Deloitte comments on BoE and FCA financial sector operational and cyber resilience discussion paper

The Bank of England (BoE) and Financial Conduct Authority (FCA) have today released a discussion paper on their plans to develop a comprehensive approach to supervising the UK financial sector’s operational and cyber resilience. David Strachan, partner and head of Deloitte’s EMEA Centre for Regulatory Strategy, provides initial thoughts on impact tolerance, data recovery and what firms need to do next.

On impact tolerance, Strachan says:
“Impact tolerance is an important aspect of this discussion paper and, in essence, is a set of metrics describing how firms should recover from operational disruption to important business services. It brings a new level of sophistication to the familiar area of operational resilience, reflecting the growing complexity of the operational disruption scenarios to which banks and other firms are now vulnerable.

“Focusing on this impact tolerance rather than, say, a single downtime target for critical systems, is a powerful concept that has the potential to accelerate thinking on how to recover from serious operational disruptions. It is unlikely to be easy to implement and all parties may ultimately need to distinguish between recovery from a severe attack and dealing with the consequences of a near-extinction event.”

On data recovery, Strachan adds:
“We see in the approach that data is now potentially up there with capital and liquidity as one of the most critical resources for a firm. How quickly data can be recovered will be key to how fast – and if at all – a firm can continue to operate.”

On what firms need to do, Strachan comments:
“Some firms will already be doing elements of this work across their business, but not necessarily by design. Governance is key, and the discussion paper underscores how boards will need to take greater responsibility for operational resilience in their firms.

“Firms will need to skew their priorities for investment towards mitigating the overall impact of a disruption on their key business services. The more customers, the more primary current accounts, and the closer the disruption to end-of-day, the more important to regulators.”

End

Notes to editors

About Deloitte
In this press release references to “Deloitte” are references to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”) a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see deloitte.com/about for a detailed description of the legal structure of DTTL and its member firms.

Deloitte LLP is a subsidiary of Deloitte NWE LLP, which is a member firm of DTTL, and is among the UK's leading professional services firms.

The information contained in this press release is correct at the time of going to press.

For more information, please visit www.deloitte.co.uk

Member of Deloitte Touche Tohmatsu Limited