"We expect greater engagement" Bank of England cracks whip over operational resilience

“Less than a year out from the March 2025 deadline… there is still considerable work to be done for many FMIs.”

"We expect greater engagement" Bank of England cracks whip over operational resilience

The Bank of England has warned financial market infrastructure (FMI) providers that there is “still considerable work to be done” to prove that they can recover from cybersecurity incidents or even extreme weather disruption, less than a year from a BoE operational resilience deadline. 

The central bank in 2021 finalised its operational resilience framework for financial services firms and financial market infrastructure entities (FMIs) – setting a 31 March 2025 deadline to provide detail on their impact tolerances, or how long business services could be “allowed” to fail for. 

By that date, firms should have “sound, effective, and comprehensive strategies, processes, and systems that enable them to address risks to their ability to [run] each important business service in the event of a severe but plausible disruption (or extreme disruption),” it added

See also: Banks need to do better on operational resilience: Basel

But this week the BoE’s financial market infrastructure chief, Sasha Mills, warned that “we expect to see FMIs accelerating their efforts to ensure that they have calibrated their tolerance for negative impacts on their important business services, and mapped the key people, processes, technology, facilities, and information needed to deliver these services… 

She added, in a speech given at the London Institute of Banking and Finance: “We expect to see greater engagement than we have seen thus far between FMIs, their participants, and the wider market.”

"Another area that still requires significant work is the approach and method FMIs use to test disruption to important business services. FMIs need to do further work to improve on the sophistication of their testing approaches. We'll be continuing to look over the coming year for robust remediation plans from FMIs, with appropriate funding and resources dedicated to address weaknesses found during testing,” she added.

Commenting on the speech, Dynatrace’s Martin Bradbury told The Stack: “There is often a temptation for FMIs to focus more of their effort to improve operational resilience on infrastructure monitoring, as they’re concerned about issues such as cloud outages or network slowdowns. 

“However, it is equally, if not more important to monitor and test the performance of applications [and] take an end-to-end approach to observability, spanning the entire technology stack. This can give them precise code level insights that reveal where their digital services need to be hardened to boost operational resiliency. It is also essential that FMIs routinely conduct automated tests of end user journeys, leveraging AI to dynamically understand the expected behaviours and detect anomalies early before they evolve into severe customer impacting incidents. 

Bradbury added: “Establishing automated tests of user experiences not only helps to identify whether services will remain within impact tolerances during critical incidents, but also helps FMIs to practice and perfect their recovery and response strategies. This helps them to not only remain compliant, but also retain a competitive edge by delivering seamless digital experiences.

See also: Europe's banks steel themselves for a tough ECB cyber resilence test after blistering criticism