Operational resilience & enforcement.

No system built on software stacks is immune from attacks, whether simple or complex, and attack vectors can be passive or active. All organisations are susceptible, especially those with a financial or professional brand and reputation to protect.

In 2023 approximately 226 UK law firms acknowledged that sensitive data had been accessed or modified by hackers [Solicitors Journal, 19 February 2024]; undoubtedly the tip of the iceberg.

Firms are facing novel, unanticipated and more systemic risks from a new era of geopolitical volatility, the current economic climate and a renewed focus on the digitalisation of financial services following the Covid-19 pandemic.

These are unprecedented times and organisations are sailing in uncharted territory. With the regulatory lens firmly fixed on operational resilience, it is clear to see why new defence mechanisms and substantive step-changes are required. 

Recent history and a series of high-profile outages have demonstrated that, as well as causing business disruption, a lack of focus on operational resilience can cause wide-reaching harm to customer outcomes, threaten the viability of professional and financial firms and severely undermine market integrity.

The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) say that ensuring the UK financial sector is operationally resilient is important for consumers, firms and financial markets.

Efforts to establish operational resilience within high-value services businesses have often been haphazard or poorly co-ordinated. Managing operational resilience across important business services, in scenarios that cover business as usual (BAU) as well as periods of change, is no easy feat.

Operational resilience requires the ability to prevent, adapt quickly to, respond to, recover from and learn from operational disruptions, so the key is to consider it holistically. Examination, analysis and resolution are required to address the interconnectedness and alignment of operational risk, technology risk, third-party risk and financial resilience.

These elements cannot be considered in isolation, though this is too often the case. After all, sound operational risk management practices lead to resilience, and operational risk management covers various types of risk, including technology, third-party, data and business continuity risks.

Accountable executives and senior management are, sadly, often unaware of the unacceptably high levels of risk to which their institutions are exposed. Perhaps most importantly, many have failed to appreciate and mitigate the multiple risks introduced through protracted supply chains, outsource providers and operations that extend across multiple physical or technological jurisdictions.

For financial organisations, with the new operational resilience requirements now in effect in the UK, this is no longer acceptable; professional organisations have analogous responsibilities and compliance structures. All have reputational risks to factor in for an operational system ‘melt-down’. Senior managers will likely be held to account if they fall foul of these requirements, at the very least on an operational level with respect to system security and the protection of privileged or confidential data. It might be expected that UK regulators will focus their attention on senior managers with responsibility for core infrastructure and operations, including oversight of outsourcing arrangements.

The PRA and FCA took enforcement action against a large bank at the end of last year relating to failings associated with an IT upgrade programme. This is a clear warning to all sectors that operational resilience is not just a supervisory priority but also an enforcement priority for regulators, particularly in the event of a crystallised risk that adversely affects markets or customers.

The focus on operational resilience is a G7 commitment. It is therefore fair to say that the problem is a global one. In the EU, the Digital Operational Resilience Act (Dora) solves an important problem in that EU financial regulation had previously not kept up with the pace of technological advancement and the new categories of information communications technology (ICT) risk and cyber risk that this brings. 

Before Dora, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience. After Dora, they must also follow rules for the protection, detection, containment, recovery and repair of ICT-related incidents.

Dora explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The regulation acknowledges that ICT incidents and a lack of operational resilience could jeopardise the soundness of the entire financial and professional systems.

Running in parallel to the Dora implementation, EU supervisory authorities, such as the European Central Bank, will continue to expand their capabilities in cyber and IT risk and carry out further targeted investigations into cyber resilience. This is a sobering thought and puts even greater pressure on organisations to build this knowledge among senior management, who will clearly be held to account.

In Europe and the UK, regulators will increasingly look at the sectoral resilience of financial services more broadly, particularly in relation to critical third parties (CTPs). For the first time, non-financial services providers who provide vital services to large parts of the financial system will be subject to regulatory oversight. This is widely expected to include the biggest cloud providers, and will expand to other infrastructure and data providers across financial and professional sectors.

One of the key issues will be in setting a standard for the resilience of CTPs which allows for international alignment. There are already concerns in this space, with the UK potentially focussing on the oversight of significant services, and the EU opting for a broader definition. The US is also playing catch-up.

A key risk for senior managers to understand is that the development of CTP oversight frameworks will not replace their responsibility to conduct third-party risk management or manage the operational resilience vulnerabilities associated with third-party exposures.

Recent market events, including the Covid-19 pandemic, various cyberattacks and enforcement cases, have shown why it is vital for firms to understand the services they provide and invest in their resilience. As we move further into an outcomes-based regulatory regime, where any poor customer outcomes or threats to market integrity will not be tolerated, it is anticipated that senior executives will be held to account for any failings in this regard.

Regulatory supervisors are set to be on the lookout for tangible evidence to demonstrate that senior executives and boards have been pivotal in constructing resilience.