Seven actions to improve your cyber security and operational resilience
The travails of Travelex are a timely reminder of the importance of resilient operating systems and processes.
In December 2019 the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority published a series of consultation papers on operational resilience. Following on from a July 2018 discussion paper, these consultation papers will inform future regulatory policy for financial services companies in the UK.
The consultation period closes in early April 2020 and the regulators are expected to impose a relatively short implementation period with the new framework likely to be in effect by the middle of next year.
At that point firms are expected to have up to three years to identify their important business services, set appropriate impact tolerances and demonstrate they can meet them to the satisfaction of supervisors.
“Since the financial crisis, regulators have spent a lot of time addressing financial resilience,” says Rick Cudworth, partner with the resilience practice at Deloitte. “They are now shifting their focus to operational resilience amid concerns that financial services companies have not devoted sufficient attention to operational vulnerabilities.”
The regulatory consultation papers refer to the importance of corporate mindset and governance.
Action point 1:
Has your firm recognised that disruptions are inevitable and is there engagement and involvement with the process right up to board level?
Firms need to identify their important business services from the perspective of the potential impact of these services being unavailable and the resulting harm done to customers or other parties, the ongoing viability of the firm itself, and the potential for systemic failure across the wider financial services sector.
Organisations should deploy an operational resilience framework to structure their assessment across a number of different areas.
Action point 2:
Does your framework consider the resilience of your change processes and culture as well as obvious issues such as suppliers, premises and security?
Ruari Scullion, a consultant at management consultancy PEN, suggests that firms must strike a balance between allowing a defined set of processes and activities time to bed in, and becoming set in their ways and failing to recognise that what was relevant six months ago may be less relevant now.
“Managing operational resilience should become an ongoing exercise for senior stakeholders,” he adds.
Action point 3:
Assessing resilience appetite and maturity should be a regular exercise with accountability ideally resting with the board. Operational resilience assessments should be reviewed at least every six months with key metrics reported to the accountable body monthly.
An enterprise-wide operational resilience framework and operating model enables firms to understand which services have the potential to cause the most harm if they were disrupted, explains Andrew Husband, partner and head of operational resilience at KPMG UK.
“Firms can then set about making those services - and all the resources which support that service - more resilient,” he says. As fintechs scale up and become more systemic, clients need to have confidence that these outsourced service providers have the necessary controls in place.
Action point 4:
In addition to identifying their important business services, firms need to understand how these services are delivered.
“It is necessary to set quantitative metrics as well as qualitative considerations to determine tolerable levels of service disruption,” says Cudworth. “Where services are delivered through an outsourced partner, this partner needs to be capable of working within these parameters.”
For service providers that play an integral role in a firm’s critical service line, the firm should have a clear view on the provider’s business continuity plans and associated incident management service level agreements to resolve issues.
“This should be cross-checked with the firm’s tolerance of outages, taking into account that how the outsourced provider reports risks in its organisation may impact the service the firm provides,” adds Scullion.
Action point 5:
Firms need to maintain an up-to-date register of outsourcing relationships, distinguishing between those that are material and those that aren’t.
For any material outsourcing agreement, firms must be able to provide unrestricted access to information on the third party such as audits or information rights around premises or data.
“Additionally, the PRA is emphasising ‘pooled audits’ - audits organised by groups of firms sharing one or more service provider and performed by representatives of the participating firms, or by specialists appointed on their behalf,” observes Husband.
Last September the Bank of England published the results of a simulation exercise designed to assess the financial sector’s resilience to cyber incidents. One of the key findings was that disparity in risk tolerance for suspending services could impact the functioning of the sector.
Action point 6:
When determining an ‘acceptable’ level of service disruption, your firm may find that it could experience a reasonable level of disruption without materially impacting your customers.
“Taking an example from the investment management industry, if payments for redemptions in a fund are not able to be made on settlement date this will impact customers to some extent but not so much that it could materially and substantially impact the reputation and viability of the investment manager,” adds Husband. “However, inability to pay out redemption proceeds from the fund for three days or inability to execute on subscriptions to the fund could have that effect.”
The Bank of England’s consultation paper provided a clear definition of what an impact tolerance is, as well as clarifying the difference between impact tolerance and risk appetite.
The guidance provided is that a risk appetite statement articulates the amount of risk a firm is willing to take in pursuit of its strategic objectives, whereas an impact tolerance assumes that a particular risk has already crystallised and articulates the maximum tolerable level of disruption for that risk.
“The regulator has been explicit in setting an expectation that all FCA regulated firms should use time as one of their impact tolerance metrics,” concludes Husband.
Action point 7:
For those firms that are regulated by the PRA, that body has suggested that other metrics such as value and volume can also be considered.
About the author
Paul Golden is a freelance journalist with over 20 years’ experience working for national and regional newspapers and specialist financial services titles.