New rules mean finance organizations will have to ensure critical business functions continue to operate even during times of major disruption
Tom Richards, Head of Systems and Storage Practice, Northdoor plc
New FCA guidance has come into force which will require organizations in the financial sector to identify important areas of their business and ensure they can continue to operate during any disruption.
With the pandemic and with cyberattacks becoming more sophisticated and numerous, the FCA seeks to ensure that organizations in the sector are as well prepared as possible. These guidelines began as a working document in 2018, and organizations now have until March 2025 to achieve compliance.
Although there is a three-year transition period, companies should already have identified their important business services, set impact tolerances for the maximum tolerable disruption, and performed mapping and testing at the level of sophistication necessary to do so.
Which financial sectors must adhere to the new rules and guidelines?
The FCA Operational Resilience Rules and Guidelines are a joint initiative of the FCA, the Bank of England and the Prudential Regulation Authority (PRA), and as such much of the financial sector is covered, including:
- building societies
- PRA Designated Investment Firms
- Recognized investment exchanges
- Enhanced scope Senior Managers and Certification Regime (SM&CR) firms
- Entities authorized and registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011.
A handful of the largest financial organizations have worked alongside all three regulators to put this regulation in place and are therefore already ahead of the game. Most other businesses, however, will only just be starting to think about what they need to put in place.
What do organizations need to do and how much time do they have?
To meet these new guidelines, companies will need to review a wide range of activities related to governance, risk management and compliance. The key to success, however, lies in the discovery and classification of services, and in putting the right people, processes and technology in place.
The deadline for compliance is March 2025, but incentives are in place for those who comply earlier, as this will help build stability and confidence in the UK financial sector. Companies will therefore need to quickly determine which critical systems serve customers and what the impact would be if they lost those systems or were unable to provide services to their customers.
They will need to determine the maximum outage they could experience without causing undue harm to the business. This will be a company-led conversation at the board level to determine which services they could go without and for how long. Financial services institutions will have to put in place measures to check that they never exceed the set threshold.
The past two years have shown why these milestones are so incredibly important. The impact of the pandemic itself as well as the resulting changes in the workplace have made the financial sector a more tempting target for cybercriminals. Ensuring that critical services can be maintained regardless of the crisis will help not only the business, but the industry as a whole.
Discovery, people and process to play a key role
The FCA's operational resilience regime is in many ways similar to GDPR, in that discovery, people and processes will play a key role. The guidance is designed to help financial organizations ensure they are resilient for consumers, businesses and financial markets.
As we have seen over the past five years, cyberattacks against organizations in the financial sector have a huge impact not only on the specific business but also on its customers and the market at large. The objective of this guidance is to ensure that organizations build resilient operational systems that can absorb shocks rather than amplify them.
To achieve this, they must ensure that they are building their resilience in the right way. Organizations should consider how the whole architecture can be made more resilient, with a mission statement that sets this out as a goal from which the organization then designs its systems.
Initial Task Checklist
With so many companies likely to be behind, or not even to have started the initial steps, some key tasks need to be carried out urgently.
If you are one of these companies, you must immediately:
- Identify your important business services which, if disrupted, could cause intolerable harm to your customers, threaten market integrity, threaten the viability of your business, or cause instability in the financial system.
- Set impact tolerances for the maximum tolerable disruption of these services.
- Perform mapping and testing at a level of sophistication needed to identify important business services, set impact tolerances, and identify vulnerabilities in your operational resilience.
- Conduct lessons learned exercises to identify, prioritize and invest in your ability to respond to and recover from disruptions as effectively as possible.
- Develop internal and external communication plans in the event of disruption of important business services.
- Prepare self-assessment documentation.
As with the introduction of many regulations, including GDPR, the compliance process can at first glance seem like a daunting task. Many turn to independent consultants to help them through the process, identify key functions and add layers of resilience to help ensure business continuity.
Far from being a daunting task, it should be seen as an opportunity. Cyberattacks will only become more numerous and more sophisticated in the months and years to come. Ensuring that you can continue to serve customers even during the greatest disruptions is therefore not only good for business: it improves your reputation with customers and potential customers and helps counter the growing threat from cybercriminals.