Watchdogs push City to plan for failure amid ‘increasingly hostile’ cyber environment
The City’s watchdogs have banded together to push senior managers to plan for failure amid a surge in IT incidents.
The Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) today published a discussion paper inviting responses from firms and consumers as they prepare to shape future regulations across financial services providers.
The number of cyber security and operational incidents has risen significantly in recent years, ranging from hostile state-sponsored cyber attacks to high-profile outages such as recent incidents at TSB bank and payments firm Visa.
The regulators will push senior managers at banks and other financial services providers to take responsibility for operational resilience and to plan for failure, amid concerns that the City is placing too much emphasis on preventing attacks rather than preparing for the ones that will inevitably succeed.
“The financial sector needs an approach to operational risk management that includes preventative measures and capabilities – in terms of people, processes and organisational culture – to adapt and recover when things go wrong,” said Sir Jon Cunliffe, Sam Woods and Andrew Bailey, bosses at the three regulators, in a foreword to the discussion paper.
The regulators suggest that firms should set themselves “impact tolerances” for the services they offer, such as mortgage lending, on the “assumption that disruption to the systems and processes supporting that service will occur”.
Rapid technological change and an increase in the number of hostile actors are behind the increasing number of incidents. Recent legislation such as the General Data Protection Regulation has also increased scrutiny on the impacts of data breaches.
Security services at the National Cyber Security Centre will be closely involved in the work, having earlier publicly highlighted the role of attacks sponsored by the Russian state.
The watchdogs revealed they have an “Authorities Response Framework”, including the Treasury and the Bank of England, which meets to respond to cyber security or operational incidents, as it did for the TSB outage.
The new approach to resilience regulation, which will be shaped after the discussion paper’s response period closes on 5 October, will attempt to cover impacts ranging from those affecting only consumers all the way up to threats to financial stability – although no cyber incident has yet threatened the stability of the financial system.