Resilience is a buzzword on the up. According to Google Trends its popularity as a search term in the UK has steadily climbed since 2015 as the concept of resilience—the ability to recover and adapt in the face of adverse conditions—has taken root in our collective lexicon.
Resilience is proving a particularly tenacious concept in the area of financial services, where firms are increasingly expected to optimise their resilience in the face of operational threats. This is especially true in the digital space, where cyber attacks can pose a real threat to financial stability. It is to this end that the UK regulators have consulted on a new framework for operational resilience, PRA and FCA final rules on which are expected in Q1 2021. These would see firms setting impact tolerances (and remaining within them), and carrying out scenario stress testing, among other practical steps.
European Commission proposal on digital operational resilience
This concept of operational resilience has also picked up speed at an international level. In August 2020 the Basel Committee on Banking Supervision launched a consultation which seeks to promote a principles-based approach to improving operational resilience, taking account of lessons learnt from the pandemic. More recently, on 24 September 2020 the European Commission adopted a long-awaited legislative proposal for a regulation on digital operational resilience for the financial sector.
This proposal, which forms part of the Commission's digital finance package, will put in place a number of measures to ensure that financial firms can withstand all types of Information Communication Technologies (ICT)-related disruptions and threats. Such measures cover governance-related and ICT risk management requirements, reporting of major ICT-related incidents, digital operational resilience testing, management by financial entities of ICT third-party risk, oversight of critical ICT third-party service providers, as well as information sharing among financial entities.
In this way, the Commission's proposal is designed to consolidate and upgrade ICT risk requirements throughout the financial sector, which historically have developed in a piecemeal fashion. It covers a broad range of financial firms, from credit institutions and investment funds to trading venues and crypto-asset service providers. Crucially, it also brings within scope critical third-party service providers, which the Commission sees as introducing legal and compliance risks, as well as concentration risk. These third-party providers, which will include the increasingly ubiquitous cloud computing service providers, would for the first time be subject to continuous monitoring under a newly-established oversight framework.
Looking to the future, the European Parliament and the Council of the EU will now consider the legislative proposal. While the UK (having left the EU) will not be required to implement any resultant legislation, that legislation will no doubt inform efforts to bolster operational resilience among the UK and other neighbours of the EU, particularly as many international financial firms will need to satisfy both regimes.