The importance of operational resilience has been highlighted in a letter from Simon Walls, sell-side director at the Financial Conduct Authority (FCA), to the chief executives of wholesale banks active in the UK.
The FCA expects banks to maintain operational resilience to ensure the safety and soundness of markets, the letter said, as outlined in the FCA’s policy statement PS 21/3 titled: “Building Operational Resilience.” This policy requires banks to focus on the services they offer rather than just the systems they operate and depend on.
The letter highlighted that a significant point of concern for the FCA is the increasing reliance of UK financial services firms on third-party services. It said the FCA has observed instances where third-party systems were compromised by cyberattacks. While such breaches can disrupt services, they can also jeopardise the confidentiality of market-sensitive information, it said.
And if a third party serves multiple firms, the impact of a breach can become systemic. The FCA holds firms accountable for their operational resilience, regardless of their reliance on third parties. Banks are expected to understand their dependence on third-party providers and mitigate potential impacts on business continuity.
The FCA also expects prompt notifications from firms if they or a third party they rely on have been subjected to a cyberattack. Delays in informing the FCA can hinder the authority’s ability to coordinate a response.
In terms of compliance, the FCA will continue to review banks’ adherence to the requirements of PS 21/3. The FCA will also engage with senior managers to assess lessons learned from operational resilience events, even if their firms were not directly affected.