Ensuring the UK financial sector is operationally resilient for consumers, firms and financial markets
The new FCA Operational Resilience Rules and Guidance come into force on 31st March 2022, with a three-year onboarding requirement to meet this new regulation. This means that any organisations in scope will need to set a threshold for acceptable downtime for their critical services and have the capability in place to effectively recover from a cyberattack or other incident within this downtime window.
The Guidance states that, by 31st March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption to those services, and carried out mapping and testing to the level of sophistication necessary to do so.
Who must comply with the Operational Resilience regulation?
The Operational Resilience regulation has been compiled as a joint venture between the FCA, the Bank of England and the Prudential Regulation Authority (PRA) and targets firms in the following sectors:
- Building societies
- PRA-designated investment firms
- Recognised Investment Exchanges
- Enhanced scope Senior Managers & Certification Regime (SM&CR) firms
- Entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011.
Similar in nature to GDPR
For those less familiar, planning for the FCA’s Operational Resilience requirement is similar in nature to GDPR, where discovery, people and processes play a key role. However, the focus of the Operational Resilience bill is on ensuring that the UK financial sector is operationally resilient for consumers, firms and financial markets. It states that an operationally resilient financial system is one that can absorb shocks rather than compound them. Operational disruptions and the unavailability of important business services have the potential to cause wide-reaching harm to consumers, could put market integrity at risk, threaten the viability of firms, and cause instability in the financial system.
Achieving a mature and robust operational resilience programme requires a broad, integrated range of activities connected to governance, risk management and compliance. At its heart, though, this is about service discovery and classification, and about making sure the organisation has the right people, processes and technology in place. As with GDPR, there is no single IT solution to this regulation, but once financial services organisations have set their impact tolerance thresholds, there is of course a role for technology to play.
A three-year window to implement
This is brand-new regulation, which started in 2018 as a discussion paper and is due to go live in its final format at the end of this month. As mentioned above, businesses will have three years to implement it, with a deadline of the end of March 2025, but they are incentivised to implement it as soon as possible to build stability and consumer trust in the UK financial sector. Businesses will therefore have to work out which of their critical systems serve their clients, and what the impact would be if they lost those systems or could not deliver services to their customers. They will need to determine the maximum outage they could suffer without causing undue harm to the business. This will be a business-led conversation at board level to establish which services they could run without, and for how long. Financial services institutions will then need to put measures in place to check that they never go beyond the threshold they have set.
The disruption caused by Covid-19 has shown why it is critically important for firms to understand the important business services they provide, and to invest in their resilience to protect themselves, consumers and markets. The distributed workforce has also accelerated the rise in ransomware attacks: new digital systems required multiple access points for customers, partners and employees, creating a vastly expanded attack surface, and malicious actors quickly took advantage of the increased number of attack vectors. As a result, cybercrime has escalated, and a record-breaking number of cyberattacks of increasing severity are taking place year on year. In fact, in the past couple of years, ransomware attacks have doubled and – in some instances – quadrupled in frequency.
What do organisations need to do?
So, with this deadline looming, have organisations identified the impact tolerances for their important business services, as set out by the FCA’s Operational Resilience regulation?
Do they have the technology and processes in place today to achieve them?
The FCA, the Bank of England and the Prudential Regulation Authority have been heavily involved in putting this regulation in place, along with a handful of the bigger financial organisations who are already ahead of the game; but there are many who are almost starting from scratch.
If you’re one of these firms, by 31 March 2022 you will need to have:
- Identified your important business services that, if disrupted, could cause intolerable harm to consumers of your firm or risk to market integrity, threaten your firm’s viability or cause instability in the financial system.
- Set impact tolerances for the maximum tolerable disruption to these services.
- Carried out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in your operational resilience.
- Conducted lessons learnt exercises to identify, prioritise, and invest in your ability to respond and recover from disruptions as effectively as possible.
- Developed internal and external communications plans for when important business services are disrupted.
- Prepared self-assessment documentation.
Organisations need to ensure that they build resilience in the right way, considering how the whole architecture can be made more resilient, with a mission statement that sets this out as a goal from which the organisation subsequently designs backwards. Here at Northdoor we have been engaging with several clients over the last year, supporting activities around the new Operational Resilience regulation. Our work starts with a gap analysis of the current technology and processes against a resilience target. Once the areas of concern are known, discussed and documented, we can bring our skills and experience in designing resilient architectures to bear, helping clients put in place a technology framework that most efficiently addresses their cyber security needs. If you would like to learn more about our assessment and architecture services, please do get in touch.
This insight was first published on Northdoor.co.uk by Tom Richards on the 28th March 2022