Banking on resilience: Bank of England proposes new rules for financial sector cyber resilience | NCC Group

In April this year, the Bank of England (the Bank) published a series of proposals on outsourcing and third-party risk management for financial market infrastructure firms (FMIs).

It follows the publication of the Bank’s operational resilience policy last year, “designed to improve the operational resilience of FMIs and protect the entire financial sector”. The Bank, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have all stated that a major priority is a strong regulatory framework to “promote operational resilience” among FMIs.

Overall, this demonstrates the Bank’s continued commitment to building the operational resilience of financial service providers, given the increased reliance on third-party technology and software.

The Bank concludes in its proposals that this reliance, particularly on cloud services, broadens and concentrates the risk landscape and requires a clear regulatory response.

The proposals therefore aim to:

  • Facilitate greater resilience and the adoption of new technologies, as outlined in the Bank’s report on the future of finance
  • Define expectations and requirements for outsourcing and third-party risk management in FMIs
  • Sit alongside the Bank’s Supervisory Statement (SS2/21) on FMI operational resilience

Under the proposed new rules, firms – central counterparties (CCPs), central securities depositories (CSDs), recognised payment system operators (RPSOs) and specified service providers (SSPs) – would be required to develop, maintain and test business continuity plans and exit strategies for important business services provided or supported by third parties. The proposed guidance includes active consideration of measures that can ensure continuity of service after an interruption or a severe stress event, including the failure of the third party itself.

Of particular note in the proposals is the emphasis the Bank places on contractual and escrow arrangements between the firm and its third-party providers. Software escrow agreements are among the most effective, proportionate and cost-effective measures for managing third-party technology risk with cloud, software and technology providers: the source code, build materials and related data needed to keep a service running are deposited with an independent escrow agent and released to the firm on agreed trigger events, such as the provider’s insolvency or failure to support the product. By providing a minimum level of resilience through both legal (defined release conditions) and technical (verified, usable deposits) means, such an agreement supports business continuity while the service is restored or an alternative is put in place.

Leading NCC Group’s response to the Bank’s proposals, Wayne Scott, Head of Regulatory Compliance Solutions at NCC Group, shared:

“The Bank of England is to be applauded for its continued leadership in setting high outsourcing standards for the financial services industry. As it finalizes its prudential pronouncements and takes further steps to strengthen the resilience of institutions, in the context of a rapidly changing risk landscape, it needs to focus on three areas.

“The first is to ensure that clear ‘resilience by design’ measures are built into and encouraged in its guidelines. Cyber-resilience, to the extent possible, must be integrated into the services, software and technologies in question, in order to minimize and manage risks as well as possible. The Bank can play a crucial role in promoting this approach within the industry and help promote the virtues of software escrow to other UK regulators who are currently reviewing their operational resilience regulations.

“Any guidance on outsourcing and third-party risk management should also uphold the power of information sharing. Greater information sharing could improve a shared and contextualized understanding of concentration risk. This is essential, given that the threats that all organizations face – not just financial ones – continually evolve in complexity, volume, source and severity.

“Finally, the Bank must consider its position on the world stage. There is a global movement towards true operational resilience – take the example of Singapore’s Parliament granting new powers to help its Monetary Authority enforce risk management earlier this year. The Bank helps set standards internationally and has an important role to play in developing and promoting consistent best practices within operational resilience guidelines, globally.
