Against the backdrop of the COVID-19 pandemic, businesses can no longer ignore the risk of technology outages or the threat of increasingly sophisticated cyberattacks. This is especially true of financial firms, which, according to a report by the Boston Consulting Group, are 300 times more likely than other institutions to be targeted by cyberattacks. That is why the UK regulators have introduced a new regulatory framework, Operational Resilience, taking effect on 31 March 2022, that sets out how organisations in the financial services industry must build resilience into their business.
Here’s what you should know about the new regulation and the path forward for organisations affected by it.
What is operational resilience?
The term “operational resilience” has become the de facto name of the regulation. The regulators (the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)) define it as the ability to prevent, adapt and respond to, recover from, and learn from operational disruption. Such disruptions include cyber threats, technology outages, and accidental data loss or corruption caused by human error.
Operational resilience goes beyond business continuity planning and involves developing a comprehensive framework that covers all potential impacts, risk factors and tolerance levels affecting a business’s successful operation.
The new operational resilience rules apply to a wide range of institutions in, and related to, the financial services industry, such as banks, building societies, investment firms, insurers and payment service providers.
Operational resilience requirements
By 31 March 2022, in-scope firms must have formalised and documented plans that:
- identify their important business services, and the data those services depend on, determined by considering the impact a disruption to each service would have on consumers and on the wider market
- define an impact tolerance for disruption to each of those services (the maximum tolerable level of disruption, e.g. a maximum outage duration or volume of affected transactions) and a recovery objective consistent with it
- articulate mitigation strategies and demonstrable processes to ensure data integrity, security and resiliency under severe but plausible scenarios, including extreme ones
The further requirement to remain within the impact tolerance for each important business service applies in full only from March 2025. This three-year transition period gives in-scope firms time to refine their mapping and scenario-testing exercises and to remediate the gaps those exercises reveal.
What steps can companies take to comply?
The past few years have shown us that financial firms must adapt to new ways of working, particularly with cloud-based tools. The operational resilience regulation is yet another reason for these organisations to accelerate their digital transformations and embrace cloud technology.
However, for all of the advantages of moving to the cloud, such as scalability, cost savings and reliability, there is also a responsibility that comes with housing your data there: you are on the hook for what happens to it. You might be thinking, “my SaaS data is protected because it’s in the cloud”, but nearly all SaaS applications operate under a shared responsibility model. You can count on your SaaS provider to secure the platform itself and keep it available, but as the customer you are responsible for the data you put into it, for who you allow to access it, and for being able to restore that data after it is deleted, overwritten or corrupted, whether by an attacker, a faulty integration or a user’s mistake. A provider’s own platform-level backups are typically there for its own disaster recovery and are not a substitute for customer-controlled backup and restore of individual records and configuration.
SaaS solutions like Salesforce, ServiceNow and Microsoft Dynamics 365 commit to very high uptime for customers, so downtime is unlikely, but reliability and resiliency are not the same thing. Reliability means the system or platform has limited downtime; resiliency means the business recovers quickly when disruptions inevitably occur. This regulation aims to embed capabilities, processes, behaviours and systems into the everyday running of financial organisations so that, in the face of disruption, they can continue to deliver their important business services.
So, where to start? This is a significant task, but there are steps organisations can begin taking now to assess and plan the necessary updates to their systems, policies and practices. Some good questions to begin with are:
- Where does critical data currently reside, including in SaaS platforms and in the integrations that move data between them?
- How well is that data protected from internal and external threats?
- Who can access that data, and how are permissions granted, reviewed and revoked?
- How prepared is the organisation for the event that critical data is compromised, deleted or corrupted, and how quickly could it be restored?
- Is there a data backup and recovery process in place, and if so, how robust is it: how often are backups taken, are they stored independently of the production platform, and has a restore actually been tested against the impact tolerances set for each important business service?
To comply with this new framework, investing in technology that helps you mitigate and recover from data loss and corruption is critical. At Own, our solutions have already helped many of the world's largest financial services organisations navigate complex regulations, protect their critical data and minimise risk.
In our next post, we’ll dig deeper into how Own’s solutions can help you maintain operational resilience. In the meantime, learn more about Own here.