FINRA has issued a cybersecurity alert concerning a recent CrowdStrike service outage that has impacted Microsoft operating systems. This disruption, which began on July 19, 2024, is linked to a software update affecting CrowdStrike’s Falcon software. The Cyber and Analytics Unit (CAU) within FINRA’s Member Supervision program is actively monitoring the situation.

Details of the Outage

On July 19, 2024, CrowdStrike publicly disclosed an outage caused by a software update, which resulted in widespread disruptions for Microsoft Windows devices utilizing the Falcon software. According to CrowdStrike CEO George Kurtz, “this is not a security incident or cyberattack” but rather a service-related disruption. The company has since provided updates and troubleshooting guidance to assist affected customers.

Potential Secondary Risks

Given the scale of this disruption, member firms should be vigilant for secondary risks. Cybercriminals may exploit this incident to conduct social engineering and phishing attacks. The Cybersecurity & Infrastructure Security Agency (CISA) has reported observing threat actors targeting organizations through phishing and other malicious activities, capitalizing on the ongoing issues. CISA recommends that organizations stay alert and adhere to instructions from verified sources.

CrowdStrike advises firms to communicate through its Support Portal or other official channels for assistance and updates.

Action Items for Member Firms

• Ensure that any IT service vendors you work with are aware of this disruption and are taking appropriate measures.

• Be extra cautious of potential phishing or social engineering attempts that might leverage the current situation.

• Any critical system or business operations issues should be reported to your Risk Monitoring Analyst at FINRA.

• Follow guidance from official sources and avoid relying on unofficial information.

Conclusion

It’s important to note that this alert does not introduce new legal or regulatory requirements or reinterpret existing ones. It does not exempt members from their current obligations under federal securities laws and regulations. Instead, it serves as a reminder to consider these developments when reviewing or updating your cybersecurity practices in alignment with regulatory requirements.

For any questions or concerns related to this alert or other cybersecurity matters, please reach out directly to Braeden Anderson at braeden@andersonlaws.com

* * *

Attorney Advertising—Anderson P.C. is a U.S. law firm located at 1717 K Street NW, Suite 900, Washington, D.C. 20006.

Anderson P.C. provides this information as a service to clients, prospective clients, and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. If you have any questions, please contact Braeden Anderson.