UK rolls out Software Code of Practice in digital resilience drive


The UK government has introduced a Software Security Code of Practice, aimed at enhancing the security and resilience of software used by banks and financial services firms, as well as by other businesses and organisations.

The initiative seeks to assist software vendors and their customers in reducing the likelihood and impact of supply chain attacks and other incidents linked to vulnerabilities in software development and maintenance.

Developed through consultation with the UK’s technical authority for cyber security, the National Cyber Security Centre (NCSC), and dozens of industry experts and academics, the Code of Practice outlines 14 key principles divided into four themes: Secure Design and Development, Build Environment Security, Secure Deployment and Maintenance, and Communication with Customers.

The principles are intended to provide a consistent baseline for software security across the market, regardless of the size or sector of the vendor, according to the NCSC.

The Canadian government is expected to soon adopt the Code of Practice as well, as the NCSC’s initiative was co-sealed by the Canadian Centre for Cyber Security (CCCS).

Key principles

According to the UK government, the principles outlined in the Code are considered fundamental and achievable measures that can help secure the digital infrastructure underpinning business operations.

Organisations are encouraged to implement secure development frameworks, assess risks associated with third-party components, and conduct rigorous testing of software and updates prior to deployment.

Under the theme of Secure Design and Development, the Code emphasizes the need for secure-by-design and secure-by-default principles to be embedded throughout the software lifecycle.

Vendor organisations are urged to follow established secure development frameworks and maintain clear processes for identifying and managing vulnerabilities.

The Build Environment Security theme highlights the importance of safeguarding build environments against unauthorized access. Firms are expected to enforce strict access controls, log all changes, and conduct regular security assessments to maintain software integrity.

The Secure Deployment and Maintenance theme stresses the importance of maintaining software security throughout its lifecycle. Organisations are encouraged to implement vulnerability disclosure processes, notify customers of potential security risks, and provide timely updates and patches to mitigate identified vulnerabilities.

In the Communication with Customers theme, the Code underlines the need for transparency regarding the level of support and maintenance offered for software.

Vendors are also expected to inform customers at least one year in advance before ending support for any software product.


The UK government is providing a self-assessment form to accompany the Code of Practice, allowing organisations to monitor internal compliance and offer security assurance to customers. The form is designed to be adaptable, enabling firms to demonstrate compliance based on their specific processes and risk profiles.

Additionally, the government stressed it is developing a certification scheme aligned with the Code’s principles, further incentivizing adherence to software security best practices. More information on the certification process is expected to be released in due course, according to Pat McFadden, Chancellor of the Duchy of Lancaster.

Speaking on behalf of the UK government, McFadden stressed that businesses can no longer afford to let digital standards slip.

“Attacks need to be a wake-up call for every business in the UK. In a world where the cybercriminals targeting us are relentless in their pursuit of profit – with attempts being made every hour of every day – all firms and companies must treat cyber security as an absolute priority,” he said.

“We’ve watched in real time the disruption attacks have caused. They serve as a powerful reminder that, just as you would never leave your car or your house unlocked on your way to work, we have to treat our digital shop fronts the same way,” McFadden warned.

Digital resilience efforts

A range of efforts have been undertaken so far this year in the UK to boost digital resilience in a host of sectors.

In the financial services space, the UK central bank, the Bank of England (BoE), recently launched a consultation on a number of regulatory proposals intended to strengthen digital resilience oversight and reporting in Britain.

The consultation paper published by the BoE sets out the Prudential Regulation Authority’s (PRA) recent proposals “to set requirements in rules and expectations for firms to report operational incidents and their material third-party arrangements,” the banking authority said.

The PRA, alongside the financial services watchdog, the Financial Conduct Authority (FCA), aims to introduce new rules that will bring the UK in line with key regulations across Europe, most notably the Digital Operational Resilience Act (DORA), which came into force on January 17.

“[It] proposes to establish a framework for timely, accurate and consistent reporting of certain operational incidents, and notification and reporting of material third-party arrangements,” the BoE clarified.


The Bank stressed “the proposals set out clear and robust requirements and expectations for regulatory reporting which aim to support the operational resilience of the UK financial sector and enhance understanding of sector threats and vulnerabilities.”

