For the first time ever, a number of UK banks, financial services firms and other finance players have indicated that they consider risks associated with IT, such as external vendor issues and disruption of IT infrastructure, as their ‘number one’ risk.
It is one of the main findings in the Systemic Risk Survey, which is conducted on a biannual basis by the Bank of England, the central bank of the United Kingdom.
The research aims to quantify and track market participants’ views of risks to, and their confidence in, the stability of the UK financial system.
The survey is completed by executives responsible for firms’ risk management or treasury functions. Participants include UK banks and building societies, large foreign banks, asset managers, hedge funds, insurers, pension funds, large non-financial companies and central counterparties.
In its summary report, the bank wrote that “survey respondents remain confident in the stability of the UK financial system”, reporting a higher level of confidence than during the first half of this year.
Moreover, the perceived probability of a high-impact event affecting the UK financial system in both the short-term and medium-term has fallen further.
However, “for the first time in the survey, respondents cited risks associated with IT, for example external vendor issues and disruption of IT infrastructure, as their ‘number one’ risk,” the report stated.
In addition, geopolitical risk and cyber attack continue to be considered by a majority of respondents as the most challenging risks to manage, and the most likely to materialise.
Biggest risks
In what makes somewhat reassuring reading, most banks, building societies and other respondents judged that the likelihood of a high-impact event is lower than they indicated in the previous survey over the short term and medium term.
In fact, no respondents consider the likelihood of a high-impact event to be very high and less than one in five think the likelihood of a high-impact event is high, a drop of 8 per cent compared to the previous survey.
The participating banks and other finance firms were asked to list the five risks they thought would have the greatest impact on the UK financial system if they were to materialise.

Geopolitical risk topped the list, cited by 93% of respondents, an 8 percentage point jump since the previous survey, followed by cyber attacks (80%, +10 percentage points), risks associated with a UK economic downturn (45%, +1 percentage point), risks associated with an overseas/global economic downturn (33%, +19 percentage points) and, finally, climate risk (29%, -7 percentage points).
Most strikingly, there was a significant uptick in the share of respondents citing risks associated with IT, for example external vendor issues and disruption of IT infrastructure (11%, an increase of 9 percentage points), and for the first time in the survey, some cited it as their ‘number one’ risk (4%).
Digital focus
Although the Bank of England stressed that the survey results do not necessarily reflect the Bank’s position or strategy, there is no doubt the central banking body is increasingly focused on IT and digital infrastructure, with testing being paramount for all financial institutions in the UK.
In fact, a senior executive at the BoE recently warned that the operational resilience of the financial market infrastructure is crucial to UK financial stability and financial services firms should step up efforts ahead of new rules that come into force next year.
Sasha Mills, executive director at the Bank of England (BoE), said “testing the unlikely” should become common practice for financial services firms.
Ahead of the BoE’s new Operational Resilience Policy, which will take effect in March 2025, Mills outlined the key expectations for banks and other finance players in a speech at the London Institute of Banking and Finance.
The City insider explained to attendees that the policy is designed so “crucial bits of financial market infrastructure are able to respond to and recover from an extreme but plausible disruption scenario before the market or payments ecosystem it serves is destabilised.”

Mills went on to provide more detail about where the focus of such market infrastructure providers should be in terms of building this resilience.
“Confidence in financial services is critical to having a vibrant and prosperous economy,” she stated. “So when the underlying infrastructure fails, this confidence can be damaged, and this puts financial stability and growth at risk.”
“When we talk about firms being ‘operationally resilient’, we mean firms can prevent, respond to, recover from, and learn from these disruptions.”
Obviously, disruptions could come from a variety of places. Cyber-attacks are one of the most frequently cited risks to UK financial stability the Bank of England sees in its industry engagement, but Mills is also concerned about events like natural disasters or operational errors.
In recent years, the BoE put in place policies on Operational Resilience, and outsourcing and third-party risk management.
Operational Resilience Policy
Coming up with a standard for Operational Resilience is more complex “than simply asking firms to always run flawlessly, across all business areas,” Mills said.
“Firstly, it is impossible to prevent every disruption or disruptions of every conceivable kind. And secondly, some operations are more important than others.”
The first component of the BoE’s Operational Resilience policy asks financial firms to identify which business services are important to financial stability, or put another way, services which, if disrupted, could threaten financial stability.
“Then, we ask firms to say what level of disruption those important business services could experience before risking financial stability, and we call this an ‘impact tolerance’,” Mills continued.
“While expressing impact tolerances in terms of time is necessary to plan for continuity of an important business service, finance firms should consider if there are other metrics that could play a useful role,” she explained during her speech in London.
“Now, having processes and operations which meet this bar does not happen overnight, so we have given firms several years and a deadline of March 2025 to meet this required standard of resilience.”
Testing approach
One area that still requires significant work, as Mills put it, is the approach and method firms use to test disruption to important business services.
“How firms design the scenarios used to test their ability to respond to and recover from an incident is critical to ensuring firms’ capabilities are adequate,” she said.
“For example, firms should be asking themselves the following questions: Are the scenarios extreme enough? How many scenarios are sufficient to ensure the risk has been looked at from several angles? Do the scenarios ‘think the unthinkable’?”
