INDUSTRY NEWS
Lesson learned from CrowdStrike incident: bolster your vendor due diligence
Few community financial institutions were impacted by the CrowdStrike-induced IT outage earlier this month, but it served as a good reminder to double-check licensing agreements and vendor relationships.
Many credit unions and banks will be taking a closer look at their vendors after an IT outage struck businesses around the world July 19.
Some banks, including JPMorgan Chase, experienced disruptions earlier this month after a defective update to CrowdStrike’s Falcon sensor crashed the Windows machines running it.
The $241 million-asset Landings Credit Union in Tempe, Arizona was not impacted, but President and CEO Brian Lee told Tyfone the incident certainly sparked some conversations.
“We have been digging in a little deeper on our vendor due diligence, both at the start of the relationships and ongoing,” Lee said. “We can’t predict every issue that might pop up, but we want to look at our reliance on any one vendor and think through the scenarios that could come up that would negatively impact our members.”
Lee said the credit union will keep talking about the issue and probably make some changes going forward.
Customers of other financial institutions, including Webster Bank, had access problems during the global technology outage. The bank, which is headquartered in Stamford, Connecticut, said the issues have since been resolved.
But Steve Heckard, a managing director who leads Artisan Advisor’s core financial technology practice, said there are steps a financial institution can take to limit the financial impact of a catastrophe like the CrowdStrike outage.
Heckard, a specialist in financial technology with extensive experience in IT strategic planning, conversion planning, and operational assessments, said FIs should review all software license agreements to determine if the vendor limits its liability if a similar event should occur.
He said this should become a concern when negotiating all software and service agreements.
“Expand your review to also consider the possibility of a software update containing malware or ransomware,” he said. “Software vendors have access to devices in the network and have often been given permission to install updates remotely.”
Heckard said this concern applies to not only software providers but also service providers – core processing, for instance – that are attached to servers. Any workstation or server attached to a third-party service provider is at risk, he said.
FIs should then review their cyber insurance policy to see whether it covers such an incident.
“Better yet, discuss this event with the provider of the cyber insurance policy. And ask about coverage if a third-party service is the source of malware,” Heckard said.
Shares of CrowdStrike continue to drop after its major software update problem, Yahoo reported Tuesday.