24 March 2025
Digital resilience and cyber security – 5 of 8 Insights
Nicholas Crossland looks at the importance of building in digital resilience and other lessons from the CrowdStrike incident.
In July 2024, a flawed software update in CrowdStrike’s endpoint protection suite caused major system outages for many organisations worldwide. Instead of defending against threats, the updated software mistakenly triggered repeated system crashes. Although CrowdStrike is widely used and well established in the cyber security space, this event highlighted how a single technical error in a product can disrupt thousands of businesses in a matter of hours. In an age of increasing digital complexity, the incident has prompted many to examine how prepared they are for unexpected problems in their technology supply chain, particularly now that laws like the Digital Operational Resilience Act (DORA) and the Network and Information Security (NIS2) Directive may reshape how companies manage these risks in Europe.
The outage stemmed from a routine update to CrowdStrike’s software client that overloaded Windows-based systems. By design, endpoint security tools run deep within an operating system to detect anomalous activity. When there is a hidden bug at that level, it can cause a system-wide crash. Countless corporate PCs and servers failed or entered continuous reboot loops and the cyber security world scrambled to diagnose the cause and revert the flawed update.
This became especially serious in part because so many organisations worldwide use CrowdStrike technology. Even critical infrastructure sectors, such as aviation and healthcare, experienced disruption. Although it might seem that the obvious conclusion to draw from the incident is that it is problematic to rely on a single vendor (or small number of vendors), the presence of one widely recognised provider may counterintuitively have helped responders in this case quickly pinpoint the root cause of the outage. In a more fragmented environment, systems are often just as interconnected and vulnerable to cascading issues, but identifying exactly which system or provider triggered an outage can be more complicated and time-consuming. At the same time, this incident highlights how quickly a flaw can scale up when a global update is issued (as we discuss in the context of key lessons below).
Financial services, in particular, arguably did not experience the level of crisis that might have been expected if a core banking platform had been severely compromised. While some banks and insurers had serious outages, others caught the issue early or postponed the update. Some systems went offline, but there were very limited or no reports of permanent data loss or critical transaction failures.
Banks and other financial institutions typically have strict operational processes, driven by regulatory demands and the need to protect vital services. Although some experienced short-term issues in user-facing applications, most were able to roll back the update or apply an emergency patch relatively quickly. Backup plans and strong change control processes meant that if the update affected only a test group of machines, the institution could halt the rollout before it reached the entire workforce.
Another important factor was the focus on customer communication. Institutions that suffered short outages generally reassured clients that funds were secure and that the service interruption was temporary. Because banks and insurers routinely prepare for various disaster scenarios, many had alternative routes to deliver critical functions. This planning is in part a reflection of the regulatory emphasis on resilience.
Although the disruption generated unexpected costs – involving IT response teams, reboots, and lost productivity – financial services as a sector managed to avoid a system-wide meltdown. This was serious enough to show how dependent modern banking can be on third-party tools, but it did not escalate into a real financial stability event.
The EU’s recent focus on third-party and supply chain risk may look especially relevant in view of this incident. For example, DORA introduces obligations around how financial entities must monitor and test important third-party relationships and maintain backup arrangements if a supplier fails. The NIS2 Directive also widens the scope for mandatory cyber security measures and incident reporting for both essential and important entities, including large financial institutions, digital providers, and software vendors.
Meanwhile, UK regulators – led by the FCA – continue to emphasise operational resilience, urging in-scope firms to define how they will operate through disruptions and communicate with regulators and customers promptly.
Outside financial services, more regulation is on the way. The UK government plans to introduce the Cyber Security and Resilience Bill to Parliament in 2025, to protect a broader range of essential digital services. It is expected to widen the scope of the UK Network and Information Systems Regulations 2018 to capture more digital services and supply chains, and to include broader measures to ensure implementation of cyber security measures and reporting of cyber attacks.
Phased deployment – foremost among the lessons from the CrowdStrike incident is the need for careful testing and phased deployment of software updates, particularly those that run at the operating system’s core. Phased or staggered releases make it much less likely that a single bug will cascade across entire organisations.
Incident response plans – another lesson lies in having a workable incident response plan. Organisations that had an up-to-date plan knew the right escalation points, how to revert the software, and how to keep customers informed. Well-managed communication is a sometimes overlooked aspect of cyber resilience planning, since good communication is vital to maintaining trust – with internal teams, clients, and regulators, but also with the market, which in the context of financial services is a critical aspect of an institution's resilience in a more holistic sense.
Vendor management – contractual arrangements also play a key role. Even if a supplier is not viewed as “critical,” its services can still be integral. Many institutions are now reviewing how their contracts address responsibilities, liabilities, and vendor support during unplanned outages. In a regulatory environment that imposes clear obligations on business continuity and risk management, it is not enough to rely solely on a provider’s reputation (although this should still be a factor). Fortunately for many of the technology industry's players, this can present an opportunity since they are well placed to provide the kinds of technical measures that mitigate the risk of these kinds of incidents – from service reporting, to flexible deployment, to redundant capacity.
Communication as a resilience tool – CrowdStrike also illustrates that complexity and interdependence can come with their own risks and benefits. Having a single leading provider, in some respects, made the technical glitch easier to trace back to its source. Yet a rapid, global deployment allowed the problem to spread widely in a short time, so there has to be a balance. Organisations can draw their own operational strategies from this, but what is clear is that a one-size-fits-all approach will likely not work and businesses need to interpret not only the threat landscape but the regulatory framework evolving in Europe in a way which is relevant and proportionate to the risks they identify.
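The phased-deployment lesson above, and the point made earlier that an institution with a test group and strong change control could halt a rollout before it reached the whole workforce, can be made concrete as a small ring-based rollout controller with a health gate. The following is an added illustration written for this page, not CrowdStrike's or any vendor's deployment code; the ring names, host names, ring sizes and the zero-tolerance failure threshold are constructed assumptions, and the "fleet" is a simulated in-memory model rather than real endpoints.

```python
"""Phased (ring-based) rollout with a post-update health gate.

Added illustration, not CrowdStrike's or any vendor's tooling. The rings,
host names and the failure threshold below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical fleet split into rings: a small canary group first, then
# progressively larger groups. Hosts are constructed sample names.
RINGS: List[Tuple[str, List[str]]] = [
    ("canary", ["lab-01", "lab-02"]),
    ("pilot", [f"pilot-{i:02d}" for i in range(10)]),
    ("broad", [f"ws-{i:03d}" for i in range(100)]),
]


@dataclass
class RolloutReport:
    """What the controller did, for the incident/change record."""
    completed_rings: List[str] = field(default_factory=list)
    updated_hosts: List[str] = field(default_factory=list)
    rolled_back_hosts: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None   # ring whose health gate failed, if any
    failure_rate: float = 0.0         # failure rate observed in the last ring


def phased_rollout(
    rings: List[Tuple[str, List[str]]],
    apply_update: Callable[[str], None],
    health_check: Callable[[str], bool],
    rollback: Callable[[str], None],
    max_failure_rate: float = 0.0,
) -> RolloutReport:
    """Push the update one ring at a time.

    After each ring, every host is health-checked. If the fraction of
    unhealthy hosts exceeds max_failure_rate, the ring is rolled back and
    the rollout stops, so later (larger) rings are never touched.
    """
    report = RolloutReport()
    for ring_name, hosts in rings:
        for host in hosts:
            apply_update(host)
            report.updated_hosts.append(host)
        failures = [h for h in hosts if not health_check(h)]
        report.failure_rate = len(failures) / len(hosts)
        if report.failure_rate > max_failure_rate:
            # Health gate failed: undo this ring and halt; the blast radius
            # is limited to the hosts in this ring.
            for host in hosts:
                rollback(host)
                report.rolled_back_hosts.append(host)
            report.halted_at = ring_name
            return report
        report.completed_rings.append(ring_name)
    return report


def simulate(update_is_flawed: bool) -> RolloutReport:
    """Constructed fleet model for demonstration.

    A flawed update puts every host that receives it into a crash loop,
    which the health check reports as unhealthy; a good update is harmless.
    """
    installed: Dict[str, str] = {}

    def apply_update(host: str) -> None:
        installed[host] = "v2"          # hypothetical new client version

    def health_check(host: str) -> bool:
        # A host running the flawed v2 never comes back: unhealthy.
        return not (update_is_flawed and installed.get(host) == "v2")

    def rollback(host: str) -> None:
        installed[host] = "v1"          # revert to the last known-good version

    # Zero tolerance: a single crashed canary halts the rollout.
    return phased_rollout(RINGS, apply_update, health_check, rollback,
                          max_failure_rate=0.0)


if __name__ == "__main__":
    bad = simulate(update_is_flawed=True)
    print(f"flawed update: halted at ring '{bad.halted_at}', "
          f"{len(bad.updated_hosts)} hosts touched, "
          f"{len(bad.rolled_back_hosts)} rolled back")
    good = simulate(update_is_flawed=False)
    print(f"good update: rings completed {good.completed_rings}, "
          f"{len(good.updated_hosts)} hosts updated")
```

With the flawed update the controller halts at the canary ring after touching only two lab machines, which is the outcome the phased-deployment lesson aims for; with a good update all 112 hosts receive it. In a real estate the `apply_update`, `health_check` and `rollback` callables would wrap the management tooling actually in use, and the health check would typically wait out a soak period rather than polling immediately.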