UK watchdogs to tighten incident reporting requirements



Two major UK regulators, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), together with the country’s central bank, the Bank of England (BoE), published parallel consultation papers on operational incident and third-party reporting last week.

The move is largely aimed at aligning the UK with key regulations that have been adopted by regulators across Europe, most notably the Digital Operational Resilience Act (DORA), which is coming into effect in only a few weeks from now, on January 17.

Analysing the consultation documents, Jack Armstrong, a partner at EY specialised in operational resilience, called the UK proposals “a necessary evolution of the UK regulations to enhance visibility of operational resilience and systemic risks across the sector.”

So what are the key elements of the UK proposals?

“[They] aim to standardise incident reporting and ensure information is shared with regulators in a timely and consistent manner,” London-based Armstrong explained in a recent LinkedIn post.

To do this, they set out a range of definitions and guidelines, starting with the definition of an ‘operational incident’: a single event, or a series of linked events, that disrupts service delivery to external end users or compromises the availability, authenticity, integrity or confidentiality of data.

In addition, firms must determine if an incident meets the thresholds for significant impact.

“These thresholds should align with the level at which an operational incident poses a risk to regulatory objectives, such as consumer harm, UK financial system stability, firm safety and soundness or policyholder protection,” Armstrong, who leads EY’s UK financial services operational resilience solution, pointed out.


“This is a necessary evolution of the UK regulations to enhance visibility of operational resilience and systemic risks across the sector.”

– Jack Armstrong

Firms should also consider Consumer Duty requirements, including service adequacy, reputational impact, legal compliance and data safeguarding.

A phased reporting approach is proposed for incidents that meet the defined thresholds: the initial report must be submitted to the PRA within 24 hours of the firm determining that an incident has breached the threshold, while the FCA requires it “as soon as practical”.

Both regulators also require an intermediate report whenever there is a significant change in the incident’s status.

Finally, both watchdogs demand a final report within 30 working days post-incident resolution, extendable to 60 working days if necessary.

“This report must include a full impact assessment, lessons learned and root causes,” Armstrong noted.
He added that “given firms’ increasing reliance on third-party services, the proposals expand the scope of reporting to include material outsourcing and non-outsourcing third-party arrangements and outline the following definitions and guidelines.”

Firms must determine whether an arrangement is ‘material’ based on the risk the third party poses to regulatory objectives, such as consumer harm, UK financial system stability, firm safety and soundness or policyholder protection, in the event of failure or disruption.

Moreover, firms must maintain and annually submit a structured register of material third-party arrangements to ensure accurate records, Armstrong explained.

Finally, firms must notify regulators of material third-party arrangements requiring high due diligence, risk management, or governance, using a standardised template aligned with the register.

DORA

Armstrong also addresses the question of whether firms can leverage the changes they have already implemented for DORA, explaining that “while DORA focuses on high-impact incidents on critical or important functions, these proposals cover a broader range of operational incidents.”

He added: “Both share underlying data similarities, allowing firms to leverage DORA capabilities for UK incident reporting.”

The DORA rules aim to strengthen oversight, operational resilience and the relationship between banks and other financial institutions and the firms that manage, run, test and update their software infrastructure.

The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) have been tasked to jointly establish, roll out and enforce the EU’s new ICT framework.

Both DORA and UK regulations emphasise third-party risk management but differ in detail.

“The alignment between annual register requirements may reduce firms’ implementation effort and will ensure transparency and accountability,” Armstrong said.

While DORA comes into force in four weeks, the UK is still in its early stages as the consultation period runs until 13 March 2025, with new rules set for implementation no earlier than the second half of 2025 by the FCA and the second half of 2026 by the PRA.

Overall, Armstrong called the UK consultation paper “a significant step towards strengthening the operational resilience of the UK financial sector.”

In fact, by establishing a robust framework for reporting operational incidents and third-party arrangements, “the PRA aims to enhance oversight and support the operational resilience of the UK financial sector,” he concluded.

ECB warning

As the implementation deadline for DORA draws near, on 17 January of next year, less than four weeks away, banks and financial firms across Europe are rushing to make sense of the new rules and, perhaps more importantly, to be fully compliant by the end of January 2025.

Many European banks are still not prepared for DORA. At least, that was the stark warning from the European Central Bank (ECB) last month.

The ECB stated that a host of banks across Europe still face major IT challenges and their software testing practices are not up to scratch.

In fact, IT security risk assessment frameworks at numerous European financial institutions are in need of an upgrade, according to the central bank.

The ECB, the central bank of the European Union countries which have adopted the euro, wrote in a damning article in its latest compliance newsletter that “some banks are still facing challenges in implementing basic security controls and many key areas remain insufficiently developed in certain banks.”

The central bank stressed “these areas include security testing, vulnerability management, network segmentation, security detection, response and recovery capabilities and identity and access management.”

Moreover, “IT security risk assessment frameworks require significant improvement,” the ECB observed.

As DORA’s deadline rapidly approaches, Jonathan Armstrong, a partner at Punter Southall Law and expert in compliance and technology regulation and not related to EY’s Jack Armstrong, agrees with the ECB and warns firms should not underestimate the impact of the new regulation.

“DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions,” explained Armstrong, pointing out it applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers, like cloud computing services.


“At its core is the recognition that financial systems across the EU are part of each country’s critical national infrastructure,” he continued, adding that “many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU.”

Armstrong singled out the global CrowdStrike outage in July, when millions of computers went down, primarily in the US, following a faulty software test. It demonstrated how “interconnected the global infrastructure is,” he added.

“DORA has caused concern in the financial services, tech and cyber security communities so it’s important for businesses to understand fully their responsibilities,” Armstrong wrote in recent legal analysis.

Enforcement

EU Member States will be responsible for establishing the penalties and remedial measures under DORA, which can apply to both natural and legal persons.

Additionally, Member States can apply the penalties or remedial measures of a legal entity to members of its management body and other responsible individuals.

“Member States may also choose to establish criminal penalties for breaches of DORA. In this respect DORA mirrors another recent compliance trend with a concentration on personal liability in an effort to reinforce cybersecurity measures,” Armstrong observed.

DORA spells out detailed criteria for the classification, management, and reporting of ICT risks.
It also includes comprehensive recurring testing of these systems and a set of requirements for managing and monitoring ICT-related risks in the finance sector.

Not just finance firms

What is important to note is that the new regulation expands its scope beyond traditional financial institutions to include the management of technology services by third parties and organisations such as insurance companies and reinsurers.

The DORA regulation sets out specific requirements with regards to ICT risk management and governance, incident reporting, third-party risk management as well as operational resilience testing and threat sharing.

With regard to the testing element, ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities and remediate them in a timely manner.

In addition, financial institutions must establish agreements to share information and intelligence about threats and vulnerabilities.

Armstrong was keen to stress that any organisation that is in the DORA regime, or provides services to those that are, will need to consider how to meet its responsibilities under DORA.

“This is likely to be a significant project for most and will include steps such as a gap analysis, to focus on the work that needs to be done, training on operational resilience, which is likely to include the IT team, communications professionals and the compliance function.”

He said that for banks and financial services organisations, “working out key dependencies, mapping devices and storage locations” may be vital, not least to ensure that compliant contracts are in place with all third-party providers.

In summary, Armstrong warns that by January 17 “financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements.”

