What could and should banks be doing to collectively build the cyber and operational resilience of the UK finance sector? So asked Nick Strange, Director, Supervisory Risk Specialists at the Bank of England, in a speech in London.
He spoke of ‘operational resilience’ as the outcome we are seeking ‘and to do that we must manage operational risk effectively’. He said that the Bank does not expect firms to be able to withstand the most extreme forms of disruption – ‘that would be inefficient and make the cost of providing critical business services prohibitive. And secondly we recognise that disruption will happen and it is unrealistic to expect that in today’s complex and connected world that we should have a zero tolerance for disruption’.
A discussion paper on operational resilience was published in July 2018 by the Bank and the UK regulators, the PRA and the FCA. The Bank’s premise is that ‘operational disruptions will happen and robust, well-tested response and recovery plans will be key to maintaining your important business services’. Later this year the Bank will set out proposed policies and explain its approach to supervising operational resilience. The Bank will also test an impact tolerance for payments in a hypothetical scenario where firms’ IT systems supporting their payments function become unavailable.
“A possible (and I only say possible) outcome of the cyber stress testing we are piloting may be that on their own, firms cannot meet the FPC’s proposed tolerance for payments systems outage. If this were the case then it would either fall to the public or private sector to come up with a collective solution.”
He concluded: “As operational risk managers you will no doubt continue to try to reduce the probability of a disruptive event occurring, but it’s unrealistic to think disruption can be prevented entirely. A zero tolerance for disruption, however desirable, isn’t practical, so you should consider how much disruption your firms are prepared to tolerate from a consumer, business and financial stability perspective. Then you can work to ensure that you have robust response capabilities and can recover your most important business services within the tolerances you set. Focusing on recovering business services, not just IT systems, may help you to deliver more innovative solutions. Thinking of operational resilience as the outcome we are seeking, and operational risk management as the means by which this is achieved, gives a clear focus for investment in both. This renewed interest in operational risk and resilience suggests to me that there’s never been a better time to be an operational risk
For the full speech visit the Bank of England website. All speeches are online at www.bankofengland.co.uk/publications/Pages/speeches/default.aspx.
Sarah Armstrong-Smith, Head of Continuity and Resilience at Fujitsu UK and Ireland described the Bank of England’s call for a collective effort to tackle cyberthreats as a step in the right direction. “With the number of threats continuing to increase exponentially, customer trust has never been so valuable or hard to come by and as such it has never been more important for businesses to test and ensure they are protected appropriately. A fifth of the public believe that cybercrime is the biggest challenge facing the UK today, and there are certainly some lessons UK firms can learn from the American initiative ‘Sheltered Harbour’ to vault and protect customer data in the event of a cyber attack.
“A collective solution to cybersecurity threats can help to enhance the operational resilience of the financial sector, and in turn, better protect customers and their data. With digital continuing to pave the way in financial services, the industry can no longer afford for it not to be the number one priority. Banks need to be able to identify, react and defend against a breach quickly, which includes stress-testing a range of scenarios, in collaboration with multiple stakeholders.”