
It's the final countdown to operational resilience (or is it?)

  • United Kingdom
  • Financial services and markets regulation
  • Financial services disputes and investigations
  • Outsourcing and offshoring
  • Privacy, data protection and cybersecurity
  • Financial services

31-03-2022

As we reach the first operational resilience deadline set by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) of 31 March 2022, many regulated firms are likely to be in a position where they have identified their important business services, set their impact tolerances, and conducted mapping and scenario testing to the requisite level of sophistication.  From this perspective, they may consider that the job is done.

However, firms would be wise not to rest on their laurels.  If COVID-19 was the first real test of operational resilience, the recent invasion of Ukraine by Russia looks set to be the next.  Whilst the National Cyber Security Centre (NCSC) has recently stated that it is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been a historical pattern of cyber-attacks against Ukraine with international consequences.  Further, in the heightened cyber warfare environment in which we currently find ourselves, there is a very serious risk of Russian-based criminal attacks on financial markets.  Cognisant of this, the FCA recently posted guidance on operational resilience in the context of Russia’s war against Ukraine.

Front and centre of this was the need for firms to consider their ability, and that of third-party providers, to withstand a cyber-attack.  The FCA cautioned firms that: “You should take all appropriate steps to shore up your controls, including raising staff awareness: that may, for example, include re-running staff ethical phishing campaigns. Consider if your staffing levels are appropriate to deal with an elevated cyber risk.”

A number of points arise from this warning:

  1. that the greatest cyber vulnerabilities often arise by virtue of outsourcing
  2. that people can often be a chink in a firm’s armour against cyberattacks
  3. that people can also be a firm’s greatest defence, when they work together effectively to assess risk on a holistic basis

We explore each of these themes in more detail below.

Cybersecurity risk in the context of outsourced arrangements

Some of the biggest operational incidents experienced in recent times have occurred via outsourced arrangements, where sensitive information has been compromised by the attacker gaining access through a third party service provider.  In this regard, it is worth noting that intragroup arrangements are equally as significant as external outsourced arrangements and require similar consideration when assessing the risks described in the note.

One of the reasons for this heightened risk exposure is the technological complexity associated with outsourced arrangements.  Each service provider will have its own IT infrastructure and associated cyber controls (patching processes, access controls, anti-virus software, firewall rules etc).  Understanding and evaluating third party systems and controls on a real-time basis can be a challenging exercise, particularly in circumstances where: 1) outsourced arrangements involve sub-outsourcing to fourth or fifth party providers; and/or 2) there is a power imbalance between large unregulated third party service providers and the regulated firm(s) that they service.

We recently submitted a ‘Right to Know request’ to the FCA under the Freedom of Information Act 2000 (FOIA).  This revealed that:

  • 815 operational incidents were reported to the FCA during 2021.  Of these, 137 incidents related to outsourced services
  • in the period to 15 February 2022, 66 operational incidents were reported to the FCA.  Of these, 10 incidents were linked to a third party failure

Whilst we cannot extrapolate from the data that such incidents were all cyber-related, the fact that 16% of incidents in 2021, and 12% of incidents so far in 2022, related to third party failures evidences that this remains a key risk area for firms to manage.

Cyber-attacks and ransomware

As noted above, in its guidance the FCA was keen to stress the importance of staff awareness, specifically suggesting that firms re-run ethical phishing campaigns.  This is unsurprising given that our FOIA request revealed that:

  • of the 815 incidents reported to the FCA in 2021, 76 were identified as cyber-attacks and 25 of those related to ransomware
  • of the 66 incidents reported to the FCA to 15 February 2022, two incidents were recorded as relating to a cyber-attack, of which one related to ransomware

This means that a third of cyber-attacks in 2021 and a half of cyber-attacks so far in 2022 have involved ransomware.  One of the most common ways in which ransomware is deployed is through phishing emails, in which a cyber criminal sends malware or malicious links in a message that, when clicked on, installs the ransomware.  Once the ransomware is deployed, the attacker can prevent the firm from accessing its systems and/or data until a ransom is paid.  This presents the firm with an array of issues, from business continuity challenges to financial crime concerns, including money laundering and sanctions.  We recently published a short article discussing criminal law considerations for ransomware attacks from a UK and US perspective.

Phishing attacks had already increased during the pandemic, with bad actors seeking to take advantage of the near wholesale shift to home working.  It is likely that this pattern will continue, as we settle into hybrid working routines but now with the increased risk of politically motivated attacks.  Whilst there is little that firms can do to influence the threat level resulting from geopolitical tensions, firms can reduce their vulnerability to a ransomware attack.  The easiest way to do this is to ensure that staff are trained in how to spot phishing emails and report these, and that the firm has a process in place to deal with any reported phishing emails. 

Resourcing in the context of an elevated cyber-risk

In its recently issued guidance, the FCA advised that firms should consider if their staffing levels are appropriate to deal with an elevated cyber risk.  However, this is not simply a case of ensuring that the IT team is adequately resourced.  Cyber is a business-wide risk and must be managed accordingly.

One of the pitfalls when it comes to larger organisations, in particular, is that the default is to operate in siloes.  This hinders efforts to undertake a holistic assessment of cyber risk.  What we are seeing in practice is that, whilst most firms have put impressive self-assessment documents in place, setting out their identified business services and impact tolerances, execution is proving more problematic.  This is because of an inability to join the dots between various disparate parts of the organisation, which do not communicate effectively with each other on matters relating to operational resilience.

Cyber risk needs to be managed from the top down, starting with the Board of Directors.  All Board members (and not just the Chief Information Security Officer) need to be cyber literate, understand the cyber risks that the firm is exposed to and monitor the performance of controls that are in place to mitigate this risk. The self-assessment document required under the operational resilience requirements goes some way towards this.

However, it does not stop there.  Responsibility for cyber risk needs to cascade downwards and Heads of Business (i.e. those on the front line of important business services) need to ensure that they have a sufficiently full understanding of each of the elements that go into that service, comprising: people, processes, information and technology.  Only once they have this, will they be able to assess whether their teams are adequately resourced.

At the very bottom level, each employee needs to understand the cyber risks attached to their role and their responsibility for managing cyber risk.  As the old adage goes, you’re only as strong as your weakest link.

Finally, it is worth bearing in mind that, for regulated firms, it is par for the course to undertake accountability reviews where significant incidents occur.  In doing so, it may be necessary to evaluate minor incidents that were a precursor to the major incident, and the steps taken in response.  Firms should therefore ensure that they aggregate lessons learned from micro-incidents in order to understand their overall risk profile and implement any mitigating controls, as appropriate, including increases to headcount where necessary.