Cybersecurity concerns and privacy laws have come charging to the forefront of regulation in recent years.
This year will be the year that financial companies are held accountable for failing to ensure their businesses can withstand disruptive events that could impact the broader markets.
Like most other sectors, the financial services industry is being quickly transformed by digitalisation and technology innovation.
However, as companies become more reliant on technology, regulators are keeping a close watch on how they manage their cybersecurity and technology risk.
This has led to a new paradigm: operational resilience.
Operational resilience, as defined by the Bank of England, is “the ability of firms and the financial systems as a whole to absorb and adapt to shocks, rather than contribute to them”.
Building operational resilience requires a cross-functional approach. It covers how a company mitigates the risks inherent in the systems and technology it uses, whether run in-house or supplied by a third-party vendor, as well as how it responds when an incident actually occurs.
Fitting with regulation
In the same way that balance sheet resilience has been a key focus of regulators since the 2008 financial crisis, operational resilience will be the key focus for the next decade.
The rapid acceleration of technological change in financial services, combined with the potential for inadequate cybersecurity and technology risk management, has made operational resilience a global regulatory priority.
Several regulators have recently laid out their expectations with respect to enhancing operational resilience in financial services, or have started consultations as a precursor to doing so.
Recent statements and consultations from the likes of the Financial Conduct Authority and the US Securities and Exchange Commission have broadly encouraged all financial services companies to adopt cybersecurity and operational resilience best practices.
Under the FCA’s recently implemented Senior Managers and Certification Regime, for example, senior managers are ultimately responsible for their company’s operational resilience.
Even though different regulators are each building their own programmes to tackle the issue, there are common areas that companies can concentrate on to build operational resilience. These include:
• Strategy and governance. Ensuring board understanding and sponsorship is key. Define your company’s strategy based on analysis and understanding of core business functions, together with the people, process, technology, and third-party dependencies that underpin them.
• Risk assessment and management. It is critical to embed the effective identification, analysis, evaluation and management of cybersecurity risks within your business strategy, rather than treating them as a separate IT exercise.
• Threats and vulnerabilities. Ensure that the company has a good handle on its key threats and weak points, such as staff security awareness, third-party risk, access controls on remote access, and cloud-hosted systems. Penetration testing and vulnerability assessments will help identify issues requiring remediation; the findings should then be tracked through to closure rather than filed away.
• Incident response. It is highly likely that your company will suffer a breach at some point, so make sure the entire business is well prepared. It is critical to have a well-defined incident response plan and procedure in place, and to test them regularly through simulation exercises so that the people involved know their roles before a real incident occurs.