British banks, clearing houses, and payments systems have been asked by the UK’s Bank of England (BoE) and Financial Conduct Authority (FCA) to complete reports on their exposure to, and plans to manage, IT outages and cyberattacks by October 5.
“We are seeing an unprecedented amount of change from financial institutions who need to improve the operational efficiency, resilience and compliance of systems whilst also reducing the vast cost of running them,” said Nick Hammond, lead advisor for financial services at World Wide Technology, a technology solutions provider.
This follows a financial stability report by the Bank of England (BoE) which was published in June. The report stated that the Financial Policy Committee (FPC) was setting standards for how quickly critical financial companies must be able to restore vital services following a cyber attack. Working with the National Cyber Security Centre, the central bank would test firms ability to meet the FPC standards.
The regulation comes in the wake of high-profile cyberattacks and major technology glitches experienced by banks.
Hammond said: “We are seeing an unprecedented amount of change from financial institutions who need to improve the operational efficiency, resilience and compliance of systems whilst also reducing the vast cost of running them.
“Because of the way they have been put together over time, it can be very difficult for financial institutions to understand which parts of their systems are linked into and dependent on each other – and therefore what the domino effect will be if something goes wrong.”
According to the BoE report, to guide firms in their planning the FPC will establish its tolerance for the length of disruption to the delivery of vital services the financial system provides to the economy. The timeframe is called the FPC’s ‘impact tolerance’.
“The nature of the complex systems means that one wrong change can have a very severe effect, and because you are doing so many changes the likelihood of getting it wrong increases,” said Hammond.
According to a spokesperson at the BoE, there are certain steps the regulators will take to inform the approach. “We have proposed certain requirements on ensuring that firms are operationally resilient. That is a discussion paper that the three authorities have put together (the Financial Conduct Authority, the Bank of England, and the Prudential Regulation Authority) . The policy teams will take that away, assess the responses and then we will think about next steps.”
“This is quite different to what we normally do,” the spokesperson said. “This is a discussion paper, rather than saying we are definitely going to put this policy in place, we are consorting and you can tell us what you think about it. Here we are inviting the industry to comment, academics, trade bodies, everybody. We are going to think about running a pilot stress test for cyber for a number of sestemic institutions.
“We are not at this stage saying we want you to report how you are dealing with operational resilience in respect of the proposal outlined in that discussion, what we are saying is these are our proposals let us know what you think about them. We are think you need to be more provactive.
“Ultimately what we are saying is the envirnoment is changing. It’s more complex. There are different actors. Disruption can be caused by a number of factors. This is a big risk and we want you to think about how you manage it.”