In the months to come, UK information and communications technology (ICT) experts may find an increasing number of financial services (FS) firms (e.g. banks, insurers and asset managers) or financial market infrastructures (FMIs) (e.g. clearing houses) approaching them for assistance. It may be to assess their ability to ward off a possible cyber threat or recover from a cyber incident. It may even extend to providing an opinion on the resilience of their IT capabilities in relation to some aspect of their operations.

Before accepting such an assignment, however, it might be helpful to understand the wider context for these requests. While Covid-19 and the activities of the SolarWinds hackers have helped to highlight the need for FS firms and FMIs to be operationally resilient across all areas of their business, UK regulators (BOE, PRA and FCA) have been at the forefront of developing new rules that will require UK FS firms and FMIs to develop their operational resilience frameworks (ORF) within one year of the final rules being published. The publication of the final rules has been delayed by Covid-19, but they are expected in Q1 2021 (or shortly thereafter).

FS firms will be required to explicitly map and manage the activities and resources – people, processes, technology, facilities and information – that underpin the Important Business Services (IBSs) they offer to consumers. IBSs are not to be confused with business lines, so identifying IBSs at an appropriate level of granularity is a challenge in itself. Then, once these are defined, an impact tolerance must be set for each. The impact tolerance (first and foremost) sets a strict time limit on the duration of any disruption to a specified IBS; as a corollary, any disruption exceeding the impact tolerance would be deemed intolerable to consumers. Thus a firm’s ability to respond to and recover from a disruption will be key, as will its ability to communicate with consumers and other stakeholders throughout the disruption.

Although FS firms are responsible for setting impact tolerances, they must document their rationale, and supervisors will challenge them. Firms must avoid setting impact tolerances in accordance with what can be achieved today. Instead, they will need to set them in accordance with the promises they make to consumers receiving their services and the promises made to the BOE, PRA and FCA in exchange for their licence (most notably, in relation to consumer protection, market integrity and financial stability). As such, it will be essential for firms to understand where IBSs might be vulnerable, test their ability to remain within impact tolerance levels, and address shortcomings with near-term actions and longer-term strategies.

The focus on IBSs therefore requires FS firms to look at risk horizontally across their operations, rather than in vertical risk management silos. As such, it will require cyber experts to work with teams that may include an array of specialists from various areas of the firm including, for example, client services or HR.

It is not just UK regulators who are seeking to promote operational resilience. In the US, regulators have side-stepped the introduction of new rules, with the issuance of inter-agency sound practices guidance on operational resilience based on existing rules and guidance.

Like the UK draft rules, the US guidance addresses business continuity and outsourcing; however, it places greater emphasis on cyber risk management by including a dedicated set of sound practices for it. The US guidance has sent the financial services industry a clear signal of supervisory expectations, and early reports indicate that it is working. As noted in a recent article by Chris Kentouris, firms are finding that “it will take a village to figure out the weakest links in the chain of front, middle, and back-office functions and how to correct them…”

Similar work, with a focus on cyber risk management and outsourcing, is also occurring in other jurisdictions. In the EU, further to the ECB’s December 2018 publication of its cyber resilience oversight expectations, the EU Commission proposed the Digital Operational Resilience Act (DORA) in September 2020. DORA has two parts. The first part applies to a wide set of financial services entities (including crypto asset providers) and includes: specific ICT risk management requirements, incident reporting provisions, scope for firms to share information with one another, and contract requirements governing the management of third-party risks. The second part applies to “critical” technology providers (e.g. cloud computing services) and is a response to the concentration risk arising from many financial services firms relying on a handful of technology providers. Under the proposal, one of the European Supervisory Authorities (ESAs) would be appointed as Lead Overseer for every critical third-party ICT provider, with powers to monitor these providers and access to the information necessary for their oversight.

The Monetary Authority of Singapore (MAS) has framed its approach to operational resilience in terms of its ongoing work on operational, technology and cyber risk. Notably, it established a Cyber Security Advisory Panel (CSAP) in 2017 and recently published its MAS Guidelines on Risk Management Practices – Technology Risk.

So, the direction of travel is clear, and other regulators will follow with their own proposals. Operational resilience will be a major regulatory deliverable for boards and senior management teams around the world. Successful implementation of a firm’s operational resilience framework will have multiple dimensions and require input from areas such as business units, operations, IT, risk management and BCP. Operational resilience will also change how these areas operate as the new rules become ongoing requirements.

Author Biographies

Anita Millar is a risk and public policy professional with over 20 years of experience working in the financial services sector. Her career spans risk management, audit, and consulting on regulatory change. She has held roles at ISDA, HSBC, Insight Investment, AFME, Northern Trust, and RBS. Her regulatory work spans cross-border regulation, Basel II (credit & operational risk), Basel III (capital & liquidity), MiFIR, EMIR, EU Banking Union and a proposed EU Financial Transaction Tax (FTT). She has also written research reports for City of London Corporation/TheCityUK and Invest Europe (previously EVCA).

Palvinder Gill is a senior prudential and risk practitioner who has held roles at Credit Suisse, Macquarie Group, Morgan Stanley, Nomura and Wells Fargo. He has also worked as a policy maker at the Bank of England and FSA and as a regulatory consultant at EY. His regulatory and risk projects span prudential capital and liquidity, including Basel II, Basel III, ICAAPs, ILAAPs, Recovery Plans, FRTB, IFR/IFD, Pillar 3 Disclosures and TCFD climate disclosures.