While cyber risk has taken much of the attention in the news, the UK government and regulators have been increasing their focus more generally on operational resilience and its impact on the economy.
The government monitors critical national infrastructure (CNI) closely, and both finance and telecommunications are regarded as CNI. The Cabinet Office publishes a public summary of Sector Security and Resilience Plans annually. The report notes that overall the finance sector has made good progress in improving resilience to threats, and indicated that future resilience exercises will be necessary, particularly in financial services:
"Over the next year, the Financial Authorities will deliver a comprehensive work programme to improve the resilience of the finance sector. We will ensure that we have the tools to deliver improved resilience, including drawing on the expertise of the National Cyber Security Centre and the Centre for the Protection of National Infrastructure. We will help the sector improve their operational resilience, including through exercises involving industry. We will also continue to improve our collective incident response capability and work closely with our international partners to develop our understanding of evolving threats to the global
Source: Cabinet Office sector security and resilience plans (page 16)
As well as the recent focus on outsourcing, in particular the European Banking Association's (EBA's) final guidance on outsourcing agreements, there is a wider focus on the concepts of business continuity and operational resilience. The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) accelerated the discussion more formally with their joint discussion paper (July 2018), "Building the UK Financial Sector's Operational Resilience".
This paper identified a concept of operational resilience to bring this to the attention of boards and senior executives in regulated firms. The paper concludes that vital elements of key business services are being delivered in the financial services sector by companies operating outside the regulatory perimeter, often concentrated among a few major providers. Increasingly this concentration risk includes the use of key cloud providers, including Amazon Web Services and Microsoft Azure amongst others. The report was followed by a paper from UK Finance and EY "operational risk in financial services" and a second report from the CityUK and PWC "operational resilience in Financial Services – time to act", which this note looks at in more detail.
Both reports require a business to address its operational risk within the context of more developed security frameworks. Whilst these are in large part driven by cyber security, the concern over a national over-dependency on a small number of viable vendors is common to both.
In the telecommunications sector, a recent report (July 2019) by the Department for Digital, Culture, Media and Sport (DCMS), the UK telecoms supply chain review report (CP158), addresses similar issues around concentration risk. In the telecommunications sector's case, concentration risk in the UK is principally focused on a handful of key vendors, particularly Ericsson, Huawei and Nokia, who supply the main UK mobile operators. The US government's restrictions on Huawei as a supplier of communications equipment, driven by fears over technology risk, have been widely documented. In financial services, the debate has continued with a joint report from TheCityUK and PwC, "Operational resilience in financial services: time to act". This report draws on similar themes in a wider discussion on operational resilience.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.