Bank of England demands firms test "severe" operational resilience scenarios
"They will need to invest..."
The UK's banks have been given three years to improve their IT and operational resilience.
"It is likely that they [banks] will need to invest," the Bank of England (BoE) said.
"We expect [operational resilience] to become a major consideration in their investment programmes. Designing services to be resilient is often easier than reverse engineering resilience into fragile services."
The comments by Duncan Mackinnon, who leads supervisory risk at the central bank, came as the Bank, the PRA, the FCA and HM Treasury are also working together to develop measures to manage the systemic risks posed to UK financial institutions by critical third parties (CTPs), "including but not limited to cloud service providers".
The regulatory parties plan to publish a joint Discussion Paper in 2022 to inform future regulatory proposals relating to CTPs, "particularly on technically complex areas such as resilience testing," he added.
Mackinnon's comments came after the BoE set out three new draft supervisory statements on April 14 that raised fresh concerns about the possibility of “systemic concentration risks” arising from the migration of financial market infrastructure (FMI) to the cloud. The new consultation suggested that a significantly more robust set of demands on IT resilience is coming soon for financial services providers. In the draft rules, the Bank called on boards to “approve, regularly review, and implement a written third party risk management policy”.
That policy should span cybersecurity, operational resilience and data protection, among other areas, and the draft rules require a “formalised contractual agreement to be in place for all outsourcing arrangements”.
Mackinnon, speaking at the City & Financial 9th Annual Operational Resilience for Financial Institutions Summit, said: "Our initial supervisory engagement has also found many firms have utilised disaster recovery and business continuity testing to address operational resilience requirements. We see this as part of firms embedding operational resilience into the way they do business. But our priority as a regulator will always be to ensure that where other frameworks are leveraged, the expectations in each policy are still met in full. If existing testing does not provide a firm with an end-to-end view of the resilience of its important business services, more work will have to be done. And we expect the scenarios used in this testing to be sufficiently severe."
"There are many roads to resilience," he added.
"But where firms cannot remain within tolerance, it is likely that they will need to invest. For example:
- Firms may have to build substitutability into the way services are delivered. For example, they might build an additional data centre or facility, such that when failures occur, services can be transferred and delivered to the same standard by different means.
- Firms may need to review and adapt outsourcing arrangements, ensuring that if a third party supplier is disrupted, this does not lead to disruption of the service as a whole.
- Firms may need to re-architect or replace legacy systems which have remained critical to the delivery of services despite their obsolescence. We acknowledge these things are not easy. They will take time."
Financial regulators' new operational resilience policies came into force on 31 March 2022. Banks have until March 2025 to comply. And Mackinnon's speech suggested the BoE is taking compliance exceptionally seriously: "The scenarios a firm uses should assume disruption has occurred. They should include data integrity scenarios and incorporate third party disruption; they should also consider factors beyond the firm’s control. Scenarios should consider the evolving risk environment, they should be challenging, and ask what might happen if backup arrangements do not function as anticipated. Scenarios will include cases where multiple parts of the organisation are disrupted simultaneously. Given that impact tolerances are set at the maximum level of disruption a firm can tolerate, firms will have to judge how close to that line they are comfortable to be through their testing..."