By Luisa Maria Jacinta C. Jocson, Reporter
THE GLOBAL tech outage caused by a botched software update by a cybersecurity firm CrowdStrike Holdings, Inc. has highlighted the need for companies to enhance and strengthen their information technology (IT) contingency plans, analysts said.
“The havoc caused by the Microsoft outage offers a number of lessons regarding the need to regulate the country’s digital transformation,” Leonardo A. Lanzona, Jr., an economics professor at the Ateneo de Manila University, said in an e-mail.
“The incident underscores the need for regulatory oversight to ensure that major technology providers maintain high standards of reliability and security. Regulators may need to establish and enforce guidelines for uptime, redundancy, and disaster recovery plans,” he added.
Operations of airlines, banks, hospitals and other companies around the world were disrupted on July 19 when a software update by CrowdStrike caused problems on devices running Microsoft’s Windows operating systems.
Microsoft in a blog post on Saturday said around 8.5 million Windows devices or less than 1% of all Windows machines were affected by the CrowdStrike update.
The Bangko Sentral ng Pilipinas (BSP) said it was “closely monitoring” the outage’s impact on banks and financial institutions in the country.
“Some BSP-Supervised Financial Institutions (BSFIs) have experienced disruptions but are addressing the issue, while some already restored affected systems,” the central bank said in a statement released late on Friday.
The central bank assured the public that the financial system remains resilient. “The BSP has required affected BSFIs to provide updates and activate their resilience and continuity plans as needed.”
It also noted that its peso real-time gross settlement system was unaffected while other settlements such as PESONet, Instapay, ATM and checks, were completed within the day.
Several domestic banks and airlines reported experiencing disruptions in their operations due to the outage on Friday. Since then, most banks and firms have reported that they have restored their digital channels.
“Critical information systems should always have backups and redundancies. This global outage, which was reported to have happened due to a bad patch, can be managed well by organizations,” Sam Jacoba, founding president of the National Association of Data Protection Officers, said in a Viber message.
Mr. Jacoba said that firms will be able to best cope with disruptions if they can create evolving business continuity plans, conduct regular breach or system downtime drills and prepare a “back-to-manual” plan for worst-case scenarios.
“We still haven’t seen the economic, societal and direct impact to the lives of people directly affected by the outage (i.e. healthcare systems), but the technology companies involved can expect lawsuits to come from various organizations that were impacted by the outage,” he added.
On the regulatory side, Mr. Lanzona said that there must be “clearer and more robust service level agreements (SLAs) that define the rights and remedies for customers in the event of service disruptions.”
“There may also be a need for regulations requiring greater transparency from service providers regarding the causes of outages, response efforts, and measures taken to prevent future incidents. This can help build trust and allow consumers to make more informed decisions,” he said.
Mr. Lanzona also noted that diversifying service providers would also prevent the incidence of a massive shutdown across sectors.
“The source of the problem is the concentration of market power in a few large providers like Microsoft,” he said.
“Encouraging competition and reducing barriers to entry for smaller or alternative providers can help mitigate the risk of widespread disruption due to a single provider’s outage.”
Meanwhile, Terry L. Ridon, a public investment analyst and convenor of think tank InfraWatch PH, said CrowdStrike now needs to address the concerns of clients who were affected by the faulty software update.
“The burden is now on CrowdStrike on how it can assuage its numerous clients for the security and reputational risks which had resulted from their faulty software update,” he said in an e-mail. “It should do this promptly or else its clients will look to other firms which can provide a similar or equivalent service.”
George Kurtz, CrowdStrike founder and chief executive officer, said on Friday that the company has identified the issue and deployed a fix for the failed software update.
“The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack,” he said on X.
Mr. Kurtz said that the CrowdStrike team will “provide full transparency on how this occurred and steps we’re taking to prevent anything like this from happening again.”