The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a joint discussion paper (DP) on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs).
The document offers the concept of ‘impact tolerance’, to encourage companies ‘to assume operational disruptions will occur’.
In a foreword to the document, Andrew Bailey, chief executive of the Financial Conduct Authority; Jon Cunliffe, Deputy Governor, Financial Stability at the Bank of England; and Sam Woods, Deputy Governor, Prudential Regulation of the Bank of England and Chief Executive of the Prudential Regulation Authority, make the point that there is no international framework supporting the regulation of financial services’ operational resilience.
They say: “A resilient financial system is one that can absorb shocks rather than contribute to them. The financial sector needs an approach to operational risk management that includes preventative measures and the capabilities – in terms of people, processes and organisational culture – to adapt and recover when things go wrong. As recent high-profile disruptive events have shown, the speed and effectiveness of communications with the people most affected, including customers, is an important part of any firm’s or FMI’s overall response to an operational disruption.”
The paper envisages that boards and senior management can achieve better standards of operational resilience through increased focus on setting, monitoring and testing specific impact tolerances for key business services, which define the amount of disruption that could be tolerated. The challenges for operational resilience have become even more demanding given a hostile cyber-environment and large-scale technological changes. As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers, the document argues.
An operational disruption such as one caused by a cyber-attack, failed outsourcing or technological change could impact financial stability by posing a risk to the supply of vital services on which the real economy depends, threaten the viability of individual firms and FMIs, and cause harm to consumers and other market participants in the financial system. This DP focuses on how the provision of these products and services can be maintained within reasonable tolerances regardless of the cause of disruption. It reinforces the need for firms and FMIs to develop and improve response capabilities so that any wider impact of disruptive events is contained. The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response.
Behind the approach are a number of important concepts, which include:
focusing on the continuity of the most important business services as an essential component of managing operational resilience
setting board-approved impact tolerances which quantify the level of disruption that could be tolerated
planning on the assumption that disruption will occur as well as seeking to prevent it
The approach to operational resilience set out in this DP is consistent with the Financial Protection Committee’s (FPC) recent plans to establish its tolerance for disruption to financial services from cyber incidents, with both focusing on continuity of business services. The supervisory authorities may expect some firms and FMIs to consider the FPC’s impact tolerance when they set their own tolerances.
The supervisory authorities are encouraging responses to questions posed in the DP from all types of firms and FMIs, trade associations, consumer bodies, individuals and businesses as users of financial services, and especially those harmed by disruptive events.
The discussion period ends on October 5.
Read the 48-page PDF, DP 18/4: Building the UK financial sector’s operational resilience, at the Bank of England website.
Comments
Carl Davies, CEO of TmaxSoft UK says: “Even before we started to see IT disasters play out in the public domain, due to the level of risk involved in large scale migrations, many IT leaders and CIOs have been delaying implementing their digital transformation projects. And now, with the FCA’s and BoE’s warning, these anxieties are likely to be heightened further still. This move will discourage the financial sector from taking on the change programmes they need to survive. At this stage, many traditional financial services firms should be making the necessary steps to move away from the legacy technologies, such as mainframes, that hold them back.
“Although BoE and the FCA’s acknowledgement of risks involved in IT projects is important, companies can minimise the chances of disruption by taking the steps required. When it comes to moving away from mainframes, one of the riskiest tasks is altering programmes and applications, or re-writing code. Re-engineering systems can take years, which means that the scope for error is far-reaching. However, financial institutions have the option to re-host their mainframes, meaning that they can simply lift existing mainframe assets and shift them to new open platforms. Re-hosting is faster, less risky, and helps systems to operate in the exact same way, but many organisations still choose outdated strategies that put them at harm.
“Although there are risks involved in any transformative projects, both the FCA and BoE should inform firms that there is a light at the end of the tunnel. Organisations will be in a much stronger position once they have migrated to new systems, achieving the desired outcome and becoming a modern organisation that provides customers with personalised, seamless and uninterrupted services. Transformation does not have to be a dangerous journey. It is therefore imperative that any organisation that is considering a transformation project first identifies any gaps in their knowledge and works with the right partner to secure the smoothest transition possible.”
James Hadley, CEO and Founder of Immersive Labs, said: “Preparing for an incident is a key to reduce the impact from either an accidental or deliberate act causing an outage. Organisations need to be proactive in their risk reduction encompassing hardware, software, services and most of their people. Ensuring organisations have the skills required when needed is key to providing confidence to both internal and external stakeholders.”
And Dan Sloshberg, Director Product Marketing at Mimecast, says: “This Bank of England discussion paper clearly highlights that banks and other financial services providers are responsible for continuity, both when running IT systems in-house and when outsourcing to cloud service providers. The growing dependence on operational IT services, from payment processing technologies to cloud email in Office 365, requires a risk-based approach to building cyber resilience. This response involves combining a defensive strategy with an ability to get back up and running quickly, with minimum disruption and zero data loss. This should be paired with alternative access routes to key systems like email so businesses can keep on running, even when the worst happens.
“WannaCry was a wakeup call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure. Organisations can also learn from the new NIS Directive. This legislation clearly signals the move away from pure protection-based cybersecurity thinking. Robust business continuity strategies have never been more important to ensure organisations can continue to operate during an attack and get back up on their feet quickly afterwards.
“Now we just need to see the Bank of England clarify which services are integral to continuity. Should all elements be considered, and the impact of downtime be properly assessed, we would expect key communications systems like email to be explicitly mentioned in their guidance.”