Cyber Expo

New regulation pushes IT failures to the fore

Written by Peter Walker
01/11/2018

Regulatory action on operational resilience within financial services firms is likely to increase the urgency with which IT and data security work is considered at board level, according to experts.

In July, the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a joint discussion paper on an approach to improve the operational resilience of firms and financial market infrastructure, in the wake of scandals involving the likes of TSB and Visa.

It envisaged that boards and senior management can achieve better standards through increased focus on setting, monitoring and testing tolerance to specific cyber attacks, technological disruptions, or outsourcing failures.

The regulators reinforced the need for firms to develop and improve response capabilities so that any wider impact of disruptive events is contained. The discussion period ended earlier in October and guidance is expected later this year.

Guy Warren, chief executive at financial services software firm ITRS, explained that the regulations will greatly increase the focus on IT resilience in financial institutions.

“Today, this is taken as an IT department accountability, and only becomes the business’ responsibility when there is a significant issue or outage,” he said. “In future, the business will need to stay briefed on all issues which may affect resilience and ensure sufficient resources and focus are kept on IT activities.”

The focus on operational resilience comes on the back of increased accountability under the updated Senior Managers and Certification Regime, under which individuals across different departments must take responsibility in the event of disruption.

The creation of an additional Chief Operations Senior Management Function (SMF24) puts responsibility for internal operations and technology on named individuals within the IT department, so the buck stops with a named person (more than one is allowed) if there is a cyber attack or data breach.

Richard Pike, chief executive of RegTech firm Grovenor Software, said the way the regulator enforces the regulation will dictate how keen people are to take on the responsibility.

“People may look at it and say ‘well why would I take that risk?’, as effectively what they can do is fine you personally and strip you of your ability to work in financial services, so it definitely adds to the levels of importance that a role in IT holds.

“The good side, that we’re seeing in the banks already, is that it means these things are a lot clearer to people, whereas before, it might have been a bit muddy as to who was in charge of what,” he continued, adding: “But if there’s a problem on your watch, it can be very serious - you’d certainly want to be paid for the job, so to speak - so it may cause issues in the staff market.”

Pike previously suggested that the new regime may lead to a ‘brain drain’ within the senior levels of banks, as some executives would rather move or retire than take on the additional responsibility.

Regulators want to have a clearer path to enforcement following IT disruption in financial services firms, but Pike warned that the implementation still runs the risk of not eliminating the root cause.

“You want to be really clear that they are catching the bad actors, and not just the people who couldn’t manage themselves correctly, or had problems with the organisation and they ended up being scapegoated,” he stated.

“If the industry started to see people being scapegoated or getting fined for what seems the wrong reasons, then you do cause a real problem with people just not bothering to take up those roles anymore.”