The Bank of England’s Financial Policy Committee recently underlined the importance of cyber stress testing when assessing the operational resilience of financial services. This was in anticipation of the PRA’s policy statement on operational resilience in the financial sector, which came out on Monday 29 March.
The PRA’s policy statement focuses specifically on the financial sector’s impact tolerances with regard to critical business services, giving institutions a year to identify key business services and their level of resilience. Disruption to the payment system, for example, would have a catastrophic effect in short order. Given the sector’s dependence on digital technology, the Bank’s focus on cyber is wise. The Bank devised CBEST to stress test the major banks’ cyber resilience but, with the PRA policy statement’s focus on identifying third-party vulnerability and given recent software supply chain breaches, it makes sense to extend understanding of the sector’s resilience further. This is likely to present significant challenges to many financial institutions which will not have the capability of the major banks and which are particularly reliant on third-party provision of technical services.
Understanding vulnerabilities in the supply chain is never easy. It requires a clear understanding of risk as well as the ability to monitor suppliers in order to ensure appropriate standards are met and to pick up security concerns as early as possible.
You can view the full report here