By Dominic Wordsworth, Senior Technology Consultant, CBG
As I get to thinking about what the next year could bring, I can’t help but feel that we are coming into a period of regulation which will start to inform the decision-making process. The term ‘Operational Resilience’ (OR) is one I have heard a good few times, and I think Cyber will feature front and centre as a key component in protecting critical business services.
In the summer of last year, the Bank of England, Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) published a joint discussion paper on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs) in the financial sector. Whilst only a discussion paper at this stage, it explicitly references extending existing legislation and is definitely an indication of the direction of travel.
Similarly, in May of 2018, the Network and Information Systems Regulations 2018 were passed into law. Affecting operators of essential services, they highlight the central importance of Cyber in delivering OR.
As I read it, both have a common central premise – ensuring that in the event of a significant cyber attack, the country is able to maintain enough of its critical services so as not to cripple our economy. It’s about keeping the power on, cash flowing through the system and water flowing to taps, enough to keep the country on its feet while it recovers.
Over certain threshold requirements, organisations across the Financial Sector, and from Utilities through to Healthcare will need to start thinking about the part that Cyber will play in building Operational Resilience at the heart of the strategy. The FCA approach in my view is pragmatic – prevent, adapt and respond to, recover and learn from, operational disruption. In other words:
· Protect what you can
· Accept that you will be breached
· Ensure multiple highly available processes support the Business Service
All of this is good practice even for organisations outside of legislative cover – I’ve lost count of how many times in the last year a bank has been in the news for service outages due to one thing or another – and this kind of reputational damage affects everyone. Oversight from the NCSC in the case of NIS will bring with it a common, joined-up strategy for success.
In reality though, there is certainly complexity ahead. Notwithstanding the efforts to audit and understand current capability, managing rapidly changing environments will not be easy. Couple that with an increasing skills shortage and the constant battle to deliver more at less cost, and organisations run the risk of falling short in their obligations to regulators, customers or both.
Over the coming weeks I’ll be reviewing some new technology and services I’m working on, with a view to seeing if there is the potential to transform innovation from being a barrier to Operational Resilience to being an accelerator. More to follow…