FCA technology and cyber resilience request - five considerations for your response

08 March 2017

By Simon Chard 

Last week a number of our clients received a letter from the Financial Conduct Authority (FCA) asking them to respond to a Technology and Cyber Resilience Information Request. This request seeks to gain insight into the cyber and technology resilience maturity of the FCA’s priority organisations across the financial services industry. The regulator also hopes the questionnaire will help to further persuade boards to take responsibility for managing technology resilience and cyber risks.

Following high profile failures across the financial services sector, and various studies to understand systemic risks, global regulators are increasingly focused on technology risk. As a result, there have been rapid developments in the areas of operational resilience, particularly in relation to IT resilience.

What is IT resilience?

‘Resilience’ may mean different things for different organisations or even to different functions within the same organisation. Traditionally, resilience has meant the ability to recover from an incident in the shortest time possible (e.g. business continuity and disaster recovery). Regulatory expectations now require a more proactive, end-to-end risk management capability to prevent or reduce the impact on clients and the market following failure.

Ensuring technology resilience is fit for the future, whatever it brings, is the critical challenge banks are facing today. The rate of technological change, increasing digital expectations and regulatory demands all complicate the response to this challenge. On top of this, technology resilience is now a conduct issue.

Five considerations for your response:

In this latest request for information, the FCA have not only set out the areas they would expect to be considered within Technology and Cyber Resilience but, by qualifying the response and providing clear definitions across the four levels of maturity, they have provided the clearest indication yet of what they expect FS organisations to be able to demonstrate.

  • Review and accountability - plan your review process and provide time for independent review and sign off by key management and approved persons.
  • Business as usual - demonstrate that senior level ongoing engagement and challenge on resilience is part of your culture and not a one off exercise.
  • The 360 degree view - ensure this is not just a technology story. Include viewpoints from business management, risk management and internal audit.
  • Conduct first - remember this is a response to the conduct regulator. Demonstrate how your prioritisations and risk decisions have customer outcomes and market integrity at their heart.
  • Evidence base - ensure you catalogue your evidence and key contacts to support your response and any subsequent review process by the regulator.

  View Simon Chard's profile on LinkedIn   



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.