Beyond CrowdStrike: What banks can learn from other tech disasters

Enjoy complimentary access to top ideas and insights — selected by our editors.

In the wake of the recent CrowdStrike outage, financial institutions are realizing that there is no perfect way to guard against the next cyber calamity — but they must try anyway.

The Austin, Texas-based cybersecurity firm confirmed that a "sensor configuration update" for its software Falcon Sensor was at the core of the disruption, triggering a "logic error resulting in a system crash and blue screen (BSOD) on impacted systems," according to a July 20 blog post. Further details released this month found that a test designed to catch these errors before they are deployed failed, leading to widespread crashes. 

Those impacted include ICE Mortgage Technology, the $214 billion-asset Fifth Third Bank, TD Bank, the $5 billion-asset Canandaigua National Bank in Canandaigua, New York, and more.

Read more: Poor testing allowed CrowdStrike error to crash millions of computers

Dave Martin, founder and consultant for the advisory firm BankMechanics, told American Banker in July that events like the outage are often theorized when drafting contingencies for worse-case scenarios, but can become reality at a moment's notice — underscoring the importance of planning and learning.

"There is no doubt that bank leaders around the world are right now more focused than ever on contingency plans and backup preparations for a similar disruption to the system," Martin said. "The fact that such an event occurred and impacted so many highlights how truly unforeseen some crises can be."

As events like these become more common across the financial services space — stemming from more than just buggy updates and ransomware attacks — cybersecurity is top of mind for many executives. The consequences of failing to adequately shore up defenses have also evolved.

In the wake of its June cyber attack, the $9.6 billion-asset Patelco Credit Union in Dublin, California, is facing at least four individual lawsuits alleging that the institution stored sensitive member data such as Social Security numbers and addresses in an unsecured format.

Andrew Retrum, managing director and global technology risk and resilience practice lead for the consulting firm Protiviti, highlighted the challenges organizations face when preparing for various worst-case scenarios while stressing the importance of planning.

"While there are an infinite number of scenarios that may impact the business, there are only a small number of notable outcomes [such as] loss of technology, loss of site, unavailable resources [and more]. … Focus on robust response and recovery efforts that define paths forward based on the anticipated negative outcomes," Retrum said.

Read more: Are U.S. banks ready for a major ACH outage?

Other data security experts that weighed in on the CrowdStrike outage agreed on the importance of establishing action plans, including ways to restore operations as quickly as possible.

"They should be preparing to pivot quickly towards alternative systems and service providers as needed, which could even mean reverting to manual processes in some situations," said Kim Phan, a privacy, data security and regulatory compliance partner with Troutman Pepper. "Financial institutions should also socialize these concepts with consumers and make clear that our 'on demand' economy is a privilege, not a right."

Below are in-depth looks at some of the most notable cyber outages that have struck the banking space over the last few years.