UK Financial Regulators Cracking Down on Banks’ IT Failures | Tech Security
Financial regulators have ordered British banks and other financial services firms to provide a detailed plan for responding to IT outages and cyber-attacks.
The Bank of England (BoE) and the Financial Conduct Authority (FCA) published a joint discussion paper on Thursday, asking firms to report on their exposure to risk and incident response processes.
Firms have been given an October 5 deadline to provide their emergency back-up plans.
The discussion paper stresses the importance of operational resilience given today’s “hostile cyber-environment and large scale technological changes.”
“A resilient financial system is one that can absorb shocks rather than contribute to them,” said the BoE and FCA in a joint statement.
“The financial sector needs an approach to operational risk management that includes preventative measures and the capabilities – in terms of people, processes and organisational culture – to adapt and recover when things go wrong,” they said.
The paper also highlights the role of firms’ senior officials when responding to incidents, recommending setting “board-approved impact tolerances quantifying the level of disruption that could be tolerated.”
Regulators suggested two days as an acceptable limit for disruption to a business service, according to one scenario detailed in the discussion paper.
“Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers and other market participants in the financial system,” states the paper.
Another important concept that regulators advised financial firms to address involves an effective communication plan.
“The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response,” the discussion paper noted.
Firms that fail to demonstrate adequate back-up plans could face fines and other sanctions, such as a requirement to hold higher capital levels or to make additional IT investment.