Survey of finance professionals uncovers critical gaps in regulatory compliance
In the aftermath of the CrowdStrike IT outage, new research has uncovered a critical weakness in financial institutions' supply chain resilience.
The July outage, which saw thousands of businesses across the globe grind to a halt as a result of a faulty software update, has demonstrated the need for greater digital supply chain resilience, particularly in critical sectors such as financial services.
Yet despite a strong push from financial regulators to embed this at all levels, it seems that only a minority of financial organisations currently adhere to regulatory requirements around third party risk management.
A mere 20.8% of financial professionals report having stressed exit plans in place within the majority of their third party agreements, including software suppliers.
The stark revelations come from the Supplier Stability in Operational Resilience report, commissioned by Escode, the global leader in software escrow solutions, and CeFPro, an international research organisation focused on the financial services sector.
With financial services increasingly reliant on complex third party IT ecosystems, the risks associated with supplier disruption have been heightened. Regulatory bodies worldwide, from the Bank of England to the Office of the Comptroller of the Currency, have issued stringent guidelines to enhance third party risk management to ultimately embed better operational resilience across the financial sector.
One of the most in-depth examples is the European Union's Digital Operational Resilience Act (DORA). It advocates the inclusion of stressed exit plans in all ICT third party licence agreements so that a supplier failure, whether a cloud outage or a software company folding, cannot severely disrupt the financial services sector.
Yet despite this global regulatory push – with DORA due to apply from January 17, 2025 – the new survey suggests the industry remains alarmingly underprepared. Only a fifth of the global professionals surveyed reported having stressed exit plans in place for 76-100% of licence agreements, while just under half reported having them in place for only 0-10% of agreements. A mere 18.7% of respondents expressed ‘complete confidence’ in their current third party stressed exit plans.
The news comes as financial institutions continue to suffer potentially devastating material impacts due to supply chain failure.
Just over a month ago, 500,000 members of an Australian superannuation fund, UniSuper, were unable to access their accounts after a ‘one-of-a-kind’ Google Cloud misconfiguration led to the fund's private cloud account with the provider being deleted.
Wayne Scott, regulatory compliance solutions lead at Escode, commented: “The financial industry faces a pivotal moment to fortify its supply chain management practices. Regulatory pressures are intensifying – and creating challenges that strain institutions and their customers. It is troubling that there is still considerable variability in how third party governance is approached across the industry – particularly in light of events such as the CrowdStrike outage. As these institutions become more digitally reliant, often on a number of third party suppliers, action must be taken to mitigate the impact of disruption from one point of a supply chain.”
“The fact that only a fraction of institutions have robust stressed exit plans is cause for real concern. It’s not a matter of neglecting recommendations, but rather a need for better support and education on implementing these critical measures. Whether that’s from ensuring access to vital information during supplier failures and rigorous scenario testing to identify weaknesses, to the use of escrow agreements when working with software suppliers – which regulators have noted as being for ‘active consideration’ in their recommendations. This is about taking a preventative, detective approach – ultimately the only way the industry can withstand the increasingly complex risk landscape it faces.”
Andreas Simou, managing director at CeFPro, says: “The recent CrowdStrike outage underscores the essential need for comprehensive third-party risk oversight and management. Our findings reveal that significant work is needed in TPRM, with half of the respondents lacking confidence in meeting regulatory compliance demands. With increasing scrutiny and regulatory pressures, including the EU’s DORA, it is imperative to ask: How prepared are financial organizations for the numerous risks on the horizon, and what needs to happen for us to overcome this?”
The Supplier Stability in Operational Resilience report draws from a survey of 107 respondents within financial institutions across the UK, North America, and Europe, supplemented by expert interviews.