The importance of supply chain due diligence, training, and operational resilience: Lessons from the DOJ, FCA, and the CrowdStrike outage

Written by Ty Francis MBE, CCEP | Chief Advisory Officer | Nov 6, 2024 10:09:59 PM

The recent lawsuit by Delta Airlines against CrowdStrike for over $500 million in damages following its widespread flight cancellations highlights just how critical the reliance on third-party technology suppliers has become. The July 2024 CrowdStrike incident, which disrupted operations across multiple sectors, including airlines, banking and healthcare, emphasizes how unregulated or unvetted third-party suppliers can pose substantial risks to business continuity. As the Financial Conduct Authority (FCA) reminds us, businesses must focus on mitigating such risks, particularly as firms increasingly rely on external technology providers. 

The FCA has made it crystal clear that financial services firms must demonstrate what they see as operational resilience by March 31, 2025. Specifically, regulated firms are required to ensure they can continue delivering critical business services during severe but plausible disruptions. The FCA's operational resilience rules emphasize the importance of identifying key business services, setting impact tolerances, and conducting regular testing to prepare for worst-case scenarios. As the CrowdStrike incident showed us, operational resilience isn’t just a technical issue; it’s a necessity for business survival. Firms must not only understand the potential risks their third-party suppliers pose but also have clear contingency plans in place.

This challenge echoes the U.S. Department of Justice’s (DOJ) recent 2024 guidance on corporate compliance, which places heavy emphasis on ongoing third-party due diligence. The DOJ’s guidance urges companies to proactively vet and monitor third-party relationships to ensure compliance with both legal requirements and corporate ethical standards. However, this isn’t just about initial risk assessments—continuous oversight is necessary, especially with technology partners who can significantly impact operations.

An essential element in strengthening third-party relationships is supplier training. While not legally mandated, supplier training is a best practice for any organization serious about mitigating supply chain risk. As I discussed in a recent article, training solutions for suppliers play a pivotal role in reinforcing the ethical and compliance expectations that underpin a company’s operations. For instance, LRN’s Third-Party Supplier Training Solution ensures that suppliers fully understand a company’s code of conduct and compliance obligations, aligning them with the company’s values and reducing the likelihood of introducing operational or ethical risks. 

The FCA’s operational resilience rules emphasize the need for firms to strengthen their controls over third-party risks. Testing these relationships and ensuring they have robust incident notification procedures is crucial, but this effort must be paired with comprehensive supplier training. Considering the CrowdStrike outage, it’s clear that an organization's operational resilience depends not only on its own systems but on the capabilities and ethical integrity of its suppliers. Supplier training reinforces the importance of these expectations and prepares both parties to handle disruptions effectively. 

At the heart of the FCA’s operational resilience rules and the DOJ’s updated guidance is a common message: firms must ensure their supply chains can withstand disruptions while upholding their ethical and legal standards. By integrating third-party due diligence with rigorous training and operational resilience planning, companies can better manage the growing complexity of their digital supply chains. A holistic approach that combines these elements is critical for mitigating risks and ensuring business continuity in a world where technology crises, like the CrowdStrike outage, can have far-reaching impacts. 

The FCA’s deadline of March 31, 2025, serves as a clear reminder for financial firms to bolster their operational resilience. Companies need to focus on testing severe but plausible scenarios while establishing clear impact tolerances to ensure they can continue providing essential services during a crisis. Training third parties not only helps mitigate these risks but ensures that the company’s ethics and compliance standards are upheld, or at least cascaded throughout the supply chain. In this sense, supplier training becomes an extension of a company’s resilience strategy, ensuring partners are well-equipped to handle disruptions. 

The CrowdStrike incident should serve as a wake-up call for all businesses. In a landscape where technological disruptions can cripple industries, firms must take a proactive approach to both operational resilience and third-party risk management. By combining ongoing due diligence, comprehensive training, and robust resilience testing, companies can ensure that they are well-prepared to navigate future challenges.