FCA technology and cyber resilience request - five considerations for your response
08 March 2017
By Simon Chard
Last week a number of our clients received a letter from the Financial Conduct Authority (FCA) asking them to respond to a Technology and Cyber Resilience Information Request. This request seeks to gain insight into the cyber and technology resilience maturity of the FCA’s priority organisations across the financial services industry. The regulator also hopes the questionnaire will help to further persuade boards to take responsibility for managing technology resilience and cyber risks.
Following high profile failures across the financial services sector, and various studies to understand systemic risks, global regulators are increasingly focused on technology risk. As a result, there have been rapid developments in the areas of operational resilience, particularly in relation to IT resilience.
What is IT resilience?
‘Resilience’ may mean different things for different organisations or even to different functions within the same organisation. Traditionally, resilience has meant the ability to recover from an incident in the shortest time possible (e.g. business continuity and disaster recovery). Regulatory expectations now require a more proactive, end-to-end risk management capability to prevent or reduce the impact on clients and the market following failure.
Ensuring technology resilience is fit for the future, whatever it brings, is the critical challenge banks are facing today. The rate of technological change, increasing digital expectations and regulatory demands all complicate the response to this challenge. On top of this, technology resilience is now a conduct issue.
Five considerations for your response:
In this latest request for information, the FCA have not only set out the areas they expect to be considered within technology and cyber resilience but also, by asking firms to qualify their responses and by providing clear definitions across the four levels of maturity, given the clearest indication yet of what they expect FS organisations to be able to demonstrate.
- Review and accountability - plan your review process and provide time for independent review and sign off by key management and approved persons.
- Business as usual - demonstrate that ongoing senior-level engagement and challenge on resilience is part of your culture and not a one-off exercise.
- The 360-degree view - ensure this is not just a technology story. Include viewpoints from business management, risk management and internal audit.
- Conduct first - remember this is a response to the conduct regulator. Demonstrate how your prioritisations and risk decisions have customer outcomes and market integrity at their heart.
- Evidence base - ensure you catalogue your evidence and key contacts to support your response and any subsequent review process by the regulator.