This morning CrowdStrike CEO George Kurtz reported that 97% of the Windows sensors knocked out during CrowdStrike’s botched software update a little over a week ago are back online. That’s great news for those companies still reeling from one of the biggest IT outages in history.
When it comes to cybersecurity companies, CrowdStrike is widely considered to be a belle of the ball. Here’s wealth manager Josh Brown, a shareholder in the company since 2020, bringing the roses less than a year ago:
You can talk as much about cloud and mobile and social and machine learning and distributed computing and generative AI as you’d like, if you can’t secure your data and provide safe access to users, you have nothing. Literally ….
Spending on top-of-the-line security solutions has now been enshrined into securities law, in addition to all the other reasons to take this stuff seriously, such as not getting sued into the stone age by your customers or forced to make Bitcoin ransom payments to international cyber terrorists ….
As a business manager, you would cut IT spending on literally anything else first. A small handful of publicly traded companies have what I consider to be a massive runway ahead of them. CrowdStrike is aiming to become the Salesforce of the industry.
To recap: Friday morning, July 19, a bug in a CrowdStrike software update resulted in major IT outages that grounded flights and brought chaos to banks and other businesses around the world.
“CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts,” CrowdStrike’s Kurtz wrote on the social media platform X the morning afterward. “Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated, and a fix has been deployed.”
As we learn more about exactly what happened, is there a particular insight here for banks, fintechs and financial services companies? At a time of heightened concern over third-party risk in our industry, the CrowdStrike outage is yet another reminder of the importance of not only choosing technology partners carefully, but also of ensuring resiliency in the event of an issue with a partner.
The latter is especially pertinent here. Many of the challenges and controversies with regard to third-party risk management in financial services involve the latter, vetting issue, primarily. A signature example is the case of Synapse, the fintech whose allegedly improper handling of customer funds led to more than 200,000 users losing access to their money and numerous disputes with banking partners. CrowdStrike is being accused of no such malfeasance and will, in all likelihood, remain a major player in the cybersecurity industry, with its reputation scratched perhaps but probably not scarred.
That leaves us with resiliency. In banking, the definition of resiliency has expanded significantly in recent years. From the failures of the banking crisis to the strains of the COVID-19 pandemic and accompanying economic slowdown a little over a decade later, banks have dealt with major challenges to both financial and operational resiliency.
The CrowdStrike outage represented a different type of disruption, and one that may be less amenable to the solutions that have ensured bank resiliency in the past (i.e., leadership, talent, and technology). Given many of the common complaints when technology disappoints, it’s worth wondering if we should look at ourselves, not just our institutions, for greater “resiliency.”
To this end, compare the CrowdStrike outage to the AT&T breach this spring. Unlike with CrowdStrike, AT&T reported that “AT&T data-specific fields were contained in a data set released on the dark web.” The breach did not allegedly have “a material impact on AT&T operations.” But it did represent the kind of security challenge that cybersecurity companies are built to prevent, and that banks and financial services companies need to be prepared for. When I read “released on the dark web,” I thought of Finovate Best of Show winner SpyCloud, the Austin, Texas-based cybersecurity company that specializes in retrieving stolen credentials from the dark web.
And it appears as if more and more banks and financial institutions are getting the message. In the past few years, companies like Corsound AI (FinovateEurope 2024 Best of Show winner) to 1Kosmos (FinovateSpring 2023 Best of Show winner) have stood out among fellow fintechs for their innovations in everything from deepfake detection to passwordless authentication. As FinovateFall 2024 draws near, it will be interesting to see what innovations the current crop of cybersecurity specialists bring to the current challenges faced by banks and financial services companies alike.
For more insights on the CrowdStrike outage and its potential implications for financial services, check out 4 Implications of CrowdStrike’s Faulty Software Update by Finovate Senior Research Analyst Julie Muhn.