CrowdStrike/Windows outage illustrates the importance of third-party risk management

Today’s organizations must maintain strong, proactive TPRM, as well as business continuity planning, to protect against disruption.

 

Companies and consumers across the globe experienced difficulties and delays Friday as Microsoft systems experienced issues reportedly linked to a defective software update from cybersecurity provider CrowdStrike. 

While the specifics of the event continue to unfold, the news underscores the need for businesses (and all organizations) to maintain strong, proactive third-party risk management (TPRM), as well as business continuity planning.

Organizations today need to clearly understand their third-party landscape, including the risk factors and potential impacts of various types of third-party events, many of which the contracting business may not directly control: cyberattacks, natural disasters, utility failures, and more.

A particular lesson here is to make sure that risk management does not overlook risks tied to “systemically important vendor enterprises” (SIVEs): dominant third-party providers to an economy or sector. These vendors may seem “too big to fail,” but failures do happen, and when one does, it not only directly impacts the primary business but also disrupts an entire marketplace and creates numerous knock-on effects, such as what we are witnessing now with the CrowdStrike disruptions to Microsoft leading to airlines canceling flights.

How can my organization protect against third-party disruption?  

Take this opportunity to review basic TPRM “good hygiene” principles, and make sure you are well-positioned to actively manage these risks over the long term: 

  • Confirm and enhance your organization’s overall understanding of third-party risk management and of the underlying risk factors that both a company and its vendors need to manage.
  • Conduct regular, thorough reviews of your third-party relationships and how their adverse events may disrupt your business, and develop mitigation plans accordingly. 
  • Make sure your third-party contracting and overall contractual language define performance requirements for vendors (for technology vendors, as an example: have they conducted proper testing of their systems and updates?), and require adequate indemnification and insurance protection for your business.
  • Institute relevant and “fit for purpose” business continuity planning, with robust scenario analysis and testing. For example, what backups do you have for key systems if they go down for an extended period of time? In the event of a faulty software update, are you able to quickly revert to a previous version? 

Thorough, comprehensive third-party risk management enhances your organization’s resilience in today’s connected, uncertain world. Reach out to our Risk and Cybersecurity teams to learn more or get started.

OUR PEOPLE

Subject matter expertise

Yvette Connor

MBA, Principal – Risk Advisory Practice Leader

Bhavesh Vadhani

CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy


This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP nor its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.