A couple of months ago, on 31st March, the financial sector in the UK had to abide by new operational resiliency regulations and guidance. The rules were designed by the FCA (Financial Conduct Authority) in partnership with the PRA (Prudential Regulation Authority) and the BoE (Bank of England), with the aim of improving and strengthening the operational resilience and business continuity services of financial firms.
As financial service firms work towards digital transformation, driven by the recent pandemic, there is an ongoing reliance on disaster recovery services that are cloud-based. In fact, the Disaster Recovery as a Service (DRaaS) market is predicted to grow globally by 39.5% in 2022.
So, what is the impact of the new operational resiliency regulations, and how can firms in the financial sector ensure they have robust business continuity services?
Why are business continuity services important?
The adoption of digital services has been gaining momentum over the past few years as the financial sector worked towards digital transformation, partly driven by the Covid-19 pandemic. But this has also increased reliance on technology, such as cloud services, and many firms are now outsourcing IT services. The result is an ever-growing need to focus on operational resilience and business continuity.
During the pandemic, the demand for digital services from consumers grew significantly, but so too did the number of potential cyber threats facing financial firms. In addition, businesses experienced a higher level of disruption to their IT infrastructures, as well as downtime, often brought about by a surge in the number of users wanting digital access to their accounts at any one time, which many legacy systems were unable to cope with.
Not only does an extended period of outage cost money, but it also has an impact on reputation. Business continuity services ensure a business is able to respond to any interruptions quickly, maintain operational resiliency and get consumer services back online in as short a time as possible. In addition, firms are able to meet their regulatory and legal obligations and reduce overall risk to the business.
The new operational resiliency regulations for financial services
The financial services sector is considered a core business in today’s modern global world. Having to adopt new technologies as well as integrate them into a new way of working certainly brought its challenges, such as having to increase data storage capacity and security measures, as well as identify new risks to operational efficiency.
Therefore, operational resiliency and business continuity in this sector are considered important for keeping the UK financially stable. The new regulatory requirements ask financial services firms to:
- Identify the important business services that, if interrupted for any internal or external reason, would cause ‘intolerable levels of harm’ to customers and potentially risk the stability of the financial system and the operations of financial markets in the UK.
- Decide and set impact tolerance levels for ‘severe but plausible’ disruptions (those that could happen and cause severe problems) against each important business service, and whilst doing so, consider their obligations in accordance with the European Banking Authority (EBA) Guidelines on Information Communication Technology (ICT) and Security Risk Management.
- Conduct an audit, such as a mapping exercise, on a regular basis to continually identify and document the people, processes, facilities, technology and information required to deliver their important business services. They must also resolve any vulnerabilities or gaps that may result in the firm not being able to maintain its impact tolerances. Part of this exercise is to carry out and test specific scenarios, identify any weaknesses, take the necessary action to improve their resiliency and business continuity service and adopt ‘lessons learned’.
- Develop a communications strategy that addresses their internal and external communications, enabling the firm to act swiftly and effectively when necessary and thereby reducing the impact of any operational disruptions to their important services. This covers, for example, how the firm informs and advises customers and other stakeholders of any issues, and its means of gathering data on the cause, extent and impact of disruptive incidents. A firm’s obligations for reporting any disruptions to the FCA and the PRA must also be considered, as well as how it reports to other organisations where required, such as the National Cyber Security Centre, the Cyber Security Information Sharing Partnership, the Information Commissioner’s Office if there has been a breach and customers’ data is compromised, and Action Fraud if the disruption is criminally motivated.
The impact of third parties on business continuity services and operational resilience
Any business, particularly in the financial services sector, knows that disruption and/or outages may happen. The aim is to ensure that there is sufficient planning in place for the firm to act swiftly in any situation. However, disruption can also be caused by third-party supplier issues.
It is paramount that any financial firm has a good understanding of the role their third-party suppliers have and, should their services be disrupted, the impact it will have on the firm’s important business services. The type of information they will need from their suppliers includes:
- Their peak times of business, including times of the day and year.
- Variations in volumes and value of transactions during certain disruption scenarios.
- Any functionality commitments, which will need to be clarified; the resulting minimum requirement is that the important business service remains within its impact tolerance level.
A comprehensive recovery and restoration of services plan, covering all aspects of business continuity services, must be agreed upon and in operation between all parties. For example, the frequency and scope of IT systems and infrastructure backups, including data centres, should be defined and adhered to, and the plans should be regularly tested against plausible scenarios, which the FCA determines should include:
- Deletion, manipulation or corruption of critical data.
- The unavailability of key people and/or facilities.
- The unavailability of third-party services which are critical to the delivery of the firm’s important business services.
- The reduced provision or loss of the technology that underpins the delivery of the firm’s important business service.
A vital factor in maintaining business continuity services and operational resiliency is to ensure plans and measures for assessing continuity are regularly reviewed, tested and updated from lessons learned.
If you are struggling with debt, are considering winding up a solvent company or declaring bankruptcy, contact Simple Liquidation for assistance. For more information on how our professional insolvency practitioners may be able to help your business, contact us today.