While cyber risk has taken much of the attention in the news, the UK government and regulators have been increasing their focus more generally on operational resilience and its impact on the economy.
The government monitors critical national infrastructure (CNI) closely, and both finance and telecommunications are regarded as CNI. The Cabinet Office publishes a public summary of Sector Security and Resilience Plans annually. The report notes that overall the finance sector has made good progress in improving resilience to threats, and indicates that future resilience exercises will be necessary, particularly in financial services:
Over the next year, the Financial Authorities will deliver a comprehensive work programme to improve the resilience of the finance sector. We will ensure that we have the tools to deliver improved resilience, including drawing on the expertise of the National Cyber Security Centre and the Centre for the Protection of National Infrastructure.
We will help the sector improve their operational resilience, including through exercises involving industry. We will also continue to improve our collective incident response capability and work closely with our international partners to develop our understanding of evolving threats to the global financial system.
Source: Cabinet Office sector security and resilience plans (page 16)
As well as the recent focus on outsourcing, in particular the European Banking Association's (EBA's) final guidance on outsourcing agreements, there is a wider focus on concepts of business continuity and operational resilience. The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) accelerated the discussion more formally with their discussion paper (July 2018) "Building the UK Financial Sector's Operational Resilience".
This paper identified a concept of operational resilience in order to bring it to the attention of boards and senior executives in regulated firms. The paper concludes that vital elements of key business services in the financial services sector are being delivered by companies operating outside the regulatory perimeter, often concentrated among a few major providers. Increasingly this concentration risk includes the use of key cloud providers, such as Amazon Web Services and Microsoft Azure. The report was followed by a paper from UK Finance and EY, "operational risk in financial services", and a second report...