Businesses the PRA regulates should identify severe but plausible scenarios which could lead to disruption. Part of this activity involves reviewing previous incidents and near misses within the regulated entity itself or its broader group, and those known to have taken place across the financial sector “and in other sectors and jurisdictions”.
The PRA expects regulated businesses to plan for cyber incidents that could occur regardless of whether data is in transit, in memory or at rest. Strategies therefore need to account for the role third-party suppliers could play in an incident.
Where significant incidents occur and the cause is a material supplier, the regulated entity is expected to retain the right to terminate the arrangement in certain circumstances. Those circumstances include where a sub-contractor causes “extensive and unmanageable operational disruption” or where the supplier fails to deliver appropriate remediation following an incident.
The FCA’s broad rules
Many of the FCA’s requirements for incident response parallel those of the PRA and the two regulators have indicated that work undertaken to comply with the requirements of one regulator may often be leveraged to comply with those of the other. The FCA’s reporting rules, however, are broad and may cover incidents that are different from those addressed by other regulatory regimes.
According to the FCA, regulated entities are expected to report “material operational incidents”. An incident may be material if it results in a significant loss of data, the unavailability or loss of control of IT systems, affects a large number of customers, or results in unauthorised access to IT systems.
Its new operational resilience rules, which take effect in March 2022, require regulated entities to focus on the effectiveness of their communication strategies in the event of operational disruption. As part of those strategies, regulated entities are expected to consider how to provide “warnings or advice quickly to clients”, use effective communication methods to gather information about the cause, extent, and impact of operational incidents, and ensure that their choice of communication method takes account of the circumstances, needs and vulnerabilities of their clients.
US regulatory response
The US federal bank regulatory agencies are currently consulting on updated guidance for risk management in the context of third-party relationships. The draft guidance that has been prepared details some of the steps to be taken in response to an incident.