The transition period for the UK’s operational resilience frameworks will soon enter its second year and UK-based firms need to demonstrate that they are making measurable progress towards assessing the resilience of their important business services (IBS) and taking remedial action where necessary. Key to this is a firm’s capability to map the systems and vulnerabilities associated with each IBS and to develop testing methods based on “severe but plausible” scenarios. Supervisors expect a less theoretical approach to testing, with scenarios covering events such as data integrity being compromised and disruptions resulting from CTP failures.
Supervisors will also look for evidence that firms are investing in their resilience and embedding it into their routine activities. In this context, firms should explore how they can leverage the alignment of capabilities between operational resilience, TP risk management, and financial resilience functions. Finally, UK regulators are expected to consult on targeted initiatives in 2023, such as an operational incident reporting framework, which will put further pressure on firms’ compliance responsibilities.
The clock is also now ticking down on the 24-month implementation period for the EU’s DORA Regulation, and work will need to begin in 2023 to meet the January 2025 compliance deadline. While the DORA’s ICT risk management requirements are similar to existing European Supervisory Authorities guidelines and will allow firms to leverage their previous work, some of the DORA’s requirements are more prescriptive. For example, firms need to articulate tolerances for disruption linked to their critical or important functions (CIFs) and to carry out concentration risk assessments of their TP exposures.
The DORA’s incident reporting and cyber threat notification rules could become significant compliance challenges, and therefore the technical details from the regulatory technical standards (RTS) that are due to be consulted on in H2 of 2023 will be important. Firms should equally pay close attention to the resilience testing RTSs, particularly if they do not currently carry out a threat-led penetration testing programme but are at risk of being considered sufficiently significant under the forthcoming technical standards and thereby being scoped into the “advanced testing” requirement.
Running in parallel to the DORA implementation, EU supervisors, such as the European Central Bank, will continue to expand their capabilities in cyber and IT risk and carry out further targeted investigations into firms’ cyber resilience in 2023. For domestically significant or larger firms, these may be substantial exercises that require an organisation-wide response. The regulatory expectation of close involvement by senior management and the Board will put even greater pressure on firms to build knowledge of cyber, IT risk, and operational resilience issues among senior leadership.
Regulators in 2023 will increasingly look at the sectoral resilience of financial services (FS) more broadly, particularly in relation to CTPs.
The DORA’s CTP regime introduces the world’s first oversight framework for CTPs. UK regulators have also followed suit with a discussion paper in July 2022 and a subsequent consultation paper is due in 2023. Key issues for the UK this year will be around setting a standard for the resilience of CTPs and the possibilities for promoting international alignment. Some cross-jurisdictional differences are already visible, with the UK focusing on the oversight of significant services only and the EU opting for a broader definition.
Firms should consider which of their providers may be designated as CTPs and identify concentration risks that may attract further supervisory scrutiny. The development of CTP oversight frameworks will not replace firms’ responsibility to conduct TP risk management or to manage the operational resilience vulnerabilities associated with TP exposures, which is emerging as the most challenging area in building operational resilience. To meet supervisory expectations, firms must develop exit strategies and business continuity plans for their TP exposures, including substitute delivery methods and systems where needed.
Regulators will also make progress on related initiatives that target the cyber resilience of the technology ecosystem in which FS firms operate. The EU’s recently proposed Cyber Resilience Act (CRA) may be agreed by the end of 2023. The CRA is expected to include the FS sector in its scope, compelling firms to provide more information and to comply with a set of standards on the cybersecurity of the digital products they develop in-house.