In August 2018 the Financial Conduct Authority (FCA) mandated that banks start publishing information relating to major operational and security incidents. According to recent BBC findings, the data published so far show that big banks typically experience one outage per month. Between April and December, major UK banks suffered more than ten shutdowns. Barclays, followed by Lloyds, has reported the highest number of incidents.
Financial services are increasingly relying on digital technology in a number of critical areas, such as payments. Interestingly, in 2018, debit cards overtook cash for the first time in the UK, in terms of total number of transactions. At the same time, a number of IT failures in the sector have raised concerns amongst regulators. Therefore, firms need to ensure that they have the appropriate systems and controls in place to identify, manage and mitigate relevant risks.
Regulatory concerns regarding IT failures
On 23 November 2018, the Treasury Select Committee launched an inquiry into IT failures in the financial services sector (Inquiry). The Inquiry will assess the ability of institutions to prevent and remedy service disruptions. Nicky Morgan MP, Chair of the Treasury Committee, highlighted that “the number of IT failures at banks and other financial institutions in recent years is astonishing” and that “millions of customers have been affected by the uncertainty and disruption caused by failures of banking IT systems”. The Inquiry will be looking at a number of issues, such as the frequency of incidents, common causes and the impact of outsourcing on operational resilience.
On 27 November 2018, the FCA published its cross-sector survey on cyber and technology resilience (Survey). The Survey involved 296 firms and covered the period 2017-2018. The findings show that the number of incidents reported to the FCA has increased by 187% within a year. Most firms consider cyber resilience to be their top concern. Moreover, the vast majority of respondent firms (80%) find it difficult to maintain a view both of the information they hold and of the third parties they use. The Survey has identified weaknesses in key areas, such as change management and third-party management.
On the same day, the Executive Director of Supervision at the FCA, Megan Butler, delivered a speech on cyber and technological resilience in UK financial services. Commenting on the fact that change management was the most frequent cause of outages, Butler said that there seems to be “a mismatch between corporate expectations and reality”. She also mentioned that although the “tech landscape is characterised by massive outsource functionality in IT”, large firms do not understand “the response and recovery plans of their third parties”.
What should firms do?
According to Megan Butler, the true test of resilience is not necessarily the absence of incidents, but rather how well incidents are managed. A key step to enhance operational resilience is to ensure continuity of firms’ most important business services. In addition, firms should note that Principle 11 of the FCA Handbook requires them to report material cyber incidents to the FCA. However, the Survey’s findings show that firms are underreporting, which could suggest non-compliance with their regulatory obligations. Moreover, firms that are subject to the second Payment Services Directive (PSD2) should also pay due regard to their obligations under the relevant major incident reporting guidelines.