A system failure at vendor Fidelity Information Services (FIS) disrupted Capital One customers, halting online banking and paycheck deposits.
Experts emphasize that customers hold banks accountable for disruptions, regardless of third-party involvement, increasing pressure on institutions.
The incident underscores the critical need for rigorous third-party risk management, including vendor assessments, SLAs, and continuity planning.
Cyber insurance often excludes accidental outages, prompting organizations to reassess their policies and better prepare for vendor-related risks.
Thousands of Capital One customers have faced significant disruptions in the last two weeks following a multi-day outage linked to a third-party vendor.
The outage, attributed to a system failure at financial technology firm Fidelity Information Services (FIS), left customers unable to access online banking services and delayed direct-deposit paychecks, according to media reports.
In a statement on January 16, Capital One acknowledged the issue, citing a “technical problem” with FIS as the root cause. Three days later, the bank announced that full account functionality had been restored.
Capital One was not the only institution impacted by the outage, which affected multiple banks that rely on FIS’s systems.
According to FIS, the outage stemmed from a “local area power loss and hardware failure.” While the company did not provide additional details, cybersecurity experts have raised questions about the adequacy of FIS’s testing and backup measures.
“There should be testing done, and the right tools in place with backups,” said Randolph Barr, Chief Information Security Officer at Cequence Security. “It’s surprising that a power outage caused such a major disruption in their customers’ environments.”
For consumers, however, the identity of the vendor is irrelevant. Jason Rebholz, Vice President and Cyber Risk Officer at Travelers Insurance, emphasized that customers hold their banks accountable. “A Capital One consumer doesn’t know who FIS is, and they don’t care. At the end of the day, your customers will hold you accountable,” he said.
The fallout from the outage highlights a growing challenge for businesses that rely on third-party vendors.
In an interconnected marketplace where companies outsource critical operations, risks associated with outages and breaches are increasingly prevalent. According to SecurityScorecard, 98% of organizations have at least one third-party vendor in their supply chain that has been breached.
The outage also serves as a stark reminder of the need for businesses to evaluate and manage third-party risks effectively.
Experts recommend several strategies, including reviewing contracts, assessing vendors’ security protocols, and ensuring vendors can scale alongside business growth.
Service-level agreements (SLAs) play a crucial role in mitigating third-party risks, particularly for large enterprises like Capital One. “Big companies have more leverage to negotiate better terms, but smaller businesses may lack that flexibility,” Barr noted.
Regular assessments of third-party security and business continuity plans are also vital. “Start off by classifying your vendors based on their criticality to your business,” Rebholz suggested. “The bigger the impact a vendor outage would have, the more important it is to scrutinize their practices.”
Even with careful planning, outages are often unpredictable. “There are always edge cases that no reasonable person could foresee,” Rebholz said, stressing the importance of preparing for inevitable failures by diversifying supply chains and implementing robust incident response plans.
“A lot of cyber insurance policies are geared toward malicious events, like cyberattacks, and may not cover accidental outages,” explained Scott Kannry, CEO of cybersecurity firm Axio. By quantifying potential risks and financial losses, organizations can determine whether their coverage is sufficient.
“We need to learn from these events and remind ourselves that it can happen to anyone,” Barr said. “The key is stepping up our game in assessing and managing vendor relationships.”
For Capital One customers and others affected, the incident underscores the critical importance of operational resilience in an era of growing digital dependence.