Capital One Outage Highlights Third-Party Risk
With another big outage caused by a third-party vendor, there may be lessons enterprise leaders can learn.
Thousands of Capital One customers recently experienced the fallout of a multi-day outage. Customers could not access online banking services and faced delays in receiving direct-deposited paychecks, The New York Times reported.
Capital One attributed the outage to “a technical issue with a third-party vendor,” according to a Jan. 16 post on X.
The third-party vendor in question? Fidelity Information Services (FIS), a financial technology company. On Jan. 19, Capital One posted that all customer account functionality was restored.
Capital One was one of several banks impacted by the FIS system outage.
Whether caused by malicious actors executing ransomware attacks or by unintentional mistakes, third-party outages can have widespread ripple effects. The FIS outage shows that here, with thousands of banking customers affected. Last year, the CrowdStrike and Microsoft outage showed the same kind of impact on a global scale.
In a time when most companies rely on third parties to operate, this kind of risk isn’t going anywhere. What can enterprise leaders learn from the Capital One outage as they assess the ongoing third-party risk their organizations face?
The Outage
FIS attributed the outage to a “local area power loss and a hardware failure,” according to a company statement.
The company did not share more details regarding the nature of the outage, but it does raise questions about the testing and backups it has in place.
“There should be testing done. There should be the right tools in place with backups,” says Randolph Barr, CISO at Cequence Security, an API security company. “Surprising that there was a power outage that caused a disruption in their customers’ environments.”
When an outage like this happens, who gets the blame depends on who you ask. FIS attributes the outage to power loss and hardware failure. Its customers are likely to place blame on FIS. For consumers, their relationship is with their bank.
“A Capital One consumer … they don't know who FIS is and they don't care,” says Jason Rebholz, vice president, cyber risk officer at insurance company Travelers. “At the end of the day, your customers are going to hold you accountable. They don't care about the details.”
Regardless of the ultimate cause of the outage, the affected companies -- FIS, Capital One, and the other impacted banks -- must manage the fallout.
Evaluating Third-Party Relationships and Managing Risk
The interconnected nature of business and the supply chain is unlikely to change anytime soon. If anything, it will continue to grow more complex as companies look for partners in AI and machine learning. That means the possibility of outages and breaches related to third parties isn’t going anywhere either. Most organizations (98%) have a third party in their supply chain that has been breached, according to SecurityScorecard.
How can enterprise leaders evaluate their relationships with third-party vendors to better understand and manage that risk?
Review contracts. A major outage is always a reminder for enterprise leaders to consider their third-party contracts. What kind of service level agreements (SLAs) are in place? What uptime guarantee does a vendor offer?
The larger the company, typically, the more power it possesses to negotiate on these terms. “If I were to look at … small-, medium-sized companies, they don't have that much flexibility working with larger organizations. But when you're a large fintech company or banking company -- Capital One being a large one -- they have a lot more influence over the contracts and working closely with their vendors,” says Barr.
Conduct regular assessments. A business’s security is only as good as its vendors’ security and business continuity plans. What steps does a third party take to protect its operations, and by extension its customers’ operations?
“Start off with classifying your vendors based on the criticality [to] your business,” says Rebholz. The bigger impact a vendor outage would have on your business, the more critical it is.
Regularly conduct assessments of that vendor’s security and business continuity practices.
Evaluate vendor scale. As companies grow, leaders need to consider their third-party vendors’ ability to keep up. “As [businesses] grow …, they have to reevaluate every single one of [their third parties] to make sure that they can scale right along with them,” says Barr.
Businesses can manage those third-party relationships and diversify their supply chains to create more fail-safes, but that doesn’t mean that outages or breaches won’t happen.
“There are always these edge cases that pop up … no reasonable person [who] would assume that all of these things are going to happen together,” says Rebholz.
When the perfect storm hits, whether it’s a power outage and hardware failure or something else, enterprise leaders need to be ready.
“You still have a lot of work that you should be doing on your side to make sure you plan for the inevitable failure or security incident at your critical vendors,” Rebholz points out.
Insurance can play an important role in that business continuity planning process. What kind of coverage does an enterprise have, and is it enough?
The cyber insurance business is going strong; annual premiums are expected to hit approximately $23 billion by the end of 2026, according to S&P Global. But enterprise leaders need to examine the details of any policy they have or are thinking about buying.
“A lot of cyber insurance policies are very much geared towards malicious events, cyberattacks, that type of stuff, and don't cover the accidental,” Scott Kannry, CEO and cofounder of cybersecurity company Axio, points out.
Risk quantification can help enterprise leaders determine the type of insurance coverage they need and the amount. What is the risk of a third-party vendor outage? How big is the potential financial loss? Does my policy cover third-party outages, whether accidental or caused by a cyberattack?
The FIS outage and its impact on Capital One and other customers is not the last incident of this nature the market will see.
“We need to learn from a lot of these incidents, and we need to remind ourselves on a regular basis that this can happen to anybody,” says Barr. “Therefore, we need to make sure we step up our game in assessing these vendors.”