The major blow to global technology systems inflicted by cybersecurity firm CrowdStrike’s botched update last Friday had little or no effect on the treasury, finance and risk management teams run by NeuGroup members who responded to inquiries by NeuGroup Insights this week.
- “We were not impacted in a material way,” one treasurer said. “It did not impact treasury or the financial close—preparation for our quarterly earnings announcement and 10-Q filing.”
- In addition, some teams used the tech outage to test their business continuity plans (BCPs), taking advantage of what turned out to be a nonevent for many into an opportunity to review how prepared they are for more serious crises.
- “The issues were minor and BCPs largely kept things flowing,” said one treasurer of a mega-cap corporate. “Our prior experiences with Covid, 9/11, financial crises, etc., continue to pay dividends as we anticipate these unexpected challenges.”
Vendor problems. Most issues members experienced involved vendors, including banks. But these problems didn’t last long. For example, a FX risk manager whose team uses a tech solution to confirm FX trade details with counterparties said, “There was a brief impact to our third-party confirmations system which was restored around 9 a.m.”
- Also, one bank told this member it had “turned auto-pricing off.” The member explained that the computer models of bank counterparties auto-populate pricing within a FX trading platform for short-dated trades, streamlining pricing on simple, low-risk trades. Longer-dated, more complex trades are priced manually.
- “The bank didn’t give a reason for why they turned it off, but said they did because of the outage,” the member said. “But it did not impact our trading. So overall for us, the impact was quite limited and did not affect our ability to hedge.”
- One treasurer said, “We got a message from one of our primary FX banks mentioning that some of the aggregator multi-bank platforms were having issues early in the day, but the trading desks were operating.” She said the bank did not name the vendors having issues. Regardless, “We were not super active in the FX markets last Friday and all banking and external service providers operated as expected.”
- Said another treasurer: “There was some friction with our FX banks but we were able to manage many of our FX exposures internally with our in-house bank while our FX banks were getting back to business as usual.”
- One treasury team member was locked out of a bank portal. “Their portal was actually out for quite some time,” they said. “And then a lot of our overnight file transmissions were interrupted. So I would say everything’s kind of back to normal now, but we had some minor inconveniences.”
Banks wait a bit longer. Bank treasurers who are members of NeuGroup for Regional Bank Treasury also described manageable issues that were resolved relatively quickly, if not as fast as what corporate treasurers reported. “We had limited internal and vendor issues in the morning, including our wire system. They were all up and running by 10:30 a.m.,” one bank treasurer said. - However, he added, “Our core provider had more issues, including their teller system. While online banking, mobile and ATMs were all functioning with no issues, we did have to pivot to manual processing in the branches for any teller transactions. That was cleared and all systems were fully online by 1:30 p.m. No customer related issues were reported.”
- Another bank treasurer said in an email, “A number of our systems/vendors were impacted, but minimal issues with all customer-impacting items cleared before noon on Friday. No lingering impact.”
Business continuity and contingency funding plans. Some treasury and risk management teams at corporates and banks put the CrowdStrike debacle to good use by evaluating their preparedness for a crisis. “As the news came out, we lit up aspects of our business continuity plan to make contacts, assess activities and stay on alert,” said one AT responsible for FX risk management. “But ultimately it all passed fairly quickly and by noon it was mostly forgotten.”
- One head of internal audit and enterprise risk management said his company’s IT team proved its prowess. “We have both function-specific BCPs as well as a corporate crisis management team that is activated for major incidents. The IT team dealt with the issues so effectively via their BCP processes that it was deemed unnecessary to activate the corporate crisis management process. While there were certainly pockets of problems, it was not widespread.”
- One bank used the tech outage to test its funding resiliency. “In an abundance of caution, we did launch our contingency funding plan (CFP) first thing on Friday morning,” the treasurer said. “We don’t get to exercise that plan very often, so we tend to lean toward activating it, partly to demonstrate to our regulators that it works and we are thoughtful about it, and partly to build muscle memory for the treasury and executive team.”
- He added, “Even though we talked with our key funding partners early on, we did a small draw from the Federal Reserve’s Discount Window just to make sure that they were functioning with no issues. We exited from CFP mode on Monday morning after affirming that no further system issues arose over the weekend and no other banks were having any issues that could cause risk of contagion.”
