The Bank of England (BofE), the UK’s Prudential Regulation Authority (PRA), and the UK’s Financial Conduct Authority (FCA) — together known as the financial supervisory authorities — have jointly published a discussion paper (PDF) on building operational resilience into the financial sector. While cyber is a major risk, the concept is to build resilience to all risks including cyber.
Regulated firms, financial market infrastructures (FMIs), consumers, industry bodies, auditors, specialist third-party providers, professional advisors and other regulators are invited to comment on the paper by 5 October 2018. The paper notes that there is currently no global framework for resilience, and says that the authorities “will share our insights with the global regulatory community.”
While the paper does not differentiate between the types of risk to continuity, it nevertheless reflects a great deal of current thinking about cyber risk. It suggests that relevant companies should plan on the assumption that disruption will occur, as well as seeking to prevent it. Current cyber advice is that companies should assume they either are currently breached or will be breached in the future.
Consequently, the key to resilience is for the board to define “the level of disruption that could be tolerated” (CISOs call this the ‘risk appetite’); and for the risk managers (CISOs for the cyber aspect) to put in place the means to confine any disruption within those bounds. This is the thinking behind cyber advice to concentrate on incident response.
The paper takes the view that concentrating on resilience is consistent with the Bank of England’s Financial Policy Committee’s (FPC) work on cyber risk. “The FPC identifies, monitors and takes action to remove or reduce systemic risks with a view to protecting and enhancing the resilience of the UK financial system. The FPC has been considering whether testing the financial system for disruption from cyber incidents is warranted for the purpose of enhancing and maintaining UK financial stability. While the FPC has been doing this in the context of cyber, the concepts are relevant to operational resilience regardless of the specific cause of disruption.”
Indeed, the recommended process for evaluating and reducing the risk to resilience is similar to the recommended process for evaluating and reducing cyber risk.
But where the paper digresses from current cyber thinking is the view “that managing operational resilience is most effectively addressed by focusing on business services, rather than on systems and processes.” It’s a question of emphasis, and is similar in concept to the ongoing difficulties between operational technology and information technology. OT frequently prioritizes continuity over data protection. While few cyber experts believe that security can be obtained by technology alone, even fewer believe it can be obtained without it.
In the financial sector it is feasible that risk management might conclude that maintaining legacy systems is more important to operational continuity than the cyber risk to those same legacy systems; or that the introduction of new cyber security technologies might be operationally disruptive. Neil Costigan, CEO at BehavioSec, sees a danger here. “This is less about appropriate technology than practices and thinking,” he told SecurityWeek. “It does, I guess, offer solid support for CISOs to lobby their boards about the threats and expectations; but I see it as recommendations/guidelines/advice for silos.”
While current cyber thinking is that OT and IT need to merge, there is a danger that this emphasis on continuity and processes might maintain and even promote the separation. Costigan goes further, suggesting the UK might be missing an opportunity here. The paper discusses individual bank responsibility, where possibly sector resiliency is a shared responsibility.
“If you look at Sweden and Norway,” he said, “you’ll see that the banks do not operate in isolation — security is viewed as a collective responsibility.” He gives the example of BankID — a single identity system that operates across multiple financial institutions, and has been recognized as a legally binding signature in other areas.
Dan Sloshberg, director product marketing at Mimecast, suggests that concentrating on resilience will automatically include cyber issues. “WannaCry was a wakeup call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure,” he says. “Organizations can also learn from the new NIS Directive. This legislation clearly signals the move away from pure protection-based cybersecurity thinking. Robust business continuity strategies have never been more important to ensure organizations can continue to operate during an attack and get back up on their feet quickly afterwards.”
Dave Ginsburg, VP of marketing at Cavirin, sees the paper as a reasonable attempt to improve resiliency in a changing world. He notes that since the London bombing threat going back to the IRA and The Troubles last century in the UK, and 9/11 in the U.S., banks in both countries have effective disaster recovery operations in place.
“However,” he told SecurityWeek, “financial interconnections and interdependencies are much more complicated than they were 17 years ago. What the UK is getting at is putting in place the mechanisms to preserve the financial ‘supply chain’ if the worst occurs due to physical or cyberattack. Everyday approaches to physical security and user training don’t necessarily address this, and one would hope that institutions in the US, if not implementing such an approach already, may use this as a template. And, it need not only apply to finance, but to the cyber posture of other critical systems such as telecommunications, transportation, electricity, and water supply, to name a few.”
“The concept of impact tolerance is core to the supervisory authorities’ thinking,” comments the paper, “and may challenge firms and FMIs to think differently. It encourages them to assume operational disruptions will occur. This means that attention can be directed towards minimizing the impact of disruption on important business services. Impact tolerance focuses firms, FMIs and the supervisory authorities on the potential vulnerabilities in business and operating models. The work they do to increase the resilience of these need not be tied to specific threats, rather an important business service should be made resilient to a wide variety of threats.”
The paper highlights an unpalatable truth for consumers: in critical industries such as the financial sector, operational continuity is more important than data protection — including PII. Concentrating resources on continuity could feasibly leave customer data more exposed to cyber-attack. Having PII stolen does not normally directly impinge on continuity, and could conceivably be considered of lesser importance (at least as far as the financial regulators are concerned).
The problem for individual firms within such critical industries is that any ensuing resilience regulations will not excuse them from existing data protection regulations. By treating resiliency as a separate issue to data protection, it merely complicates an already complicated regulatory environment.