Why technology currency is a vital component of an operational resilience programme
17 June 2019
Recent prominent and sustained operational incidents have placed operational resilience high on the boardroom agenda for Financial Services firms, with regulators continuing to enhance their expectations on resilience capabilities. A number of high profile operational incidents have been caused by technology currency issues. Technology currency is the ongoing process of understanding how current an item of hardware or software is, compared to the latest available version. Managing technology currency is a vital part of operational resilience as organisations attempt to balance the cost associated with maintaining technology currency versus the risk posed.
What is the risk organisations face?
Currency issues have caused or contributed to a number of publicly reported incidents. The infamous WannaCry and NotPetya ransomware attacks exploited a vulnerability for which Microsoft had previously released security updates. However, as unsupported systems may not receive updates until much later (if at all), the ransomware critically impacted unsupported systems and systems that companies had not patched. Impacted organisations estimated that the NotPetya ransomware cost them in excess of $100 million.
The U.S. Department of Homeland Security (‘the Department’) and security researchers have shown that Advanced Persistent Threats (APT) favour attacking technology that is unsupported. In an alert (TA16-250A), the Department stated that network devices are a hacker’s ‘attack-vector of choice’ and tend to receive less attention from a vulnerability management programme. In 2018, a Russian retail bank lost almost $1,000,000 after hackers exploited a Cisco 800 Series Router that had been unsupported since 2016.
What do we hear from the regulator?
The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and the Bank of England continue to focus on operational resilience following the publication of a joint discussion paper entitled ‘Building the UK Financial Sector’s Operational Resilience’ in July 2018.
Managing technology currency should be a fundamental part of an organisation’s operational resilience regime. Indeed, the FCA has directly commented in its 2019/2020 Business Plan on the potential for an operational incident caused by ‘complex and ageing IT systems’.
In the UK, the FCA fined a regulated firm £500,000 for failing to protect the personal information of up to 15 million people during a 2017 cyber attack after it failed to keep systems up-to-date in order to protect against vulnerabilities.
Views from the roundtables
We recently hosted two roundtable discussions, one in Edinburgh and one in London, with a number of retail banks. Based on these discussions and our experience working with leading financial services firms, we observed that maintaining technology currency is a challenge for our clients, specifically in the following areas:
1. Understanding the currency of the technology estate
To manage technology currency, firms should first understand what assets reside on their IT estate. The majority of firms present at our workshops use ServiceNow as their Configuration Management Database, with additional modules assisting with asset discovery and currency. However, firms (especially larger ones) find it difficult to fully roll out automated utilities to locate and report on assets given the complexity of legacy estates. Firms should be moving towards automation, as manual processes and attestation are inherently subject to errors.
2. Maintaining currency
Firms have a desire to operate on the latest hardware and software. However, the cost associated with doing so is often prohibitive, given the complexity of legacy estates and the extent of ‘technical debt’ many organisations have. This problem is often perpetuated because projects to upgrade are de-prioritised when considered against other regulatory and transformation priorities. Firms should have a programme in place to maintain and upgrade the technology estate. Funds should be ring-fenced for this purpose and firms should consider allocating a proportion of the estimated replacement cost, spread over each year of the estimated technology lifetime to fund future replacement costs.
3. Reporting and linkage to operational resilience
Operational resilience is a key priority for the respective regulators, and managing technology currency is a critical component of an operational resilience regime. Most organisations are still developing a view of end-to-end business services and the impact that currency risks may have on these processes. Completing this process and ensuring appropriate business understanding and ownership of currency risks is a fundamental component of an operational resilience programme, and should therefore be prioritised accordingly.
4. Oversight of third parties
With a growing reliance on third parties, companies need a robust mechanism from which they can obtain assurance over currency risk, and wider operational resilience, at third parties. This is a key focus for the regulator with the FCA commenting in its 2019/2020 Business Plan that ‘managing the third parties is clearly a firm’s responsibility; critical services may be outsourced but responsibility can not’. Obtaining this level of visibility and assurance is an industry-wide challenge, with few firms having this level of oversight over third parties and any fourth/fifth parties which may be involved (i.e. where third parties use outsourced services). Firms should be developing minimum third party standards, with detailed technology currency and wider operational resilience requirements. These requirements should be written into standard terms and conditions and firms should carry out independent assurance over critical suppliers, validating that the third party meets the required standard.
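The first three points above (knowing what is on the estate, ring-fencing replacement funds, and reporting currency risk per business service) can be turned into a repeatable check over a CMDB export. The following is an added illustration written for this article, not a ServiceNow module or any firm's tooling; the inventory, costs and dates are constructed, and the status thresholds and straight-line funding rule are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Asset:
    name: str
    service: str                    # business service that depends on it
    installed: str                  # version running in the estate
    latest: str                     # latest vendor release
    end_of_support: Optional[date]  # None = not recorded in the CMDB
    replacement_cost: float         # estimated cost to replace (GBP)
    lifetime_years: int             # expected technology lifetime

def currency_status(asset: Asset, today: date, warn_days: int = 365) -> str:
    """Classify one asset; a missing end-of-support date is itself a finding."""
    if asset.end_of_support is None:
        return "UNKNOWN"
    if asset.end_of_support <= today:
        return "UNSUPPORTED"
    if (asset.end_of_support - today).days <= warn_days:
        return "EXPIRING"
    return "CURRENT" if asset.installed == asset.latest else "BEHIND"

def annual_ring_fence(asset: Asset) -> float:
    """Assumed rule: spread replacement cost evenly over the asset lifetime."""
    return asset.replacement_cost / asset.lifetime_years

def currency_report(assets: List[Asset], today: date) -> Dict[str, object]:
    """Roll up statuses per business service plus the yearly funds to set aside."""
    by_service: Dict[str, Dict[str, List[str]]] = {}
    for a in assets:
        by_service.setdefault(a.service, {}).setdefault(
            currency_status(a, today), []).append(a.name)
    at_risk = [a for a in assets
               if currency_status(a, today) in ("UNSUPPORTED", "EXPIRING", "UNKNOWN")]
    return {"by_service": by_service,
            "ring_fence_total": sum(annual_ring_fence(a) for a in assets),
            "at_risk_ring_fence": sum(annual_ring_fence(a) for a in at_risk)}

# Constructed sample inventory (not real CMDB data); AS_OF is the article date.
INVENTORY = [
    Asset("branch-router-01", "Payments", "12.4", "15.9", date(2016, 11, 1), 5000, 5),
    Asset("payments-db", "Payments", "11.2", "12.1", date(2020, 3, 31), 120000, 6),
    Asset("core-ledger", "Payments", "11.2", "12.1", date(2023, 6, 30), 200000, 10),
    Asset("web-tier", "Online banking", "2.4.39", "2.4.39", date(2025, 1, 1), 30000, 5),
    Asset("legacy-batch", "Statements", "1.0", "3.2", None, 80000, 8),
]
AS_OF = date(2019, 6, 17)

if __name__ == "__main__":
    for service, statuses in currency_report(INVENTORY, AS_OF)["by_service"].items():
        print(service, statuses)
```

Grouping by business service rather than by device is what lets the output feed an operational resilience view: the owner of "Payments" sees an unsupported router and an expiring database together, with the yearly funding those at-risk items require.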
All of the organisations that attended our roundtables have differing IT estates and technologies. While the challenges and potentially significant impacts they face may be common, the specific technology currency risks and the required mitigations will be unique to the specific context of an organisation, its technology estate and the risk appetite of management. Therefore, to build operational resilience and ensure an informed decision is made in respect of currency risks, it is critical that business, technology and risk stakeholders work together to identify and understand the potential impact of currency risks on key business services.
To understand more on what firms and regulators can do to drive the operational resilience agenda you can read our joint report with TheCityUK, entitled Operational resilience in financial services: time to act.