UK regulators have given British financial firms a three-month deadline to demonstrate their operational resilience in the event of a cyber attack or IT breakdown.
The demand by the Bank of England and the Financial Conduct Authority for banks to report on their exposure to risk and contingency planning for disruptive outages comes on the heels of a disastrous IT upgrade at TSB and the recent black out of the Visa network.
In a joint statement, FCA chief Andrew Bailey and BoE deputy governor Jon Cunliffe, say: “Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers and other market participants in the financial system.”
With banks having to adapt their legacy architecture to keep pace with nimble-footed fintech competitors, the operational risks of a significant IT breakdown are becoming increasingly apparent.
The watchdogs say that banks should have backup plans in place to enable full recovery withing two working days. This is in stark contrast to the ongoing crisis at TSB, which continues to dog the bank and its customers more than a month after a switch to a new IT platform went awry.
Motivating the approach are a number of important concepts, which include:
- focusing on the continuity of the most important business services as an essential component of managing operational resilience setting board-approved impact tolerances which quantify the level of disruption that could be tolerated
- planning on the assumption that disruption will occur as well as seeking to prevent it
- Penalties for those firms that fail to demonstrate adequate planning could result in a requirement for higher capital levels, sanctioning of executive leadership and a demand for more IT investment.
The discussion paper follows the publication of the bank of England's Financial Stability Report which last week, which set out plans to test banks' resilience to resist and recover from a cyber attack on their payments systems.