The FCA released their 2020 Sector Review which provides an insight into their focus areas and the decisions they will be making in 2020/2021 to protect consumers, market integrity and competition.
As a Cyber Resilience professional, there were a number of statements that brought me to conclude the Financial Services ecosystem must make step changes in the way cyber and operational disruptions are managed. With a 7% increase in technology outages between 2018 and 2019 and the rise of sophisticated cyber-attacks, financial services firms can no longer have a reactive approach to Cyber Security and Operational Resilience if they are to survive. Having followed the FCA’s programme aimed at tackling operational resilience in the sector, I believe 2020 will be a key year for such measures to materialise and be heavily enforced.
The past few years have thrown challenging situations at the financial services sector – the rise of digital start-ups, changing customer expectations, and increased uncertainty in global markets. This year, with the continuing challenge of low interest rates (and further erosion expected, such as the 0.5% seen in the US) and firms prone to take higher business risks, operational efficiency and resilience are key to profitability; that is, the financial and reputational impact of operational disruptions needs to be reduced if the organisation is to survive these extreme conditions.
For example, disruptions such as the TSB outage in 2018 and the Travelex cyber-attack in January 2020, and their financial impact, are cases the financial services industry must learn from. Balancing this risk will be a challenge for those organisations with legacy technology infrastructures, new entrants to the market, ill-managed third parties and disjointed operational resilience capabilities. I’ll be exploring each of these topics further in the next few weeks.
But first, let’s start with the elephant in the room, the coronavirus, which has thrown a curve ball into the mix around operational resilience. Or has it? Should organisations already be prepared for this and be putting their contingency plans into action? Pandemic influenza has been the top risk on the UK’s National Risk Register* for over 10 years, and financial services organisations are mandated to have contingency plans in place for such a scenario to minimise the impact on their business and the ecosystem as a whole.
Mature organisations will be reviewing the lessons learnt from any pandemic scenario exercises conducted in the last year, assuring board members and regulators that they are prepared, and gaining assurance from critical third parties that they too have business continuity plans in place.
Social distancing and basic hygiene have been encouraged by health organisations and government departments so far; however, businesses should be preparing for more extreme measures as the UK starts to prepare for the contagion to increase.
Questions security and operational teams should be asking themselves during this pandemic include:
- Should technology teams impose a change freeze?
- Have remote working technologies been stress tested to allow all employees to connect and continue working, or will this need to be prioritised?
- Can you still continue to serve customers through the channels they have been accustomed to? Or will the business need to adapt and change?
- If the business model does need to adapt and change, what does this mean in the short/medium term? And how will this be managed in the long term?
- Will this pandemic enable the challengers to steal a march on their more mature competitors due to being more agile and less risk-averse?
The next few weeks will be interesting as we witness the full scale of the coronavirus and how it impacts business activities across the globe. For cyber security and operational resilience teams, it is time to make sure you have the right people, processes and systems in place in order to cope and come out just as strong when this virus outbreak subsides.
*A worldwide outbreak of influenza occurs when a novel flu virus emerges with sustained human to human transmission. Up to 50% of the population may experience symptoms, which could lead to up to 750,000 fatalities in total in the UK. Absenteeism would be significant and could reach 20% for 2-3 weeks at the height of the pandemic, either because people are personally ill or caring for someone who is ill, causing significant impact on business continuity.
National Risk Register, Cabinet Office
This blog post was written by Rakhee Porter – UK Cyber Resilience Lead at Sopra Steria. For more information about the work Rakhee is involved with across retail, transport, travel, and financial services, please email PSComms@soprasteria.com.