
New FCA rules and guidance on operational resilience are an opportunity for the financial sector to add real robustness into business functions


New rules mean financial organisations will have to ensure business-critical functions continue to operate even during periods of huge disruption

Tom Richards, Systems and Storage Practice lead, Northdoor plc

New FCA guidance has come into force which will see organisations across the financial sector have to identify important areas of their business and ensure that they can continue functioning during any disruption.

With the pandemic and the fact that cyberattacks are becoming increasingly sophisticated and numerous, the FCA is looking to ensure that organisations across the sector are as well prepared as possible. This guidance started as a discussion paper in 2018 and organisations now have until March 2025 to ensure adherence.

Although there is a three-year onboarding process, companies should have already identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to the level of sophistication necessary to do so.

Which financial sectors must adhere to new rules and guidance?

The FCA operational resilience rules and guidance are a joint initiative between the FCA, the Bank of England and the Prudential Regulation Authority (PRA), and as such much of the financial sector is covered, including:

  • Banks
  • Building societies
  • PRA-designated investment firms
  • Insurers
  • Recognised Investment Exchanges
  • Enhanced scope Senior Managers & Certification Regime (SM&CR) firms
  • Entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011.

A handful of the bigger financial organisations have worked alongside the three regulatory bodies in putting this regulation in place and so are already ahead of the game. However, most other companies will only just be starting to think about what they need to put in place.

What do organisations need to do and how long have they got?

To adhere to these new guidelines, companies will have to look at a broad range of activities connected to governance, risk management and compliance. The key to success, though, is service discovery and classification, as well as having the right people, processes and technology in place.

The deadline for adherence is March 2025, but there are incentives in place for those that achieve this sooner as it will help to build stability and trust in the UK financial sector. Therefore, businesses will have to quickly work out what critical systems serve clients and what impact there would be if they lost these systems, or they couldn’t deliver services to their customers.

They will need to determine the maximum outage they could suffer without causing undue harm to the business. This will be a business-led conversation at board level to establish what services they could run without and for how long. Financial services institutions will need to put measures in place to check that they never go beyond the threshold set.

The last two years have shown why these steps are so incredibly important. The impact of the pandemic itself as well as the resulting changes to the workplace have made the financial sector a more tempting target for cybercriminals. Ensuring that the critical services can be continued no matter the crisis will help not just the company, but the sector as a whole.

Discovery, people and processes to play a key role

The FCA’s operational resilience regime is in many ways similar to GDPR, in that discovery, people and processes will play a key role. The guidance is designed to help financial organisations ensure that they are resilient for consumers, firms and financial markets.

As we have seen over the course of the past five years, cyberattacks on financial sector organisations are not just having a huge impact on the specific business but also on customers and the wider market. The aim of the guidance is to ensure that organisations implement operationally resilient systems that can absorb shocks rather than compound them.

In order to achieve this, they need to ensure that they build resilience in the right way. Organisations need to consider how the whole architecture can be made more resilient, with a mission statement that sets this out as a goal and from which the organisation subsequently designs back.

Initial task checklist

With so many firms likely to be behind schedule, or indeed not even to have begun the initial processes, there are some key tasks that need to be implemented urgently.

If you’re one of these firms, you will need to immediately:

  • Identify your important business services that, if disrupted, could cause intolerable harm to consumers of your firm or risk to market integrity, threaten your firm’s viability or cause instability in the financial system.
  • Set impact tolerances for the maximum tolerable disruption to these services.
  • Carry out mapping and testing to the level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in your operational resilience.
  • Conduct lessons-learnt exercises to identify, prioritise and invest in your ability to respond to and recover from disruptions as effectively as possible.
  • Develop internal and external communications plans for when important business services are disrupted.
  • Prepare self-assessment documentation.

Like the introduction of many regulations, most notably GDPR, the process of adherence can, on the face of it, look like a daunting task. Many are turning to independent consultancies to help them through the processes, identify the key functions and add layers of resilience to help ensure business continuity.

Far from being a daunting task, this should be seen as an opportunity. Cyberattacks are only likely to get more numerous and sophisticated over the coming months and years. Therefore, ensuring that you can continue to service customers even during the greatest disruption is not only good for business; it enhances reputation amongst customers and potential customers and thwarts the growing menace of cybercriminals.
