Building Operational Resilience

A presentation at fscom webinar in May 2020 in by Simon Whittaker

Slide 1

Slide 1

Preparing for an IT Audit 2020

Slide 2

Slide 2

  1. Strange Times 2. Operational Resilience 3. Steps to take 4. Other Issues 5. The future

Slide 3

Slide 3

Simon Whittaker The majority of my work involves working with companies to perform penetration & security testing, test and improve secure coding practices and provide security consultancy to companies that are keen to improve their processes & procedures simon.whittaker@fscom.co.uk

Slide 4

Slide 4

1 Strange Times

Slide 5

Slide 5

‘Disruptive events can have a high impact on consumers and businesses so firms and FMIs need to know where the risks to their service delivery lie and to make sure that they are prepared for any service disruption by testing their planned response.’ Andrew Bailey, FCA Chief Executive

Slide 6

Slide 6

Offices – remember them?

Slide 7

Slide 7

The New World

Slide 8

Slide 8

Over the coming months, everyday life will be disrupted in ways that will cause severe financial difficulties for many thousands of businesses, families, and individuals. • Our main priorities are • To ensure that financial services businesses give people the support they need • That people don’t fall for scams • Financial services businesses and markets know what we expect of them. Our proposals make it clear that we expect firms and Financial Market Infrastructures (FMIs) to take ownership of their operational resilience and to prioritise plans and investments based on their public interest impact. https://www.fca.org.uk/publication/consultation/cp19-32.pdf

Slide 9

Slide 9

Slide 10

Slide 10

2 Operational Resilience

Slide 11

Slide 11

Building operational resilience: impact tolerances for important business services • Identify their important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system • Set impact tolerances for each important business service, which would quantify the maximum tolerable level of disruption they would tolerate • Identify and document the people, processes, technology, facilities and information that support their important business services • Take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios Press Releases Published: 05/12/2019 Last updated: 31/03/2020 https://www.fca.org.uk/news/press-releases/building-operationalresilience-impact-tolerances-important-business-services

Slide 12

Slide 12

3 Steps to take

Slide 13

Slide 13

What services are important? identify their important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system

Slide 14

Slide 14

What is your tolerance for failure? Set impact tolerances for each important business service, which would quantify the maximum tolerable level of disruption they would tolerate

Slide 15

Slide 15

People, processes & tech Identify and document the people, processes, technology, facilities and information that support their important business services

Slide 16

Slide 16

Actions to keep going Take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios

Slide 17

Slide 17

EBA Guidelines for Cyber Security • • • • • • Information Security Policy Logical Security Physical Security ICT Operations Security Information Security reviews and testing Information Security training and awareness

Slide 18

Slide 18

4 Other Issues

Slide 19

Slide 19

Staff “Relying on developing an effective technical control environment alone may not deliver the best results. It needs to be accompanied by positive steps to increase staff awareness and understanding, such as providing training and engaging with high-risk personnel.”

Slide 20

Slide 20

Suppliers FCA have said that 17% of the incidents firms reported to them were caused by IT failure at a third-party supplier – the second highest root cause of disruption to services

Slide 21

Slide 21

5 The future

Slide 22

Slide 22

Documentation & Risk • • • • • You can’t outsource risk Ownership – not just signing off Practical Measures Suppliers Ask questions & challenge

Slide 23

Slide 23

? Questions?