Disruption - the new reality
28 November 2018
In a speech introducing the results of the FCA’s cross-sector survey of technology and cyber resilience, Megan Butler, Executive Director of Supervision, delivered a stark message: firms must be braced for more IT and cyber incidents and do more to address the threats adequately.
The survey presents a number of interesting findings that suggest some firms have misplaced confidence when it comes to their ability to deal with disruption. This could be the result of inaccurate data or a lack of full appreciation of the risks. It is no coincidence that the survey shows that those sectors which have experienced the most high-profile incidents in the past display the greatest level of operational resilience maturity. Past events help concentrate the mind, and one of the challenges for the FCA and the PRA is to achieve this level of focus across the whole sector before something goes wrong.
And, as emphasised by Butler in her speech, there are many opportunities for things to go wrong. Consider the pace of innovation and the growing interconnectedness of the financial ecosystem, together with the increased appetite and opportunity for both state-sponsored and rogue attacks, and it is easy to feel overwhelmed by the challenges firms face. How do you effectively oversee your third party dependencies and understand what dependencies they have? How do you make sure your board has the right information upon which to make strategic and investment decisions? How do you manage the growing concentration risk posed by some of the “utility” providers such as AWS and Google? How do you make sure your IT function speaks the same language as the rest of your business? The list is endless.
Regulators are painfully aware of these challenges and are responding robustly. The Financial Policy Committee’s announcement of a pilot stress test and the joint regulator discussion paper on operational resilience, both published over the summer, clearly support the assertion that for regulators, operational resilience is as important as financial resilience.
The fact that operational resilience is high up on policy makers’ agendas was again underlined by the announcement last Friday that the Treasury Select Committee has launched an inquiry into the operational resilience of the financial sector.
But while the FCA is in no doubt that the growing threats will lead to more enforcement actions, it doesn’t have an appetite for zero failure. The regulatory response foresees that incidents will happen, and its focus is as much on how firms respond to and learn from these incidents as it is on prevention.
While cyber threats may manifest themselves in a firm’s technology, the solutions largely lie with a firm’s people and culture. Having strong leadership with a deep understanding of the culture and incentives that exist in an organisation, promoting transparency, and demonstrating humility and a willingness to learn from previous incidents are all needed to counter the growing risks.
When thinking about operational resilience, the letter “C” seems to have a disproportionate role to play. It signals some of the key threats to resilience such as cyber, climate change, change programmes and concentration risk - but it also offers some of the most effective solutions: culture, collaboration and communication. Firms need to break down silos in their own organisations and the sector as a whole needs to find ways of collaborating where appropriate. Above all, the sector and its regulators need to work together to improve dialogue, transparency and testing. If the sector can achieve this, it will find that it is greater than the sum of its parts and will prove itself a force to be reckoned with.