The Bank of England, together with the U.K. Financial Conduct Authority and Prudential Regulation Authority, will more closely examine the relationships between financial firms and IT outsourcers to determine how resilient the sector is to potential cyber threats, according to a discussion paper published July 5.
Banks, clearing houses and other financial firms in the U.K. will be expected to disclose their backup plans to regulators and to develop those plans on the assumption that failures or cyber attacks will happen, the paper says. It emphasizes that, regardless of outsourcing arrangements, ultimate responsibility for failures lies with the top management of financial firms, who are governed by the Senior Managers Regime.
Alongside testing the systems used by contractors, firms will be expected to have definitive plans in place for potential attacks or breakdowns of varying intensities.
"[The paper] envisages that boards and senior management can achieve better standards of operational resilience through increased focus on setting, monitoring and testing specific impact tolerances for key business services, which define the amount of disruption that could be tolerated," the regulators said in an accompanying statement.
Furthermore, the paper makes clear that top management will be held responsible both for the failures of their outsourcers and the way they handle communication with affected customers.
"The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm's response," said the statement.
Although rules are already in place governing so-called operational resilience, the regulators said new demands may be forthcoming.
"The supervisory authorities are considering the extent to which they might supplement existing policies to improve the resilience of the system as a whole, and to increase the focus on this area within individual firms and FMIs [financial market infrastructures]. They are reviewing existing policies, including those on risk management, outsourcing, controls and communication and business continuity plans," they said.
Banks will be expected to be able to maintain services in the event of an attack, the paper said, noting that although "avoiding disruption to a particular system supporting a business service" is important, "ultimately it is the business service that needs to be resilient."
The U.K. has suffered increasingly frequent cyber attacks and IT failures in recent months, with both Visa and TSB Banking Group PLC experiencing systems breakdowns that affected millions of customers.
TSB's failure was caused by the collapse of a new IT system that the bank bought from an unregulated firm owned by its Spanish parent, Banco de Sabadell SA. As millions of clients lost access to their money, fraudsters swarmed around the bank, compounding the crisis. TSB CEO Paul Pester came under heavy criticism from regulators and members of Parliament, including calls to resign.
Pester has estimated the cost of the fallout at some £70 million, but The Times of London reported that including auxiliary costs such as rebuilding the system and compensating customers, the bill could reach as much as £1 billion.
The basic regulatory response framework for such emergencies includes staff from the FCA, Bank of England and Treasury, but it can be extended to include the National Crime Agency, the National Cyber Security Centre and even the Cobra national security committee headed by the prime minister, in case of criminal or state-driven attacks.
The response procedure has been triggered more frequently in 2018.
The paper is open for consultation through Oct. 5, after which the regulators will collect responses and launch policy proposals, with a view to influencing international standards in the field. They added that they are especially keen to hear from "those who have suffered harm from disruptive events."