Operational Resilience: Don't forget Cyber Resilience!
The FCA published a cyber resilience questionnaire cross sector report in 2018 and its findings are still relevant today. The cross sector report highlighted that the following points were top of the agenda for many firms:
Concerns around cyber resilience
Improving information sharing
Challenges of managing third parties
In response to COVID-19, many firms switched to remote working and increased reliance on technology and third parties. A trend which is likely to remain in some shape or form. It’s crucial that cyber resilience is factored into a firm’s operational resilience framework and that the risks are clearly understood.
The FCA has highlighted in various documents that it considers technology to be both an area of innovation and risk, due to the speed with which technology develops. It continues to be an area that boards must understand to enable suitable risk management processes to be implemented. Ultimately, it is the board making key decisions regarding investment, consequently, it’s vital that they understand the risks posed by innovation.
What is cyber resilience?
Firms need to understand the fundamentals. When firms were told that they needed to have policies in place to deal with cyber security, some merely relabelled their Information security policies to become cyber security policies and left it at that. I guess that’s where the lack of understanding of the cyber issues raises its head.
The systems and controls in place to protect information from unauthorised access, disclosure, disruption and destruction. Breaches of these controls could lead to data theft. With information security, firms focus on controlling the confidentiality, integrity and availability of data.
Potential attacks via a network regardless of the target. Targets could include data, systems or the network itself. The cyber security landscape changes almost daily, there is no single group of threats. Recent data indicates that the material cyber incidents reported to the FCA in 2021 increased from 76 in 2020 to 116 in 2021.
Firms need to protect their critical information, detect attempts to breach their protective controls and respond quickly and effectively. As cyber attacks change, firms need to build effective systems enabling them to prepare for such events and aid speedy recovery.
In March 2022, PRA’s Charlotte Gerkin reminded insurers of risks posed by cyber attacks.
There was a reminder that COVID caused widespread disruption which demonstrates that firms need to invest in their resilience to provide greater protection to themselves and the wider infrastructure.
The reliance on third parties including technology requires greater oversight and continued awareness of risks posed by third parties. In addition, the PRA reminded firms that they remain responsible for managing their risks and third party risk management continues to be high on the regulatory agenda.
The FCA's operational resilience event in January 2022 reminded firms that cyber resilience should also be included as part of any operational resilience framework. Early observations from interaction with the industry indicated that firms were forgetting to include cyber resilience as a potential scenario and not factoring it into the stress testing activities.
When it comes to cyber resilience, there are some key actions to take, for example:
Review the basics. Experience tells us that some attacks could have been prevented by basic security measures such as ensuring patching is maintained
Ability to detect attacks and have a robust plan. To mitigate the risk of attack, firms need to agree their tolerance levels regarding any systems or data being unavailable
Be prepared. Having a contingency plan which includes a communications plan aids prompt escalation of any issues. Everyone knows exactly which steps to take and who needs to do what and when. This can be key when handling client queries and managing regulatory expectations.
As part of the overall operational resilience regime, we’ve now entered the transitional period ending on 31 March 2025. This current phase allows firms to test their ability to stay within their impact tolerances.
During this stage, firms should:
Review any breaches of the set impact tolerances
Identify any lessons learned
Share findings with third parties to improve processes
Maintain an audit trail of any changes or decisions that are made.
Ultimately, the escalation and governance processes will be key in helping to refine processes and direct investment where it is needed.
How Ruleguard can help you:
Ruleguard is an industry-leading software platform designed to help regulated firms manage the burden of evidencing and monitoring compliance. It has a range of tools to help firms fulfil their obligations across the UK, Europe and APAC regions.
Ruleguard allows firms to organise planning for extreme but plausible scenarios, model impact tolerances and identify investment gaps. It also helps firms to:
define service levels and tolerance thresholds for each service to define how much impact on customers and the market is acceptable in extreme but plausible scenarios
vary the resource parameters using our intuitive interface and see how these changes impact your service thresholds in the model
easily identify gaps for investment and automatically create a resilience self-assessment document for board review.
The scale of operational resilience compliance can seem daunting, but with Ruleguard's experience and technical design skills we’ll help you quickly have it under control.
Get in touch with the Ruleguard team to learn more on 020 3965 2166 or email@example.com
Ruleguard hosts regular events.
To register your interest or learn more, please click here.
Request a complimentary copy of our White Paper on Operational Resilience click here.
See our blog page for further articles or contact us via: firstname.lastname@example.org
Visit our website to find out more about how Ruleguard can help:
Contact the author
Head of Client Regulation| Ruleguard