The BoE highlighted that the proposed regulatory regime would apply to all UK banks, building societies, most investment firms and branches of overseas banks, most solvency firms and any other PRA-regulated firms.

The Prudential Regulation Authority is a UK financial services regulatory body, formed as one of the successors to the Financial Services Authority (FSA). It is responsible for the prudential regulation and supervision of banks, building societies, credit unions, insurers and major investment firms.

The Bank is inviting all relevant parties to submit their responses and share their views before March 13 of this year.

The BoE stressed it is “a key priority” to improve the operational resilience of firms and protect the wider financial sector from the impact of operational disruptions as the digital infrastructure of many banks, finance firms and the wider industry has become more complex.

“As the financial sector becomes increasingly interconnected, complex and dynamic, strengthening operational resilience enables firms and the financial sector to more effectively deal with risks to prevent, adapt, respond to, recover, and learn from operational disruptions,” the Bank said.


The new rules “align closely” with international standards such as DORA, according to John Ho, head of legal and financial markets at Standard Chartered Bank.

“The final rules, when implemented, will not only strengthen the resilience of the services that critical third parties provide to individual firms, but will improve the resilience of the UK financial services sector as a whole,” he explained.

Ho added: “By strengthening resilience and promoting market stability, this will ensure the UK is an attractive place to do business.”

The BoE argued the financial services sector is in need of new rules and regulation, referring to a 2019 Treasury Select Committee report which examined 2018 IT failures in the financial services sector.

The report back then made a number of recommendations for UK regulators, including that the Bank, PRA and FCA should assess the accuracy and consistency of incident reporting data, clarify standards, guidance and definitions for industry and consider the need to expand current reporting requirements.

The PRA responded to the TSC report by publicly committing to review its regulatory reporting requirements for operational resilience; however, the regulator postponed the introduction of incident reporting proposals due to the Covid-19 pandemic, as it did not want to place an additional burden on firms “during a challenging period,” as the BoE put it.

The latest incident reporting proposals therefore “seek to address the relevant recommendations made in the TSC report,” the Bank clarified.

The Bank’s consultation came only months after the PSR published, in November 2024, a regulatory regime for the supervision of critical third parties (CTPs).

“It recognises the risk that severe disruption arising from certain third parties could pose to the safety and soundness of firms, policyholder protection and the financial stability of the UK,” the BoE stressed.

“To support the identification of CTPs and assess where critical nodes of failure could arise, the PRA needs to collect adequate data on firms’ material third-party arrangements,” it added.

Vulnerability disclosure rules

Interestingly, the BoE dropped a controversial vulnerability disclosure rule at the end of last year.

In November 2024, the banking authority withdrew proposals that would force third-party players to disclose vulnerabilities.

In fact, the BoE acknowledged that requiring third-party firms to “openly” announce or share IT vulnerabilities would “go against plans to reduce risks”.

“In various parts of the regulators’ draft rules and draft supervisory statement, ‘vulnerability’ was used in a general, ordinary-language sense,” the Bank wrote.


It explained that “respondents were particularly concerned about potential requirements or expectations on critical third parties to disclose unremedied vulnerabilities – in the cyber-security sense – to the regulators and to the firms they provide systemic third party services, as this could increase the risk of threat actors exploiting these vulnerabilities, which would go against the overall objective.”

The Bank said, after reviewing all uses of the term in its frameworks and overall rules, it had replaced the word ‘vulnerability’ with “areas of improvement”, as well as removing “any requirements and expectations” to “disclose unremedied vulnerabilities (in the cyber-security sense) to the regulators and to the firms they provide systemic third party services to.”

Discussing the rules on his LinkedIn account, Francesco Fulcoli, chief compliance and risk officer at Flagstone, posted that “disruptions caused by cyber-attacks, power outages, or system failures could cascade through the financial system, undermining public confidence and economic stability.”

“The new regime complements existing operational resilience and outsourcing rules. Firms must still ensure they manage risks effectively, but the oversight regime adds an essential layer of protection by directly regulating the resilience of CTPs,” he wrote.
