Introduction
The growth of digital financial transactions, the complexity and interconnectedness of underlying infrastructure and technology, and increasing concentration risk have led to new regulations.
As with all new regulations, the full impact and cost are yet to be fully understood.
This paper provides a high-level overview of two pieces of regulation affecting entities operating within the EU and UK financial markets. It summarises the implications of the regulations and their immediate impact on third parties in a chain of vendors that contribute to important business services.
It concludes that 3rd Party vendors and services considered material in the delivery of important business services will fall within the reach of the new regulation.
Background
Regulations exist across all the major financial markets to address the risks arising from operational disruptions. These regulations call for regimes that identify, measure, report and mitigate the risks.
More recently, regulators in the EU and the UK have taken additional steps to address gaps in the existing regulation and the overreliance on quantitative measures. More specifically, they are reacting to the development of digital financial instruments and the risks arising from them, compounded by the interconnectedness of financial markets.
“...the interconnectedness of the financial system and the complex and dynamic environment in which firms operate.”
Supervisory Statement SS1/21
The EU has developed a regulatory framework known by its acronym ‘DORA’ – The Digital Operational Resilience Act. This framework explicitly targets digital resilience.
The PRA’s Supervisory Statement SS1/21 – Operational resilience: Impact tolerances for important business services extends beyond the digital markets, addressing the management of operational risks, including those related to technology and information systems. It is complemented by SS2/21 Outsourcing and Third Party risk management.
Implication
Both the EU and the PRA align with the Financial Stability Board’s principles of operational resilience (https://www.fsb.org/2021/03/principles-for-operational-resilience/). Both set 2025 (January and March, respectively) for compliance, and both introduce enhanced 3rd party risk management requirements that draw material or critical service providers into the regulatory net.
“…the PRA expects firms to assess the materiality and risks of all third party arrangements irrespective of whether they fall within the definition of outsourcing.”
Supervisory Statement | SS2/21 Outsourcing and third party risk management, March 2021
The implication for firms considered as either material or critical providers of services is meaningful. They will need to demonstrate that they are fit for purpose, meeting enhanced ‘regulatory’ standards regarding their governance, risk identification, measurement, control and remediation frameworks.
“The PRA therefore expects firms that are parties to these arrangements, either as service providers or service recipients, to leverage applicable, existing regulatory requirements to manage relevant risks and promote an appropriate level of resilience.”
Supervisory Statement | SS2/21 Outsourcing and third party risk management, March 2021
Impact
The regulations are intended to be proportionate and principle-based, giving regulated entities a degree of flexibility in how they interpret and approach compliance. However, this flexibility also means that 3rd Party providers will have to meet the most demanding of their clients’ interpretations in order to satisfy all of them.
The immediate impact will be on the investment required to design and implement or enhance the governance, risk management and control frameworks required to meet a regulated entity’s onboarding requirements.
The depth and extent of any due diligence (DD) undertaken to satisfy the regulatory requirements will reflect the materiality of the service or product provided. In most cases, the DD will address:
Business model
Complexity, financial situation, ownership structure, scale
Capability, expertise, and reputation
Financial, human, and technology resources
Key Person Risk
ICT controls and security
Testing and assessment of tertiary vendors, platforms or products used
Relevant authorisations or registrations
Compliance with relevant legal and regulatory requirements (GDPR, Data Protection Act)
Adherence to recognised and applicable industry standards
The DD will require access to documented evidence to satisfy its requirements. It cannot rely on track record or other anecdotal evidence such as industry standing or reputation. The regulated entity must satisfy itself that the 3rd Party can demonstrate its ability to prevent, withstand and recover from operational disruptions.
Furthermore, 3rd Parties will need to invest in cybersecurity standards that are at least equivalent to the additional measures imposed by regulation, including incident response plans and participation in periodic assessments.
What to consider:
Preparedness to meet the standards of operational resilience for onboarding by a regulated entity
Due diligence procedures and standards for assessing the operational resilience of their own 3rd Party vendors and platforms that form part of the same chain
The quality and nature of the documented evidence of operational resilience
What's important:
To demonstrate an understanding of the new requirements and industry standards
To demonstrate maturity through the quality and readiness of the materials used to evidence operational resilience
Governing Operational Resilience Regulation
Digital Operational Resilience Act (DORA) – Summary
Objective:
To harmonise, consolidate and upgrade ICT risk requirements, comprehensively addressing all components of operational resilience, introducing targeted qualitative rules for “the protection, detection, containment, recovery and repair capabilities against ICT-related incidents, or for reporting and digital testing capabilities.”
Substance:
Explicitly addresses ICT risk-management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring.
Summary:
ICT risk management
Internal governance, control frameworks, policies and procedures
Documented ICT risk management framework
Identified, classified, and documented inventory of all ICT-supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies concerning ICT risk
Continuous monitoring and control of the security and functioning of ICT systems and tools
Systems/mechanisms/processes to promptly detect anomalous activities
Response and recovery procedures and business continuity policies
Crisis communication and disclosure plans for major ICT-related incidents or vulnerabilities to clients, counterparties and the public
ICT-related incident management, classification and reporting
Processes to detect, manage and notify ICT-related incidents
Processes to classify ICT-related incidents and cyber threats
Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Harmonisation of reporting content and templates
Centralisation of reporting of major ICT-related incidents
Digital operational resilience testing
Requirements for the performance of digital operational resilience testing
Advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT)
Requirements for testers to carry out TLPT
ICT third-party risk management
Assessment of ICT concentration risk at entity level
Designation of critical ICT 3rd party service providers
Requirements to assess and regularly review 3rd party service providers
SS1/21 Operational Resilience – Summary
Objective:
To improve the resilience of firms and the wider financial market to operational disruptions.
Substance:
It introduces requirements and standards for identifying important business services, mapping material business processes and systems, setting impact tolerances, and establishing effective governance and testing frameworks.
Summary:
Identification and Mapping of Business Services
Identify important business services, defined as services which, if disrupted, could pose a risk to the firm’s safety and soundness
Assess, understand and document the necessary people, processes, technology and 3rd parties required to deliver these important business services
Impact Tolerances
Set the maximum tolerable level of disruption to an important business service, measured by the length of time and “other relevant metrics”
Take into account the impact of the failure of connected business services
Apply to recovery and resolution planning
Set by taking into account peak and normal times (a comprehensive cycle)
Implement effective remediation plans for important business services breaching tolerance thresholds
Scenario Testing and Mapping
Regularly test the ability to remain within impact tolerance thresholds in severe but plausible disruption scenarios
Incorporate the entire chain of activities supporting the important business service in the testing plan
Obtain assurances and contractual commitments from 3rd parties to implement and test business contingency plans and to support the testing of the plans
Map the interdependencies of systems, processes, and 3rd parties to identify and document vulnerabilities
Incident Response and Recovery Planning
Establish and document response and recovery plans
Detail responses to disruptions and mitigations to remain within impact tolerance thresholds
Test recovery plans for both availability and integrity scenarios
Collaboration with 3rd Parties
Requirements to collaborate effectively with 3rd parties to manage operational resilience
Assess the operational resilience of 3rd parties
Ensure 3rd parties have adequate contingency plans
Governance and Oversight
Board responsibility to approve the list of identified important business services and impact tolerances
The appointment of a Senior Management Function (SMF 24) to be accountable and responsible for operational resilience
Documented self-assessment of compliance
Douglas Lyons
October 5th 2023