Building resilience in the wake of the FCA’s new operational requirements

Amanda Finch, CEO

On 31st March, the Financial Conduct Authority’s (FCA) operational resilience requirements come fully into effect, broadly aligning the UK with the EU’s DORA regulation. The rules are intended to ensure that financial firms can prevent, adapt and respond to, and recover and learn from operational disruptions, including outages and cyber attacks.

The FCA has bared its teeth in such matters before, issuing hefty fines over the last few years for resilience failures. In 2022, TSB Bank was fined almost £50 million for technical failures that caused customers to lose access to banking services. Similar penalties could follow non-compliance with these latest rules. In the longer term, falling short of compliance also puts a target on your back: organisations that breach the rules can expect further regulatory scrutiny.

The deadline is also particularly timely given recent service outages in the finance sector. Barclays and Lloyds have both suffered major outages in recent weeks, and a Treasury Committee report found that major banks suffered a total of 33 days’ worth of outages in the last two years alone. These outages have a huge impact on the lives of everyday citizens, preventing many from being paid or from using their cards.

Under the new FCA rules, financial services firms including banks, insurance companies and payment providers will need to set and remain within impact tolerances for disruption to their important business services, test their systems against those tolerances regularly, self-assess their resilience and manage third-party risk.

Security professionals in financial services, and those at third-party suppliers, will be at the forefront of these changes. Those in companies that supply banks can expect more questions about their own resilience, whilst those in financial firms will need to define tolerances and evaluate whether they can be met.

In an ideal world, the tolerance for disruption would be zero. But that is not a realistic goal. Today’s cybersecurity professionals are up against more technology, more complexity, more data and more customers than ever before. Operational resilience has never been harder to achieve, and new regulations can feel like another addition to an already overloaded plate. There are, however, some steps that can help security professionals in the finance sector, or those supplying it, to reduce the burden of the FCA’s new requirements.

They need to know their environments, blending technical skills and communication to build a thorough understanding of all the elements that make up their networks and services. This includes asking questions of third-party suppliers, so that the complete picture is visible. Only then can accurate risk assessments be made and benchmarks set against thresholds and tolerances.

They also need to be realistic. There is no way to protect against every eventuality, and nor do regulators expect flawless resilience. But impact tolerances must be met, and where they are not, security professionals need to establish their current level of risk through testing and adjust their security and resilience strategies accordingly.

They need to ensure the right tools and processes are in place to limit disruption. Recovery is just as important as detection. If a company takes a long time to react to an incident, the impact will be greater. Having the skills and tools to get the lights back on as quickly as possible after a cyber attack or outage will be crucial to restricting damage and avoiding the wrath of regulators.

They need to communicate risks and impacts clearly. This is perhaps the most crucial element, as boards and regulators alike will expect to be informed about risk postures and incidents in language they understand, rather than being bogged down in cybersecurity jargon.

Ultimately, compliance is about presenting a clear, evidence-based picture of a firm’s resilience. Doing so effectively requires both technical skills and softer ones such as communication and stakeholder management. Skills frameworks offer a clear pathway to developing this expertise continually, helping cybersecurity professionals to ride out the regulatory storm.
