The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have given financial services firms in the UK three months to respond to proposals on how they should demonstrate operational resilience in the event of a cyber attack or IT breakdown.
The joint discussion paper on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs) stated that boards and senior management can achieve better standards through increased focus on setting, monitoring and testing specific impact tolerances for key business services.
“The challenges for operational resilience have become even more demanding given a hostile cyber environment and large scale technological changes,” the paper read. “As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers.”
In the last few months there have been several high-profile failures. Most recently, challenger bank Monzo admitted a customer data breach, while Ticketmaster found that 40,000 customers’ personal information and credit card details were compromised.
The government questioned the bosses of Visa and TSB recently over their separate IT failures, the former due to a hardware failure and the latter down to bank re-platforming problems.
The paper reinforces the need for firms and FMIs to develop and improve response capabilities, so that any wider impact of disruptive events is contained. The speed and effectiveness of communication with the people and institutions most affected - in particular customers - should be at the forefront of every firm’s response, warned the regulators.
Motivating this approach are three important concepts:
• Focussing on the continuity of the most important business services as an essential component of managing operational resilience.
• Setting board-approved impact tolerances which quantify the level of disruption that could be tolerated.
• Planning on the assumption that disruption will occur as well as seeking to prevent it.
These are consistent with the Financial Policy Committee’s recent plans to establish its tolerance for disruption to financial services from cyber incidents, with both focussing on continuity of business services.
The regulators stated that organisations should have backup plans in place to enable full recovery within two working days. Firms that fail to demonstrate adequate planning could face a requirement to hold higher capital levels, sanctions against executive leadership, or a demand for more IT investment.
The discussion period ends on 5 October 2018, with regulators encouraging all types of firms and FMIs, trade associations, consumer bodies, individuals and businesses as users of financial services, to respond.
David Strachan, partner and head of Deloitte’s EMEA Centre for Regulatory Strategy, noted that some firms will already be doing elements of this work across their business, but not necessarily by design.
“Firms will need to skew their priorities for investment towards mitigating the overall impact of a disruption on their key business services,” he commented. “The more customers, the more primary current accounts, and the closer the disruption to end-of-day, the more important to regulators.”