In conjunction with the Bank of England and the Prudential Regulation Authority, the Financial Conduct Authority (FCA) has issued a discussion paper on the “operational resilience” of authorised firms.

In launching the paper, the FCA notes that:

“The challenges for operational resilience have become even more demanding given a hostile cyber-environment and large scale technological changes. As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers.”

It calls on senior management to have an “increased focus on setting, monitoring and testing specific impact tolerances for key business services.”

The paper classifies the challenges to building operational resilience into five categories:

  • Technological innovation – including advances in fintech, artificial intelligence, distributed ledger and crypto assets
  • Changing behaviours – such as a demand for instant access to financial services, faster transactions and advances in mobile technology
  • Keeping pace – where issues include skills gaps and obsolescence
  • The “challenging environment”, which encompasses the threat of cyberattacks and cost pressures
  • System complexity – including issues relating to use of third parties, cross-border dependencies and concentration risk

The paper suggests that firms should have the following arrangements in place:

  • A clear understanding of what their most important business services are
  • A comprehensive understanding of the systems and processes that support these business services
  • Knowledge of how the failure of any one of these systems or process could affect the provision of the business service
  • Tested business continuity plans that would enable them to continue business services when incidents occur, or at the very least to resume business services with minimal delay
  • Clearly identified plans for who is responsible for what in the event of a disruptive incident
  • Comprehensive external communication plans which will keep customers, other market participants and the supervisory authorities clearly informed in the event of an incident

An ‘incident’ here could mean a cyberattack, major data loss, fire, flood, theft, anything restricting access to the firm’s premises, and a number of other seriously disruptive events – indeed it could mean anything which prevents the firm from conducting business in the usual way. Firms of all sizes, across all business sectors, should ask themselves whether they have the above arrangements in place. The paper acknowledges that even the very smallest firms are likely to have important business services.

The paper contains an extract from the June 2018 Financial Stability Report issued by the Financial Policy Committee, the body responsible for identifying systemic risks within financial services. This extract emphasises:

“Firms have primary responsibility for their ability to resist and recover from cyber incidents. The supervisory authorities expect boards to take responsibility for the cyber resilience of their firms.”

In conclusion, the paper suggests there are four key elements for firms to consider:

  • Preparation – firms should identify and focus on the continuity of their most important business services
  • Recovery – firms should assume disruptions will occur and develop the capability to adapt their business processes and practices in the event of disruptions to ensure continuity of service provision
  • Communications – firms should have strategies for communicating with their internal and external stakeholders (staff, customers, suppliers, service providers, regulatory authorities etc.) in the event of any incident
  • Governance – as in so many other areas, senior management have the primary responsibility when it comes to ensuring operational resilience

Responses to the discussion paper are invited up to and including October 5 2018.

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article