Bank of England to push for enhanced operational resilience to cyber incidents at banks

The Bank of England is setting the ground for new requirements concerning firms’ resilience to cyber incidents. This becomes clear from a speech given by Lyndon Nelson, Deputy CEO of the Bank of England’s Prudential Regulation Authority (PRA).

He concedes that there has been an increase in the number of operational incidents – be they caused by internal failures or from external attack. In terms of operational outages the financial sector in the UK has had RBS in 2012 which suffered a major outage in its Irish operations and more recently, of course, TSB. In between, there have been many short-term outages.

Given the circumstances, Lyndon Nelson underlined how important it is that regulators set out their expectations of firms in respect of their operational resilience. The Financial Policy Committee, for example, has been considering its tolerance for disruption to the key economic functions that the finance sector performs, he said. As part of this work, it is likely that the FPC will set a minimum level of service provision it expects for the delivery of key economic functions in the event of a severe but plausible operational disruption. The outlining of supervisory expectations may then be used as an input to guide firms’ actions in managing their own operational resilience.

Lyndon Nelson said he expects that these tolerances will use a combination of time, volume, market share and measures of interconnectedness.

“We have also been developing a suite of supervisory tools that can be used to assess firms’ resilience against our expectations and also inform the supervisory priorities we agree with firms”. Lyndon Nelson says.

He said the Bank was also trialling some other diagnostic tools.

Mr Nelson said the work will start with a Discussion Paper – joint with the Financial Conduct Authority. Although he would not elaborate on the details of the paper, he gave his perspective on these expectations.

“I would like our firms to be on a WAR footing: withstand; absorb; recover”, says Lyndon Nelson.

Firms will be expected to set their own tolerances for key business services. These tolerances will have to be in the form of clear metrics indicating when a disruption would represent a threat to a firm, to consumers or to financial stability. The Bank expects firms to test their tolerances and demonstrate to their supervisors that they have concrete measures in place to deliver resilient services.

In addition, firms will need to clearly define and regularly test their approaches to incident management. These should also include good communication plans both internally and externally.

And firms need to be able to recover from an operational incident. This requires viable, tested contingency plans for the resumption of critical functions.

Lyndon Nelson also made some remarks on the response to cyber incidents. The UK authorities have a response protocol called the Authorities Response Framework (ARF). It consists of the Treasury, FCA and the Bank. In cases of cyber events the National Cyber Security Centre is also a member. Any member can trigger the ARF and it has three response levels: monitor, engage and manage. A few years ago the ARF was rarely triggered, Nelson said, but more recently this has been increasing. This is partially due to the lowered barrier for triggering the mechanism but also because of the greater frequency of events.