UK banks and other financial services firms are to face tougher regulatory requirements around cyber resilience, including the need to set tolerances and demonstrate plans for dealing with major IT outages.
The move reflects increasing calls by regulators for better preparedness and reporting of cyber incidents as dependence on technology grows. Earlier this year the UK’s Financial Conduct Authority (FCA) called for prompt reporting of cyber-attacks, as well as for statistics on major operational and security cyber incidents to be made public.
In July, UK regulators set out their thinking on cyber-related operational resilience in Discussion Paper DP01/18. The paper, published jointly by the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the FCA, proposes new regulatory requirements aimed at making the country’s banks, insurers and asset managers more resilient to technology-related service disruption, such as a major IT outage, an outsourcing failure or a major cyber-attack.
The focus on operational resilience comes after a string of outages in the financial services sector this year. In May, customers at TSB suffered almost a month of disruption following a problematic IT upgrade, while Visa’s payment system suffered a partial service outage. In July, Lloyds Bank experienced problems with its fast payment system.
Speaking at a recent conference, PRA Deputy CEO Lyndon Nelson said operational resilience is now one of the most important issues for financial services. Nelson said there has been an increase in the number of operational incidents, caused either by internal failures or by external attack. As a result, regulators must set out clear expectations of firms in respect of their operational resilience, he said.
UK regulators are already focused on the threat posed by cyber, but the discussion paper marks a gear change with regard to business continuity and the sector’s increasing reliance on technology. It sets out regulatory thinking on ensuring continuity of services following a cyber incident and invites firms and international regulators to join the debate.
The paper places emphasis on prioritising the provision of business services, rather than on systems and processes. According to the paper, banks and other financial services providers should plan for the continuity of services regardless of the cause of disruption. Boards should “assume that some (or all) supporting systems and processes will fail” and “increase the focus on back-up plans, responses and recovery options”.
Regulators suggest that firms focus on business services that, if disrupted, could lead to significant loss of customers, major financial loss or reputational damage. Examples might include: disruptions to the services that allow customers to transfer funds between accounts; the bank being unable to extend commercial finance; or an insurance company not able to fund and hedge its balance sheet.
The focus on business continuity has important implications for financial services companies that face competitive pressures to upgrade their ageing IT systems and adopt new technologies. The discussion paper says that firms will in future need to prioritise continuity of business services when planning upgrades to their IT systems.
PLANNING, TESTING AND REPORTING
According to the paper, regulators will expect firms to increase their operational resilience, particularly in response to evolving threats like cyber-attacks. It emphasises the need for financial services firms to identify vulnerabilities, plan for disruption and test their business continuity plans. They will then be required to demonstrate to the regulator that appropriate plans are in place.
The discussion paper also places emphasis on the role of the board and senior management in ensuring operational resilience for cyber. In his speech Nelson said that the BoE will expect firms’ boards to play a key role in setting cyber resilience strategies, including promoting the development of management information and overseeing resilience programmes and investments in technology, systems and people.
The paper states that regulators will seek assurance that firms have the capabilities to deliver operational resilience, and that their practices, processes and culture allow them to adapt and respond to operational disruption. There are a number of ways in which regulators are likely to seek such assurance, including increased use of questionnaires to assess operational resilience. For example, a capabilities assessment questionnaire could be derived from the existing National Cyber Security Centre (NCSC) Cyber Assessment Framework.
Under the proposals, the BoE’s Financial Policy Committee (FPC) is to set tolerances for periods of disruption to the delivery of vital services. The PRA also intends to run a sector-wide exercise to assess the industry’s ability to respond to major cyber disruption. The boards of financial services companies will also be required to set their own tolerances for key business services and justify them in an impact tolerance statement.
The supervisory authorities consider that setting impact tolerances could play an important role in increasing the operational resilience of firms. The paper suggests that tolerances should be used to take decisions on investments, risk management, business continuity planning and corporate structure.
With growing reliance on technology and outsourcing, international regulators are increasingly turning their attention to the ability of banks and other financial services firms to withstand disruption and maintain their critical services.
The UK regulator sees cyber and operational resilience as an issue requiring cross-border coordination. The discussion paper notes that there is not currently an international framework supporting the regulation of financial services’ operational resilience, but given the global and interconnected nature of financial activity, international engagement is “critically important”.
The PRA says that it is working through the Basel Committee, the Group of Seven (G7), the International Organization of Securities Commissions (IOSCO), the Financial Stability Board (FSB) and other international bodies to push for increased international coordination in this area. The Basel Committee, for example, said in June that it is working on plans related to cyber risk and operational resilience that could result in new measures to enhance banks’ operational resilience.