Viewpoint, December 19 2023

Duncan Mackinnon: Building operational resilience

An inside view of how the Bank of England views cyber security and operational resilience.

Cyber attacks are trending upwards; according to one source, the number of attacks increased by 38% year-on-year in 2022 and this trend continued into 2023. Just in the first half of 2023, we have seen two significant attacks against companies providing important services to a range of regulated financial firms in the UK and internationally.

More recently, a cyber attack on a US-based clearing house also had broader impacts on the financial sector. These attacks have brought into sharp focus the operational resilience of financial services and highlight the sector’s increasingly complex dependencies on third parties supplying technology, and the importance of strong risk management through the supply chain.

Building operational resilience

Operational resilience is about ensuring that disruptions, when they occur, do not affect the provision of vital financial services to the economy, jeopardise financial stability, or undermine the safety and soundness of firms. Strengthening the operational resilience of the financial sector is a key objective for the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). To achieve this outcome, banks, insurers and financial market infrastructure firms will need to invest in their ability to prevent, adapt to, respond to, recover from and learn from disruptions. Firms will also need to put in place robust scenario testing frameworks to assess the effectiveness of these investments.

Scenario testing frameworks should consider both the causes and the impacts of a disruption, and have clear parameters for calibrating scenarios. The scenarios should be severe and cover a broad range of threats, such as a malicious insider, a ransomware attack by a capable threat actor and the failure of a critical third party. Before and since the global financial crisis in 2008, regulators and industry have debated extensively the calibration of the financial shocks to which firms should be resilient; a deeper dialogue on relevant scenarios and their severity is also needed for operational risk. That dialogue will need to evolve as new risks emerge, including from artificial intelligence, quantum computing and shifting geopolitics.

Operational resilience is a property of individual firms and also of networks of firms, including financial infrastructure firms and third parties outside the regulated sector. We therefore need to test the resilience of these networks within the financial system as well as individual firms, and we need to understand what the impacts will be when a cyber attack succeeds, as well as seeking to reduce the chances of a successful attack.

Scenario testing is, therefore, a key pillar of the BoE and PRA’s broader strategy for building up the operational and cyber resilience of the UK financial sector as a whole. As part of the Financial Policy Committee’s (FPC) cyber framework, we have developed a cyber stress-testing tool that tests firms’ ability to meet the FPC’s impact tolerance — its expectation for how quickly firms must be able to complete critical payments — in a severe but plausible cyber scenario or any other operational disruption. We recently published the findings of our 2022 cyber stress test, which was designed to explore firms’ response and recovery options in a hypothetical data integrity scenario affecting retail payments.

We also test firms’ cyber resilience through the CBEST programme, which uses threat-led intelligence testing to mimic the actions of cyber attackers. We have recently published thematic findings from the 2023 CBEST cycle so that the wider industry can benefit from the lessons learned.

A robust third party regime

Financial firms increasingly rely on third-party providers of services such as shared virtual data storage and processing. While the adoption of cloud services presents many opportunities, there are also risks which financial firms need to manage effectively. The PRA’s approach to outsourcing is outcomes-focused and technology-neutral. We expect firms to make risk-based decisions and consider all available options to strengthen their resilience when relying on third-party services.

For example, firms should develop and test business continuity plans and exit strategies for outsourced services. A key principle is that firms’ boards and senior management remain fully accountable for their outsourcing arrangements.

The FPC has been monitoring the potential risks from the financial system’s increasing reliance on third parties, in particular the risk of concentration of key services in a small number of ‘critical’ third parties (CTPs). In recent years we have seen outages across a number of cloud service providers caused by physical damage and by logical/processing failures, which had material impacts on businesses.

A cyber attack or operational outage at a CTP could disrupt the provision of vital financial services to the economy and potentially affect market confidence more widely where many firms are relying on the same third party. In 2022, the BoE, PRA and FCA published our views on how to strengthen the resilience of services provided by CTPs, and the authorities have consulted on a proposed set of rules and expectations for CTPs.

In the EU, the US and other jurisdictions, financial regulators are working on similar challenges. Wherever possible, the UK will coordinate with our peer regulators internationally to achieve a broadly shared aim of enabling the financial system to innovate and grow, while managing the risks of new technologies. Given the international activities of many financial firms and of key technology suppliers, co-operation across borders will be key to achieving regulators’ objectives.

The UK financial authorities are active members of the G7 Cyber Expert Group, which supports information-sharing and coordination in response to incidents and shares views on cyber security policy and strategy across the G7. The BoE is also a key participant in international regulatory initiatives to strengthen operational resilience, such as the third-party risk management toolkit and the model for convergence in cyber incident reporting that the Financial Stability Board has published this year.

Strength through partnerships

Alongside international engagement, effective coordination across the UK financial authorities is key to minimising the impacts of operational incidents and cyber attacks on the wider system. Responsibility for responding to disruption sits with firms themselves, but when a significant part of the financial system is affected, the authorities have a crucial role in supporting response and recovery.

The BoE, FCA and the UK Treasury participate in the Authorities Response Framework (ARF) which helps ensure the authorities coordinate with each other and effectively communicate with regulated firms to respond to an operational disruption. If there is a cyber attack, the ARF will include the National Cyber Security Centre (NCSC) to support the response. Coordinating with the financial sector during an incident is one element of a broader public-private partnership that is needed to keep UK financial services resilient.

The Cross Market Operational Resilience Group (CMORG) brings together government, the financial regulators and the NCSC with UK financial firms to develop approaches to common operational resilience challenges, such as how to protect the integrity of a firm’s data, as well as tackle collective action problems, such as the issue of how firms decide whether and when to re-connect to a counterparty that is recovering from a cyber attack. CMORG held its inaugural conference in September this year and is key to ensuring financial firms of all types and sizes can enhance their resilience using the latest industry thinking.

Good risk management

The global financial crisis is now 15 years distant and the deep reforms that followed it have shown their worth during that time, perhaps especially in recent years as crises have roiled economies and societies across the globe. As we saw in 2023, banks will still fail because of weak business models, poor governance and financial risk mismanagement.

Over the same period, the operational infrastructure of the financial system has changed dramatically and continues to change at pace as new technologies emerge. Just as we must learn from financial failures, we must also learn from operational failures and cyber attacks. An open, efficient and dynamic financial sector is the right goal; we have a lot of work to do to build resilience collectively and to remain vigilant in a changing risk environment.

Duncan Mackinnon is executive director for supervisory risk specialists at the Bank of England.
