Cyber security and beyond: firms' approach to operational resilience
Cyber security is a topic that is receiving a good deal of attention and many financial institutions are aware of the need to mitigate the risks associated with various kinds of cyber-attacks, from data breaches to ransomware. However, publications recently issued by UK regulators and the Financial Conduct Authority's (FCA's) enforcement action against Tesco Personal Finance all suggest that institutions should be taking a broad approach to the risks associated with the digitisation of the financial services industry.
While cyber-attacks are clearly a significant threat to institutions, regulators are increasingly focusing on firms' approach to operational resilience generally, ground that covers not just cyber security but other issues such as IT glitches, dependencies on digital service providers and exposure to vulnerabilities in the financial markets infrastructure.
On October 31, the Prudential Regulation Authority (PRA) published an update to the document that sets out its approach to banking supervision.
For the first time in its six-year history, the document now contains a section on operational resilience. This reflects, in the PRA's words, "firms' increasing reliance on digital systems and platforms and the risk of cyber-attacks".
Underlining just how important it is to the PRA's objectives, Sam Woods, chief executive of the PRA, identified operational resilience as one of four "key areas" for the PRA, the others being: the ring-fencing of retail banking from global trading; the senior managers regime; and Brexit.
The PRA's approach document declares, persuasively, that "firms' operational resilience is the responsibility of their boards" and that "boards should ensure there is sufficient challenge to the executive and that they have access to people within the business with appropriate technical skills".
To many who advise firms on cyber security, this will not come as a surprise – the shift from focusing on technical, IT defences to board-driven governance is a familiar (if relatively recent) instruction.
But against this backdrop, a claim recently made by David Lidington MP, de facto deputy to Prime Minister Theresa May, in a speech at the London Stock Exchange that "two thirds of FTSE 350 boards say that they have had no training in how to deal with a cyber incident" is all the more alarming.
Perhaps the issue is not whether boards should be engaged in cyber security (and, more broadly, operational resilience) but rather what appropriate board engagement looks like. Good governance manifests itself in different ways depending on the individual organisation; there is no one-size-fits-all approach.
But a discussion paper published jointly by the PRA, FCA and Bank of England provides an indication of what those regulators are likely to expect from boards and senior managers in the coming years.
The discussion paper trails the regulators' plans to achieve a "step change" in the operational resilience of firms and financial market infrastructures. To help accomplish this, the regulators propose that boards and senior management are engaged in a number of ways:
- Establishing their firm's own 'impact tolerances', which quantify the amount of disruption that would be acceptable in a given incident; for example, the maximum outage time for a particular business service.
- Taking investment decisions which are mapped to the impact tolerances and priorities that the board has set for the firm.
- Exercising sufficient oversight to ensure confidence that the board's strategy is being carried out. This requires an effective internal control framework for prioritisation, internal reporting and escalation.
- Having oversight of outsourced activities, such as cloud service providers.
- Understanding which providers of third party services (such as telecommunications) are critical to the continuous and adequate functioning of business services.
- Ensuring that the continuity of business services is at the forefront of the firm's approach to operational resilience, rather than focusing on the resilience of specific systems that the firm uses.
This last point is a theme that runs through the regulators' discussion paper. It reflects a presumption that every firm's systems are likely to suffer some sort of disruption. The key lies not in preventing the disruption from happening, but in making sure the business service (which the system supports) suffers minimal impact – or at least an impact that is within the agreed tolerance levels.
The regulators suggest that different business services are prioritised based on the potential to: threaten the firm's ongoing viability; cause harm to consumers and market participants; and/or undermine financial stability generally.
The proposals will build on last year's introduction of a senior manager function with responsibility for the internal operations and technology of a firm (including cyber security). However, the proposals are more than simply another step in the regulators' efforts to improve the resilience of firms.
Depending on how they are implemented, the proposals could herald a very significant new aspect of the PRA and FCA's approach to supervision, and they will likely require a very considered analysis of firms' operational resilience.
The regulators are frank that they still have much work to do, notably in determining what impact tolerances they will consider appropriate; how they will review the impact tolerances that firms set for themselves; and how they will assess the "translation of impact tolerances into actual investment decisions". Where the regulators do not agree with a firm's impact tolerance assessment, they envisage asking the firm to revise it.
Another example of the broad approach being taken by UK regulators is the £16.4 million fine that the FCA imposed on Tesco Personal Finance in October. Tesco was the victim of a fraudulent attack by criminals who used an algorithm to generate debit card PANs (primary account numbers) that were the same as those belonging to genuine Tesco current account card holders.
No data was stolen from Tesco and none of Tesco's IT systems were hacked, nor were any of its perimeter defences penetrated. However, in its final notice, the FCA still categorised the incident as a "cyber attack", rather than a conventional electronic fraud.
It is noteworthy, in the context of the senior management discussion above, that Tesco's senior management was praised by the FCA for its response to the incident. The final notice describes the "immediate action" taken by senior management to stop the fraudulent transactions and to regularly update customers, and its use of "significant resources to return customers to their previous financial position".
Senior management's co-operation during the FCA's investigation is specifically identified as a mitigating factor that the FCA considered when calculating the fine; Tesco was given a 30 percent discount for mitigation in total, which is unusually high.
The fine itself is another interesting aspect of this enforcement action. The FCA calculated its penalty by reference to the average aggregate bank account balances "at risk", rather than by reference to the revenue generated by Tesco in this business area (which is the normal starting point in the FCA's Decision Procedure and Penalties manual).
The fine was very large, all the more so when you consider that Tesco would have had relatively low average aggregate bank account balances when compared to several other financial institutions that hold client money.
While firms are increasingly focused on 'IT' or 'cyber-security' (however defined), boards should be aware of the role they have in incident response and in the wider approach to operational resilience that is likely to characterise regulatory supervision in this area, potentially for years to come.
Originally published on 7 November 2018 in Thomson Reuters Accelus Regulatory Intelligence and reproduced with the kind permission of Thomson Reuters.