At the start of October, I wrote an article which explained how a discussion paper jointly issued by The Bank of England, The Prudential Regulation Authority and The Financial Conduct Authority has the potential to change the way all financial institutions might be asked to operate in the future. The paper goes by the name of DP 01/18 and aims to achieve a ‘step-change’ in the industry’s operational resilience.
The UK authorities’ involvement shows their concern about how the inter-connectedness of the financial system makes it vulnerable, and that they recognise the continuing risk of cyber threats. The work will assess how the continuity of an organisation’s services might be maintained, no matter what has disrupted them.
Later in the month, the news highlighted how this was becoming a greater priority for the regulators. So what’s changed?
‘Unacceptable’ levels of disruption
At the end of October, the UK Treasury Committee reported that the frequency of online banking crashes and customer disruption had become unacceptable. Steve Baker, the Committee’s lead member for this inquiry, was quoted as saying:
“The number of IT failures that have occurred in the financial services sector, including TSB, Visa and Barclays, and the harm caused to consumers is unacceptable. The regulators must take action to improve the operational resilience of financial services sector firms. They should increase financial sector levies if greater resources are required and ensure individuals and firms are held to account for their role in IT failures and that firms quickly resolve customer complaints and award compensation. For too long, financial institutions issue hollow words after their systems have failed, which is of no help to customers left cashless and cut off.”
Higher operational costs
In addition, there were other important recommendations, notably that financial sector levies should increase so that regulators can hire experienced staff; that regulators must use their enforcement powers to ensure failures do not go unpunished; and that the concentrated cloud services sector should be regulated.
In my original article I explained that the report’s motives are undoubtedly sound and the effect across the industry will be positive. The nation has to be confident that the economy as a whole can respond to a major operational crisis affecting either an individual company or the entire system. However, more regulation will add another level of governance and that means higher operational costs.
At the start of October, I suggested that this could lead to higher prices. Now we are beginning to see more detail and stronger language in the form of levies, punitive action against failure and added regulation for certain critical functions.
Large and medium-sized organisations all have robust operational plans, and many small and medium-sized enterprises have thought through how they would operate in the event of a disaster. However, with more controls and rules designed to beef up this process, all organisations are going to have to apply more due diligence and put in place more controls and contingencies.
Clock is ticking
Larger organisations, though, will have to analyse the reliability of their suppliers much more thoroughly, and define how they want them to operate if they want to continue the relationship. I do not expect this to happen within the next few months but it’s likely that from the second quarter of 2020 we’ll be seeing this issue take front and centre stage.
Most companies will be asking, ‘what do we need to do about it?’ The answer depends on their leaders’ attitude to risk. Without a plan, your company is exposed to operational and reputational risk if there is a failure, but the cost and time involved may be considered too much relative to the risk.
However, in future an individual’s attitude to risk will be less of a consideration. The regulation will define minimum standards and expectations. As the threat of cyber attacks continues it could be wise to stay ahead of the regulation and put more time into planning.