top of page

Recommendations of the Financial Services Cybersecurity Committee on the CrowdStrike Incident

CrowdStrike pushed out a buggy configuration update on Friday, July 19th, causing a system crash and a blue crash screen (BSoD) on a wide range of devices around the world. Microsoft stated the next day that the incident affected about 8.5 million devices. Several major banks, media outlets, and airlines around the world reported massive IT system crashes and service disruptions.


In Hong Kong, some banks are also CrowdStrike customers, but at the request of the Hong Kong Monetary Authority (HKMA), they have all participated in the Whole Industry Simulation Exercise (WISE) 2023, whereby each of them is required to put in place contingency arrangements to cater for extreme scenarios. Although many practitioners have complained about the harshness of this regulatory requirement, from today's point of view, it's an arrangement that deserves to be recognized. It is hoped that the industry will adopt a bottom-line mentality to cope with all possible extreme situations. The Hong Kong Monetary Authority's continual updating of various codes of conduct, such as SPM OR-2, will help the industry to be able to continue to serve the people of Hong Kong under extreme circumstances.


The Committee would also like to take this opportunity to encourage practitioners to re-examine their Cyber Security Framework and Architecture and not put their eggs in one basket. No matter how reliable that product is, there is always a chance that something will go wrong. Consider Role-based Timed Access Control for all third-party software or other risk-diversification measures to ensure good third-party and supply chain risk management. In the procurement process, we should not hold the mentality of ‘other large organizations also use this solution’ and then take it lightly. Instead, we should consider the IT solution provider's Concentration Risk and Resiliency. If we put all the eggs in one basket, even a minor mistake can have disastrous consequences. In addition, due to the unique nature of this incident (most leading end-user security vendors use something like a ‘software update’ several times a day to deal with new attacks, unlike Signature Updates for traditional protection software), traditional Change Management for Production Environment is not applicable, and adopting a different Signature Update schedule to separate different types of systems is also not applicable. More feasible disaster response options should be considered.


bottom of page