Why a new standard of operational resilience is required for the UK Finance sector
In a heightened cyber threat landscape - where ransomware attacks are increasing in frequency and sophistication - and having weathered the challenges of COVID-19 and the resulting move to hybrid working, the Finance sector is still continually challenged to demonstrate to its customers that critical services will remain available no matter what, and that sensitive financial data will remain fully secure at all times.
In other words, organisations ranging from banks to insurers, investment firms, and building societies must be able to provide tangible evidence of their ability to recover from an outage and continue operating, as part of their operational resilience.
What is operational resilience?
In simple terms, operational resilience is the ability of an organisation to minimise the impact of any form of operational disruption - whether that is an 'act of God' or a deliberate cyber-attack. There are several elements to this, including identifying potential disruptions and acting to secure infrastructure against them, having effective disaster recovery processes in place to minimise the impact should a disruption occur, and - critically - being able to learn from any incidents to ensure they do not reoccur. It is a critical aspect of maintaining customer confidence and ensuring compliance obligations have been met.
In March 2021, the FCA published formal guidelines regarding the standard of operational resilience financial firms must be able to demonstrate. These regulations came into force on 31st March 2022, which means all firms to which these regulations apply must have conducted thorough mapping and testing of their infrastructure's impact tolerance, and put measures in place to remedy any areas that fall below standard, by 31st March 2025.
This scrutiny has since been extended to the Cloud providers with which many in the Finance sector have already partnered, as the Bank of England's Prudential Regulation Authority (PRA) recently announced that all such providers will be subject to greater scrutiny going forward, in order to ensure they can demonstrate the standards of resilience, transparency, and compliance the sector demands, and so mitigate the potential impact of any outage or successful cyber-attack.
Developing a more resilient infrastructure
While the FCA guidelines provide an invaluable foundation and methodology for operational resilience in the Financial sector, it is important to bear in mind that this is just the first step.
Operational resilience is very much a journey rather than a one-off project, as the cyber threat landscape is evolving at a speed never seen before. Organisations that deal with any sort of highly sensitive data - financial data, in this case - must therefore assume that a cyber-attack will prove successful at some stage and plan accordingly.
This means putting measures in place to ensure that infrastructure can be restored, data secured, and a thorough analysis conducted to avoid similar incidents in the future - all of which should be reviewed on a regular basis to ensure they remain fit for purpose.
There are multiple dimensions to this, including creating and securing backups of critical data, monitoring critical assets, providing staff with regular cyber security training, and maintaining full control of all data flows, ensuring corporate security policies are consistently applied at all times. There are both human and technical challenges involved here, as for all the advances in cyber security technology, human error remains the leading cause of data breaches. Comprehensive security policies, leading-edge technology, and regular testing must go hand-in-hand with employees who are fully aware of their individual security responsibilities and make current best practice a part of their daily routines.
In addition to acting on the FCA regulations at the earliest opportunity, we would also strongly advise you to work closely with a cyber security specialist with proven experience of financial firms' singular security and compliance challenges, access to the latest threat intelligence, and a deep understanding of the sector's Cloud requirements, particularly in light of the recent PRA announcement.
If you would like to explore any of the challenges highlighted in this post in greater depth, and begin optimising your own firm's operational resilience, do not hesitate to contact us.