regular assessments at all, of such service providers.”
These comments reflect dynamics inherent to the financial institution/global cybersecurity provider relationship. They will apply as much to New Zealand as to Switzerland.
The RBNZ is, in some ways, ahead of the curve with its BS11 outsourcing restrictions on large banks and its cyber-resiliency guidelines on the wider population of regulated financial institutions. These guidelines require that regulated entities identify key service provider risk and points of exposure within their business continuity plans (BCPs), and ensure their cyber incident response aligns with service provider BCPs. That said, complying with these requirements did not, and currently could not, address the Crowdstrike failure.
Best practice often dictates that regulated entities use market leading providers for critical services. Crowdstrike is a recognised market leading provider. But global market dynamics for technology services concentrate expertise in a relatively small number of critical providers. Contractual provisions to avoid vendor lock-in cannot provide practical solutions when there is only one feasible vendor.
Observations on what next
The Crowdstrike outage will have repercussions in New Zealand beyond repairing the immediate damage. We expect these repercussions will include:
- A stronger regulatory focus on managing risks inherent to open banking, particularly as the Customer and Product Data Right Bill progresses through Select Committee, and to other financial service innovations, such as the RBNZ’s development of digital cash
- Increased RBNZ interest in understanding how banks monitor and assess their third-party service providers. We expect to see cyber resilience considerations reflected in the Deposit Takers Act standards, which will impact director due diligence duties. Properly addressing supply chain risk requires more than simply requiring that regulated entities have proper BCPs or contractually avoid vendor lock-in
Directors should consider how digital supply chain risk is covered by their existing cybersecurity processes. Where processes only address cybersecurity and don’t consider exposure to third party suppliers more broadly, directors should consider how much more can be done (or that regulators may expect to be done or evidenced) to continue minimising exposure risk as technology evolves and digital solutions move from optional add-on to critical.
Banks are under intense pressure to facilitate innovation and increase competition in the financial services market. That pressure is exacerbated by sometimes outdated regulatory oversight requirements and core technology system challenges. New technology projects often take many years to complete. The Crowdstrike outage reminds us that fully understanding your digital supply chain is critical to successfully managing and mitigating risks.