U.K. Financial Services Institutions Outline Operational Resilience Guidelines To Address Cyber Attacks And IT Disruptions

King & Spalding

On July 5, 2018, the Bank of England (“BoE”) and the regulators the Prudential Regulation Authority (“PRA”) and the Financial Conduct Authority (“FCA”) published a joint discussion paper “to share the supervisory authorities’ thinking regarding operational resilience and obtain feedback.” The regulators and central bank encourage all affected stakeholders, including financial firms, financial market infrastructures (“FMIs”), consumers, and businesses, to provide feedback in response to questions posed in the paper. According to the discussion paper, responses will be used “to inform current supervisory activity and future policy-making.” Responses are due October 5, 2018.

In discussing operational resilience, the BoE, PRA, and FCA state that “A resilient financial system is one that can absorb shocks rather than contribute to them.” The discussion paper recognizes that an operational disruption may be due to cyber-attack or an IT disruption, and the discussion paper notes that firms and FMIs should assume some level of operational disruption and focus on how best to ensure business continuity, rather than focusing narrowly on protecting systems and processes. The regulators and central bank encourage this thinking at the highest levels and note that “boards and senior management should assume that individual systems and processes that support business services will be disrupted, and increase the focus on back-up plans, responses and recovery options.” Senior management and boards of directors should evaluate what level of disruption could be tolerated, and for how long. Firms and FMIs could set and revise their impact tolerance levels by testing under “severe but plausible scenarios.” The regulators and central bank also stressed the importance of good communication, noting that the “speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response.”

The discussion paper notes that no stress-testing data exists for cyber events, so the BoE will work with independent experts, such as the National Cyber Security Centre, to test firms on meeting standards for impact tolerance. The BoE will also work with other regulators to determine the scope of stress testing.

The press release announcing the discussion paper can be found here, and the text of the discussion paper can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

