In focus

  • With policy work largely complete, firms need to focus on the implementation of operational resilience requirements, with supervisors set to be on the lookout for tangible evidence of progress in building resilience.
  • The Digital Operational Resilience Act’s (DORA) January 2025 implementation deadline requires EU firms to make rapid progress in 2023 across new IT risk management, reporting, testing and third-party (TP) risk management requirements.
  • The volatile geopolitical environment may lead to heightened risk of cyberattacks, and supervisors will push systemically important firms to take additional measures to counter this.
  • Regulators are designing critical third-party (CTP) oversight frameworks but firms will still have to address vulnerabilities stemming from their own TP exposures.

UK operational resilience framework

The transition period for the UK’s operational resilience frameworks will soon enter its second year and UK-based firms need to demonstrate that they are making measurable progress towards assessing the resilience of their important business services (IBS) and taking remedial action where necessary. Key to this is a firm’s capability to map the systems and vulnerabilities associated with each IBS and to develop testing methods based on “severe but plausible” scenarios. Supervisors expect a less theoretical approach to testing, with scenarios covering events such as data integrity being compromised and disruptions resulting from CTP failures.

Supervisors will also look for evidence that firms are investing in their resilience and embedding it into their routine activities. In this context, firms should explore how they can leverage the alignment of capabilities between operational resilience, TP risk management, and financial resilience functions. Finally, UK regulators are expected to consult on targeted initiatives in 2023, such as an operational incident reporting framework, which will put further pressure on firms’ compliance responsibilities.

EU DORA

The clock is also now ticking down on the 24-month implementation period for the EU’s DORA Regulation, and work will need to begin in 2023 to meet the January 2025 compliance deadline. While the DORA’s ICT risk management requirements are similar to existing European Supervisory Authorities guidelines and will allow firms to leverage their previous work, some of the DORA’s requirements are more prescriptive. For example, firms need to articulate tolerances for disruption linked to their critical or important functions (CIFs) and to carry out concentration risk assessments of their TP exposures.

Figure 1: Number of publicly disclosed global cyber attacks over time1

Source: Financial Stability Review, European Central Bank, November 2022

The DORA’s incident reporting and cyber threat notification rules could become significant compliance challenges, and therefore the technical details from the regulatory technical standards (RTS) that are due to be consulted on in H2 of 2023 will be important. Firms should equally pay close attention to resilience testing RTSs, particularly if they do not currently carry out a threat led penetration testing programme but are at risk of being considered sufficiently significant under the forthcoming technical standards and thereby being scoped into the “advanced testing” requirement.

Running in parallel to the DORA implementation, EU supervisors, such as the European Central Bank, will continue to expand their capabilities in cyber and IT risk and carry out further targeted investigations into firms’ cyber resilience in 2023. For any domestically significant firms or larger, these may be substantial exercises that will require an organisation-wide response. The regulatory expectation around the close involvement of senior management and the Board will put even greater pressure on firms to build knowledge of cyber, IT risk, and operational resilience issues among senior leadership.

Oversight of CTPs

Regulators in 2023 will increasingly look at the sectoral resilience of financial services (FS) more broadly, particularly in relation to CTPs.

The DORA’s CTP regime introduces the world’s first oversight framework for CTPs. UK regulators have also followed suit with a discussion paper in July 2022 and a subsequent consultation paper is due in 2023. Key issues for the UK this year will be around setting a standard for the resilience of CTPs and the possibilities for promoting international alignment. Some cross-jurisdictional differences are already visible, with the UK focusing on the oversight of significant services only and the EU opting for a broader definition.

Firms should consider which of their providers may be designated as CTPs and identify concentration risks that may attract further supervisory scrutiny. The development of CTP oversight frameworks will not replace firms’ responsibility to conduct TP risk management or manage the operational resilience vulnerabilities associated with TP exposures; something that is emerging as the most challenging area in building operational resilience. To meet supervisory expectations, firms must develop exit strategies and business continuity plans for their TP exposures, including substitute delivery methods and systems where needed.

Enhancing FS cyber resilience

Regulators will also make progress on related initiatives that target the cyber resilience of the technology ecosystem that FS firms operate in. The EU’s recently proposed Cyber Resilience Act (CRA) may be agreed by the end of 2023. The CRA is expected to include the FS sector in its scope, compelling firms to provide more information and to comply with a set of standards on the cybersecurity of the digital products they develop in house.

Actions for firms

Implementing operational resilience

  • Embed operational resilience within operating models and turn it into a key driving factor for Board and senior management decision making.
  • To do this, firms need to focus on building the resilience of their IBSs/CIFs by understanding the assets and processes that support their delivery, identifying key interconnections and vulnerabilities, and developing performance indicators to detect threats/incidents.
  • In many cases, firms should consider the adoption of integrated tools to manage the operational resilience implementation process.

TP risk management

  • Work with TPs to ensure reciprocal alignment on key aspects of operational resilience, such as IBSs/CIFs and impact tolerances.
  • Develop the ability to assess TP concentration risk and take mitigating action where necessary. Large firms may even have to explore TP multi-vendor strategies if resilience vulnerabilities to sole providers cannot be sufficiently addressed.
  • Negotiate mandatory contractual clauses with TPs as required by the DORA (for EU firms in particular).

Convergence with other policies/frameworks

  • Leverage existing capabilities to meet the policy outcomes required by regulators.
  • For instance, integrating crisis communications planning across operational resilience and business continuity, or leveraging elements of scenario testing done for the operational risk component of the Internal Capital Adequacy Assessment Process or Own Risk and Solvency Assessment to support operational resilience testing.

Financial Markets Regulatory Outlook 2023

Explore the chapters

Endnotes

1 ECB, Financial Stability Review, November 2022