As once stated by Benjamin Franklin (and echoed by Taylor Swift in her song “Mastermind”), failing to plan means planning to fail. One of the many circumstances where this sentiment applies is financial firms fostering strong resilience practices to remain secure as cyber incidents grow in frequency and sophistication.
The financial services landscape continues to evolve thanks to trailblazing technologies, though so too does the variety of threats. A dynamic and variable market brings about the need for robust security standards, and in the case that trouble does occur, regimented cyber resilience strategies.
Tying into the need for strengthened resilience are factors like third-party risk. Without procedures established to bounce back after a breach aimed at compromising your or your service provider’s data, the door is opened to dire consequences that ripple out to not just individual firms, but clients and overall market stability.
The aftereffects of inadequate cyber resilience have been demonstrated in recent news. Per a report from the International Monetary Fund conducted in April 2024, the amount and severity of losses from cyber incidents are growing. Since 2017, the size of losses has quadrupled to $2.5 billion. This vulnerability is especially keen when it comes to the finance industry:
“Incidents in the financial sector could threaten financial and economic stability if they erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions. For example, a severe incident at a financial institution could undermine trust and, in extreme cases, lead to market selloffs or runs on banks.”
In recent resilience reports
From frameworks to enhanced concentration to examination priorities, regulators have underscored that the gravity of these cyber incidents has not slipped their notice. With the principles set out in multiple regulations, firms are expected to demonstrate persistence and diligence in cultivating vigorous cyber resilience processes. We’ve compiled five of the most significant operational resilience developments below.
- The Digital Operation Resilience Act
The Digital Operation Resilience Act (DORA) is a framework introduced by the European Supervisory Authorities the sets out direction to guard firms against harm should they fall victim to a cyber incident meant to impede business operations. This Act applies to countries that are part of the European Union (EU), as well as the U.K., as it was established pre-Brexit.
This Act was passed in November 2022, and provides firms with technical guidance on maintaining security and responding to cyber threats to protect operations and, in turn, clients. In addition, it encourages firms to refine their controls, tests, and responses when handling digital risks.
The pillars of DORA include ICT risk management, incident reporting, third-party risk management, stress testing, and intelligence sharing. Overall, these factors aim to encourage firms to utilize controls that detect and mitigate risks before they materialize, develop strategies to respond to threats, and perform internal stress tests to assess their firm’s response.
Similarly, DORA aims to measure third-party risk and ensure external providers are performing in a secure environment. Finally, firms are expected to share threat experiences with competitors if they have been targeted to prevent further risk.
- The BoE operational resilience approach
The Bank of England (BoE) defines operational resilience as the “ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions,” and that beyond disaster recovery, firms should have “robust plans in place to deliver essential services.”
To achieve proper resilience, the BoE states that firms should understand essential operations that are most critical to their functionality, and should set impact tolerances that demonstrate the extent they can continue operations should a disruption occur. Upon identifying this, firms should test their ability to perform within tolerances.
In addition, the BoE published a consultation paper in December 2023 regarding operational resilience and critical third parties (CTP), particularly related to risk management that could arise should a CTP’s services be disrupted. To manage these risks, the BoE requires that CTPs submit self-assessments, an outline of resources used to support financial firms, and a copy of their incident management practices.
With firms enlisting the assistance of third-party services to optimize operations, it is essential to ensure that whatever external provider you choose is able to validate that it’s adhering to security practices and meeting standards set out by regulators.
- The CFTC Operational Resilience Framework
The Commodities and Futures Trading Commission (CFTC) approved a rule proposal in December 2023 that requires financial institutions to maintain an operational resilience framework to “identify, monitor, manage, and assess risks relating to information and technology security, third-party relationships, and emergencies or other significant disruptions to normal business operations.”
This framework is comprised of three components, which include an information technology security program, a third-party relationship program, and a disaster recovery plan. To support these components, firms are expected to meet requirements relating to governance, training, testing, and recordkeeping.
In a statement discussing this framework, Commissioner Kristin N. Johnson explained that on top of these three pillars “are corporate governance reforms that will dictate how each covered entity will incorporate the components of the plan into existing organizational structures.”
The CTFC has also had extensive discussions about cybersecurity in relation to artificial intelligence (AI), which is another fast-developing tool being adopted by firms that accounts for a significant amount of cyber risk. Similar to the way in which it is tackling AI, the CFTC has recognized that there is no “one size fits all” approach to cyber resilience, and that it is important to account for a range of factors, such as business sizes and risk profiles.
- OCC’s concentration on cyber resilience
In March 2024, the U.S. Office of the Comptroller of the Currency (OCC) announced that it is focusing on baseline operational resilience requirements for large banks with critical operations. Acting Comptroller of the Currency Michael J. Hsu said that as part of these requirements, firms are expected to establish definitions for identifying critical activities, define tolerances for disruption, require testing and validation of resilience capabilities, incorporate third-party risk expectations, and stipulate clear communications with stakeholders and counterparties.
In addition to this, Hsu advised firms to consider that they have good planning measures, are making prudent investments, creating well-designed systems, and performing regular testing.
Hsu mentioned that these baseline requirements are only the beginning, and that, as the ability for disruptions magnifies, the OCC is “assessing and working with our interagency peers to develop the right approach here in the U.S.”
- SEC and ECB make operational resilience an examination priority
Both the Securities and Exchange Commission (SEC) and European Central Bank (ECB) have outlined operational resilience as risk areas in their Examination Priorities for the coming year, stating that they expect firms to build out their strategies and governance.
The ECB stated that, while progress is being made, institutions need to “strengthen and, where needed, adjust their operational resilience frameworks to mitigate potential risks.” Similarly, the SEC persists in its attention on cyber resilience. The U.S. regulator listed the matter as a focus area in 2023 and, in its 2024 Priorities, outlined the aspects of operational resilience it will narrow focus on:
“The Division will focus on registrants’ policies and procedures, internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks.”
Outside of outlined frameworks, we’ve also seen regulators like the ECB approach this topic by announcing simulated stress tests to measure firms’ ability to defend against cyber breaches and restore normal operations. Will these tests hint at pending, more involved assessments that prompt firms to prove their commitment to the cause? Watch this space.
Risk, resiliency, recovery
Were a cyber incident to occur, does your firm have steps established to maintain stability and manage critical business functions as normal? Do you perform tests to gauge your firm’s reaction and have clear oversight of what tactics would be most effective against risk? Does your organization have a clear recovery plan in place should a worst-case scenario occur?
As cyber resilience frameworks and regulations develop, now is the time to assess your firm’s preparedness and how to remain as safeguarded as possible in that case that an incident occurs. The financial sphere is evolving quickly, and cyber risks and threats alongside it – firms need to ensure their policies and preparedness are doing the same.
