Experts say the recent CrowdStrike software defect demonstrates how poorly prepared some businesses are to respond to wide-ranging cyber threats. It’s essential for financial services businesses to work out the risk of a full system failure, how much this would cost and practice for this scenario.
In line with the requirements of the Australian Prudential Regulation Authority’s (APRA’s) CPS 234 standard and the upcoming CPS 230 standard, every APRA-regulated bank should have completed analysis to understand the potential impact of a major computer crash caused by a software update on their operations.
ASIC has also recently observed a growing number of cyber attacks on Australian organisations stemming from third-party attacks that exploit weaknesses in an organisations supply chain, giving them easy access to the organisation’s systems and networks.
APRA’s CPS 234 standard requires APRA-regulated entities to implement information security controls to protect their information assets. The CPS 230 standard, which comes in on 1 July 2025, focuses on resilience around operational risks and disruptions.
“We were just lucky the CrowdStrike glitch was not malicious. The fallout is unimaginable if all the computers across the financial system had been locked up due to a rogue nation state targeting our financial system,” says Ashwin Pal, cyber security and privacy risk services partner with accounting firm, RSM.
Pal says preparedness starts with robust disaster recovery and business continuity plans.
“Financial services businesses need to anticipate disruptive scenarios from a business and IT perspective and make sure they’ve done the required drills to be prepared. This will effectively minimise the blast radius and get the business back up and running quickly,” he says.
“It comes back to anticipating, and preparing for, the worst. This starts with an assessment of the business’s critical business processes. Understand how long you can live without those before it has a major impact on your business and your customers. Come up with scenarios that could impact critical business processes. Then come up with a plan B and a plan C and document them."
Practice makes perfect
It's one thing to document what should happen if a system is compromised and another to operationalise these plans. “That’s where many businesses fail,” says Pal.
He recommends banks run regular and comprehensive drills so if another CrowdStrike happens, the organisation is confident it can recover quickly. This includes making sure the technology is in place to bring the system back online quickly.
“Train, train, train. In the armed forces, they are prepared for the worst and they train every day for it, which is why they don't get slaughtered in the field. We need to bring some of those lessons into businesses, so if there’s another CrowdStrike or major nation state attack on our financial system, we’re ready to defend ourselves,” says Pal.
Ultimately, preparing for the next CrowdStrike is the responsibility of the board of directors because it’s their responsibility to manage risk.
“Boards need to start quantifying these risks. The minute a board member has clarity around this, they will take the necessary steps to make sure they de-risk the organisation. Let's say a bank is going to lose $10,000 an hour if the system goes down. Once directors know this, they can work out what they need to do to bridge that gap to increase resilience to a degree where they can recover quickly,” says Pal.
“It’s not realistic to reduce risk to zero. But the bank may be prepared to reduce risk so that complete system failure means they are only losing $1,000 an hour. Obviously, the numbers are going to be much bigger, but you get the point,” he says.
Once the risk is quantified, insurance can be used to transfer the residual risk.
“Then, the bank can start exploring the right policies and negotiate an appropriate premium. But for insurance to be effective in this situation, banks must understand what their exposure is,” says Pal.
While this sounds simple in theory, in practice it’s very complex given calculations need to be made across the bank and its multiple systems.
Digital transformation business Mantel Group’s cybersecurity leader Nick Ellsmore notes some systems have more resilience than others because they have alternative processing paths. For example, when ATMs lose connection to the core banking system, they may continue to work but provide restricted withdrawal limits.
“Most financial institutions should have identified material suppliers and put in place effective supply chain risk management, which have been core parts of APRA’s regulatory regime for many years,” says Ellsmore.
“Banks are required under APRA rules to take the time to investigate, understand and document the business processes and systems used in the organisation, the inter-relationships between these processes and systems and the criticality of them in the context of the overall business,” he adds.
This involves identifying threats to these processes and systems and ensuring plans are established to achieve the required availability of the systems in all reasonable eventualities.
“If there’s a meteor strike, downtime is probably to be expected. But with a failed software update, this is not the case. In practice, of course, with the complexity of modern organisations, addressing this is anything but simple,” Ellsmore says.
Improve your digital systems knowledge
FINSIA's Certificate in Digital and AI Evolution in Banking can help develop your knowledge of digital AI and automated banking, as well as the role Fintech plays in the banking sector.
This certificate provides an understanding of the scope and evolution of digital and AI transformation in banking, and describes a range of digital systems, products and models that operate in banking markets.