- Concerns around cyber resilience
- Improving information sharing
- Challenges of managing third parties
In response to COVID-19, many firms switched to remote working and increased their reliance on technology and third parties. This is a trend that is likely to remain in some shape or form. It is crucial that cyber resilience is factored into a firm's operational resilience framework and that the risks are clearly understood.
The FCA has highlighted in various documents that it considers technology to be both an area of innovation and an area of risk, because of the speed at which technology develops. It remains an area that boards must understand if suitable risk management processes are to be implemented. Ultimately, it is the board that makes the key decisions regarding investment, so it is vital that board members understand the risks posed by innovation.
What is cyber resilience?
Firms need to understand the fundamentals. When firms were told that they needed policies in place to deal with cyber security, some merely relabelled their information security policies as cyber security policies and left it at that. I would suggest that is where the lack of understanding of cyber issues shows itself.
Information security:
The systems and controls in place to protect information from unauthorised access, disclosure, disruption and destruction. Breaches of these controls could lead to data theft. With information security, firms focus on controlling the confidentiality, integrity and availability of data.
Cyber security:
Cyber security concerns potential attacks via a network, regardless of the target. Targets could include data, systems or the network itself. The cyber security landscape changes almost daily, and there is no single group of threats. Recent data indicates that material cyber incidents reported to the FCA increased from 76 in 2020 to 116 in 2021.
Cyber resilience:
Firms need to protect their critical information, detect attempts to breach their protective controls and respond quickly and effectively. As cyber attacks change, firms need to build effective systems enabling them to prepare for such events and aid speedy recovery.
In March 2022, the PRA's Charlotte Gerkin reminded insurers of the risks posed by cyber attacks.
Regulatory expectations:
The FCA's operational resilience event in January 2022 reminded firms that cyber resilience should be included as part of any operational resilience framework. Early observations from interaction with the industry indicated that firms were forgetting to include cyber resilience as a potential scenario and were not factoring it into their stress-testing activities.
Next steps:
When it comes to cyber resilience, there are some key actions to take, for example:
- Review the basics. Experience tells us that some attacks could have been prevented by basic security measures, such as ensuring that patching is maintained.
- Be able to detect attacks and have a robust plan. To mitigate the risk of attack, firms need to agree their tolerance levels for any systems or data being unavailable.
- Be prepared. Having a contingency plan that includes a communications plan aids prompt escalation of any issues, so that everyone knows exactly which steps to take and who needs to do what and when. This can be key when handling client queries and managing regulatory expectations.
As part of the overall operational resilience regime, we’ve now entered the transitional period ending on 31 March 2025. This current phase allows firms to test their ability to stay within their impact tolerances.
During this stage, firms should:
- Review any breaches of the set impact tolerances
- Identify any lessons learned
- Share findings with third parties to improve processes
- Maintain an audit trail of any changes or decisions that are made.
Ultimately, the escalation and governance processes will be key in helping to refine processes and direct investment where it is needed.
How Ruleguard can help you:
Ruleguard is an industry-leading software platform designed to help regulated firms manage the burden of evidencing and monitoring compliance. It has a range of tools to help firms fulfil their obligations across the UK, Europe and APAC regions.
Ruleguard allows firms to organise planning for extreme but plausible scenarios, model impact tolerances and identify investment gaps. It also helps firms to:
- define service levels and tolerance thresholds for each service to define how much impact on customers and the market is acceptable in extreme but plausible scenarios
- vary the resource parameters using our intuitive interface and see how these changes impact your service thresholds in the model
- easily identify gaps for investment and automatically create a resilience self-assessment document for board review.
The scale of operational resilience compliance can seem daunting, but with Ruleguard's experience and technical design skills we’ll help you quickly have it under control.
Get in touch with the Ruleguard team to learn more on 020 3965 2166 or hello@ruleguard.com
Webinars:
Ruleguard hosts regular events.
White Papers:
Request a complimentary copy of our White Paper on Operational Resilience.
Further resources:
See our blog page for further articles or contact us via: hello@ruleguard.com
Head of Client Regulation | Ruleguard