On 31 March 2022, the FCA introduced new rules for regulated firms about operational resilience. By no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances. 

The importance of these rules was illustrated by the CrowdStrike outage on 19 July 2024. CrowdStrike released a Falcon content update for Microsoft Windows hosts, with a defect that caused systems to crash. Many firms use CrowdStrike for device protection, threat intelligence and response services. CrowdStrike's core technology, the Falcon Platform, detects and responds to malicious threats. As CrowdStrike is widely used, the FCA saw varying degrees of operational impact on regulated firms, with no sector more affected than others, and minimal consumer harm.

The FCA engaged with firms during the incident to understand the impact on firms and the market, operational responses, and recovery. Following the restoration of services, it engaged with firms to better understand the lessons learnt.

Summary of findings

By investing in operational resilience and following the FCA’s operational resilience rules, firms were able to identify consumer and market impacts and prioritise their important business services.

Firms that had mapped their important business services, and the resources necessary to deliver these services, were able to prioritise getting key services back online to reduce the overall impact the incident had on their operations.

Organisations benefitted from having tested scenarios that were severe but plausible, including those affecting multiple important business services at the same time.

Firms who had clearly defined and tested communications strategies were able to quickly and efficiently respond to, and communicate with, customers and stakeholders.

Next steps

If you are regulated by the FCA, it is advisable to consider if your current testing scenarios are adequate and assure yourselves that impact would be minimised during operational disruptions.