Financial Conduct Authority  

IT failures reported by financial firms up 300%

There has been a 300 per cent year-on-year increase in the number of 'operational resilience breaks' reported to the Financial Conduct Authority, the regulator’s director of supervision has said.

Speaking at the FCA’s annual public meeting yesterday (July 17), Megan Butler said the number of incidents reported to the regulator had increased to 916 for the year 2018-19 from 229 the year before.

She added that the regulator expected this trend to continue, but that it had more to do with a rise in the number of incidents being reported than with the number of breaks themselves.

However, Ms Butler told the conference the reported incidents showed a change in the nature of breaks and the type of failures firms should be prepared for.

For instance, a substantial number of new reports were about technology failures, rather than cyber attacks, as well as management and responsibility issues.

She said: "An increasing proportion of operational resilience failings are based around technology and within that, we are seeing hardware and software failures becoming increasingly important.

"This is not surprising given what we see in terms of the technology changes in the industry and the use of software within these firms."

Ms Butler told the meeting that other key issues revolved around change management problems — adapting to the speed and complexity of changing technology risk — as well as third parties contracted to perform certain duties.

She said: "This is consistent with what we see of firms' own views of where they see risk in this area.

"Firms call out problems relating to key assets in cyber security being complicated as well as managing change."

Key assets in cyber security typically include hardware such as servers and software such as support systems as well as confidential information and personal data.

She added that firms often told the FCA they struggled to know the risks associated with third-party suppliers, including what was safe to use in terms of cloud-based technology and who to monitor.

Ms Butler also told the meeting the industry should expect greater international coordination on operational resilience, saying it was an area where "the more regulation coordination the better" due to the number of firms that operated cross-border.

She said the FCA and other regulators were "very focused on operating in this area in a joined up way".

Operational resilience for financial services firms was a key part of the FCA’s 2019-20 business plan, which highlighted outsourcing, third parties and change management as vital issues affecting the industry.

In a recent Treasury select committee evidence session on IT failures in financial services firms (July 9), Marcus Scott, chief operating officer of TheCityUK, said governance, regulation and innovation were all vitally important to ensuring firms had adequate operational resilience.

The committee also discussed how disruption at a scale that threatens one or more financial services firms had moved from "likely" to "inevitable" in recent times.