Critical Vendors, Critical Risks: Lessons From CrowdStrike

Last summer’s botched software update from cybersecurity firm CrowdStrike froze millions of Microsoft Windows machines globally and disrupted essential services in banking, healthcare, and government—and serves as a stark reminder of the risks tied to critical third-party vendors. For banks reliant on external technology providers, this incident underscores the need for a strong third-party risk management (TPRM) framework. In her RMA Journal article, Amina Seini, affiliate risk consultant at Wells Fargo, outlines key practices to help banks mitigate these risks. Here are some highlights: 

  • Understand your ecosystem. Financial institutions interact with a network of direct and indirect third parties, also known as “nth” parties. The OCC and FDIC provide guidance on assessing these relationships, enabling banks to evaluate risks throughout each relationship’s lifecycle. Knowing your ecosystem is crucial for effective TPRM. 
  • Minimize dependencies. The CrowdStrike incident revealed how fragile networks can be when dominated by a few providers. Banks should use dependency mapping to identify critical dependencies within their vendor networks, allowing them to monitor and manage potential vulnerabilities proactively. 
  • Establish business continuity planning for critical vendors. Differentiating between critical and high-risk vendors allows banks to allocate risk management resources effectively. Critical vendors support essential functions, while high-risk vendors pose specific risks regardless of their operational importance. A strong business continuity plan includes conducting business impact analyses, preparing recovery plans, and testing regularly to keep operations steady if disruptions occur. 

In a world where disruptions are inevitable, Seini’s recommendations provide a roadmap for banks to prepare and protect against future third-party risks. For more insights, check out the full article and additional strategies.