Are you ready for (Digital) Operational Resilience?
The adverse consequences of business disruptions, whether caused by the acts of malicious actors, issues at third-party service providers or internal change initiatives, have been well publicised in recent months across all sectors.
Operational resilience refers to an organisation’s capability to withstand, adapt to, and recover from such unexpected disruptions. A key priority for supervisory authorities, especially in financial services, has been to put in place a stronger regulatory framework to promote the operational resilience of firms and market infrastructures. Various converging initiatives are underway across jurisdictions at an international level.
Given the imminent deadlines, financial services firms in the UK and Europe should be ready or in the final stages of their preparations for achieving operational resilience.
In the UK, the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and the Bank of England have adopted a joint approach to Operational Resilience and published policy statements in March 2021. Financial services firms have until 31 March 2025 to demonstrate that they can maintain their important business services within impact tolerances in the event of severe disruption.
Important business services are those services a firm provides which, if disrupted, could:
- pose a risk to a firm’s safety and soundness or to the financial stability of the UK (PRA objective)
- potentially cause intolerable harm to the consumers of the firm’s services or pose a risk to market integrity, i.e. the soundness, stability or resilience of the UK financial system (FCA objective)
An impact tolerance is the maximum tolerable level of disruption to an important business service assuming that disruption to the supporting systems and processes will occur.
Other sectors, such as Telecoms, have comparable initiatives. (For more details, you may refer to our article on the Telecommunications Security Act at https://xcinaconsulting.com/whitepapers/telecommunications-security-act/)
A reminder of the UK financial services requirements
The operational resilience rules came into force on 31 March 2022, by which time firms were expected to:
- Identify their important business services
- Set impact tolerances for each important business service
- Identify and map the resources supporting the important business services
- Conduct scenario testing to assess the ability to remain within impact tolerances
- Develop internal and external communications plans
- Maintain a self-assessment document detailing the firm’s Operational Resilience journey
- Make Operational Resilience a priority at Board and Executive levels, with a clear Governance framework
After 31 March 2022, firms need to review their important business services at least annually or whenever there is a material change.
No later than 31 March 2025, firms must be capable of maintaining all important business services within their respective impact tolerances in severe but plausible scenarios. Firms must have made any necessary investments and remediation to enable them to operate consistently within their impact tolerances.
After 31 March 2025, maintaining operational resilience will be a dynamic activity. Firms should then have effective strategies, processes and systems in place to manage operational resilience.
(For more details, you may refer to our Operational Resilience and Third-Party Risk Management article series at https://xcinaconsulting.com/whitepapers/operational-resilience-third-party-risk-management/)
Critical Third Parties
On 12 November 2024, the UK regulators published the Critical Third Parties (CTP) regime, which focuses on providers whose service disruptions could threaten UK financial stability. The CTP regime can be viewed as an extension of the existing UK Operational Resilience Regime, with similar requirements being applied to entities in scope. His Majesty’s Treasury (HMT) can designate a third party as critical, following established criteria, on the recommendation of the regulators.
Critical third parties are likely to include service providers with a significant or systemic footprint in supporting financial services firms’ important business services. They are unlikely to include financial services firms which are already covered by existing operational resilience requirements. The regulators are expected to recommend the first candidates for CTP designation to HMT in early 2025. CTPs must submit an interim self-assessment against the regime’s resilience requirements within 3 months of being designated, and a full self-assessment every 12 months.
EU requirements – the Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025 to firms providing financial services in the EU.
DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The requirements are contained in the DORA regulation and supporting technical standards. DORA requirements are fairly detailed and prescriptive, and can be themed across the following 6 pillars:
- ICT risk management – Implement a more robust and comprehensive ICT Risk Management framework, to support firms to mitigate their exposure to ICT failure.
- ICT incident reporting – Adopt standardised processes to classify, communicate (to regulators and clients) and report ICT incidents as part of a holistic incident management capability.
- ICT third-party risk management – Recontract for third-party ICT services, introducing clauses for stronger monitoring and oversight, and Service Level Agreements to better manage third-party risk.
- Digital operational resilience testing – Implement and operate a comprehensive suite of tests, to continually ratify the digital resilience footing of the organisation.
- Information sharing – Exchange cyber threat information and intelligence with peers to improve readiness and response capability.
- Oversight framework for critical ICT third-party providers
For more details, you may refer to https://xcinaconsulting.com/news/are-you-ready-for-dora/
Focusing on Testing
As both the UK Operational Resilience and DORA deadlines are looming, a key focus of many firms recently has been on Scenario Testing or Digital Operational Resilience Testing. One of the challenges organisations are grappling with is the potential disconnect between the technical testing programme and fully satisfying the regulatory requirements.
Under UK Operational Resilience requirements, Scenario Testing aims to test the firm’s ability to remain within impact tolerances in a range of severe but plausible disruption scenarios, focusing on recovery and response arrangements (rather than preventative measures). This should enable firms to obtain assurance on the resilience of their important business services and identify where they might need to act to increase their operational resilience. Types of testing may notably include paper-based or desktop assessments, internal or external simulations, live-systems testing, penetration testing, Red Teaming, third-party assessments and technical tests.
Firms are expected to develop the sophistication of their scenario testing over time as they build operational resilience for each important business service, testing against progressively more severe but plausible scenarios, proportionate to the firm and to the degree of operational resilience each important business service has.
For more details about scenario testing, you may refer to https://xcinaconsulting.com/whitepapers/operational-resilience-scenario-testing/
DORA requires in-scope firms to establish, maintain and review a sound and comprehensive digital operational resilience testing programme as part of their ICT risk-management framework. The digital operational resilience testing programme must include a range of appropriate assessments, tests, methodologies, practices and tools, such as:
- vulnerability assessments and scans
- open source analyses
- network security assessments
- gap analyses
- physical security reviews
- questionnaires and scanning software solutions
- source code reviews where feasible
- scenario-based tests
- compatibility testing
- performance testing
- end-to-end testing
- penetration testing.
Additionally, certain categories of financial entities must carry out Threat Led Penetration Testing (TLPT) at least every 3 years. TLPT is a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, and delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. The entities in scope for TLPT include:
- globally systemically important credit institutions
- payment and electronic money institutions fulfilling certain criteria
- central securities depositories
- central counterparties
- trading venues with an electronic trading system meeting certain criteria
- insurance and reinsurance undertakings fulfilling certain criteria.