Mills said the BoE wants to see firms prevent incidents where they can, and it needs to know they know what to do when things do go wrong and ‘the worst’ does indeed happen.
“Mature scenario testing requires depth and consistency of approach across scenarios and the design needs to be really clear: the cause of the disruption, the scale of the disruption and the key risk factors and vulnerabilities that are being tested are clearly set out,” she said.
“This is not an off the shelf set of scenarios,” she stressed.
“It is important that the scenarios chosen are indeed of an ‘extreme but plausible’ scale. What could these be? Well, loss of an important third-party provider, or a severe cyber-attack impacting multiple data centres at once could be a couple of examples.”
Testing for these kinds of scenarios helps ensure firms are “thoroughly testing their response and recovery capabilities,” Mills continued.
“It also means firms are challenging assumptions they may be making about the suitability of their response and recovery plans, especially over what will happen over longer timeframes or within heightened impact scenarios.”
Testing quality
Mills said that firms need to do further work to improve on the sophistication of their testing approaches, looking for testing methods in addition to tabletop and desktop exercises.
“Testing types and methods should be as realistic and sophisticated as possible, covering recovery of all critical systems, services, and data, whilst also of course ensuring the testing itself does not introduce any additional risk,” she warned.
Operational resilience testing should also consider the impact of disruption on the wider ecosystem that the firms operate in, and firms should increase their efforts to involve critical third parties and their participants within their testing, the BoE veteran told attendees.
“This could be through industry wide tests as well as tests designed and tailored by a finance firm or bank, to test impact and recovery actions, both for themselves and their participants and wider ecosystem.”
Moreover, the BoE expects firms to prioritise their efforts on scenario testing over the next year so that they can identify vulnerabilities sufficiently early to remediate them before March 2025.
“We will be continuing to look over the coming year for robust remediation plans from financial firms, with appropriate funding and resources dedicated to address weaknesses found during testing.”
Mills added that “the speed at which vulnerabilities are remediated should reflect the potential impact to the financial sector that disruption, associated with that vulnerability, would cause.”
For Mills, it’s vital to “test the unlikely. Think the unthinkable. Yesterday’s ‘unlikely’ may be tomorrow’s reality, and finance firms need to consider this when deciding what scenarios are extreme but plausible.”
Data integrity
Apart from running more and better tests, firms also need to consider how data integrity, or the lack of it, may affect time to recover: any recovered data that will be used in critical processes needs, once restored, to be checked to be accurate, complete, valid and reliable, Mills noted.
“Obviously as supervisors we will probe how firms are thinking about these questions, this is not ‘one size fits all’,” she stressed.
Having identified the important business services and impact tolerances, the BoE expects firms to show they can meet those impact tolerances – that is to recover their services within tolerance – under a variety of “extreme but plausible disruption scenarios,” Mills noted.
Priorities
Apart from testing methods, less than a year out from the March 2025 deadline, there is still a lot of other work for financial services firms and the BoE, Mills continued.
“Over the past few years, the Bank has been engaging with firms to understand their progress towards meeting this regulatory deadline. We are encouraged by some progress that has been made, however there is still considerable work to be done for many financial firms,” she shared.
When thinking about how firms implement the Operational Resilience policy, Mills said the BoE considers the wider business model and company structure they operate within.
Whilst the March 2025 deadline represents a significant milestone, “it is also not the end of the story and should not be seen as a ‘one off’ event – after the deadline, firms will need to continue to monitor and improve their operational resilience as risks and technologies evolve,” she said.
Mills pointed out that “cyber threat actors who seek to harm the financial system will not stop developing their techniques, so firms need to remain vigilant to the changing threats they are exposed to.”
Emergence of new tech
Mills told attendees that the BoE thinks that firms need to make sure that they are both addressing known vulnerabilities and taking into account changing or increasing risks, for example from increasing digitalisation and the emergence of new technologies such as cloud services, artificial intelligence, or Distributed Ledger Technology (DLT).
“Whilst these emerging technologies can bring efficiencies and improved risk management, firms also need to be aware of and manage the risks when these technologies are introduced to their ecosystem, risks from either adoption of these technologies within their businesses or use by customers and suppliers.”
Moreover, “some technologies may also heighten threats from malicious actors – such as AI or quantum computing being leveraged to make cyber-attacks more powerful,” she said.
Expectations
Over the next year, as the March 2025 deadline approaches, the BoE expects to see firms accelerating their efforts to ensure that they have “calibrated their tolerance for negative impacts on their important business services, and mapped the key people, processes, technology, facilities, and information needed to deliver these services,” Mills explained.
She added: “Firms should then be fully testing their ability to remain within impact tolerances for ‘extreme but plausible’ scenarios – ensuring that response plans and capabilities are robust, and where not, that strategic investment is being made.”
Mills called this “a key requirement” as she explained that “for the calibration of impact tolerances, we expect to see greater engagement than we have seen thus far between firms, their participants, and the wider market.”
She concluded by saying that “when designing impact tolerances, firms should ensure they are considering the impact of disruption to their services on the market they serve – recognising that, where an incident is not contained within a short period of time, this could cause contagion and additional risks to crystallise.”