What the New Operational Resilience Rules Mean for Network Management

How automating network management will be vital for financial institutions that need to meet the PRA/FCA, Fed and ECB regulations for availability and security

To minimise the impact of IT glitches, cyber attacks, and other disruptions on financial markets and the availability of banking services to consumers, regulators in the UK, the USA and Europe have co-ordinated efforts to introduce new regulations requiring financial institutions to demonstrate appropriate levels of operational resilience.

The Importance of Operational Resilience for Financial Institutions

Maintaining a secure, reliable and available network is important for all organisations, but its importance is amplified within the financial sector. 

A fundamental part of operational resilience is being able to continue providing mission-critical services in the event of disruptions, which, in turn, depends on the stability and availability of an organisation’s network.

Today, customers expect 24/7 availability of key services, such as online banking accounts, cash withdrawals and credit union accounts. Customers rely on financial organisations not only to keep their finances secure, but also to safeguard their data and identities.

Commercially, financial institutions such as banks need to be able to communicate and transact globally on request with clearing houses, settlement platforms, stock markets and payment processors. With the RTGS system in the UK alone processing over £600 billion of transactions every working day, just one financial institution experiencing a severe and extended network outage can have systemic impacts on the wider system.

It’s evident that solid network management underpins all internal and customer-facing systems upon which a functioning financial sector depends. Monitoring network components and performance, combating cyber threats, backing up configurations for key network devices and enabling the swift recovery of network infrastructure after a disruption are all vital aspects of ensuring operational resilience.

The New Rules At a Glance

The Bank of England’s Prudential Regulation Authority (PRA) worked with the Financial Conduct Authority (FCA) to establish the rules for demonstrating operational resilience within financial institutions. The rules will come into force on March 31st, 2022. Here are the rules at a glance:

  • Identify important business services. These are services that, if disrupted, could cause intolerable harm to the consumers of the organisation’s services or pose a risk to market integrity. Such disruptions commonly stem from network outages, network hardware failures, and misconfigurations in the network. 
  • Set an impact tolerance. For important business services, the impact tolerance is the first point in time at which a service disruption, such as a security breach that renders an online banking service unavailable, would cause intolerable levels of harm to consumers or pose a risk to market integrity. 
  • Testing resilience. Financial institutions need to demonstrate they can stay within their impact tolerances for important business services. This involves acquiring adequate backup solutions that can restore networks swiftly and then using scenario testing to demonstrate the ability of such solutions to help remain within impact tolerance under different plausible situations.
  • Communicating disruptions. Financial services companies must provide clear, timely and relevant communications to stakeholders in the event of operational disruptions. Furthermore, the FCA expects to be notified of any failure by a company to meet an impact tolerance. 

While the Bank of England rules are specific to the UK, there is a global call to strengthen operational resilience in the financial sector as a whole. For example, the Basel Committee released a 2020 paper on Principles for Operational Resilience. In the same year, the US Federal Reserve released an interagency paper on Sound Practices to Strengthen Operational Resilience.

The need for improved operational resilience in the financial sector calls for some coordination in strategies, tools, and methodologies. Existing standards, such as the US NIST framework, are candidate standards for cross-regional adoption. The NIST framework specifies security measures, tools, and controls that help ensure the reliable functioning of critical network infrastructure. 

Although it remains to be seen whether nations will work together to coordinate the implementation of a single framework, it is clear that there is a global shift towards accountability and operational resilience within financial institutions.

Consequences of Not Being Operationally Resilient

Not being operationally resilient is a huge risk for financial institutions that carries a range of damaging consequences, such as:

  • Costs. The costs of a severe and uncontrolled operational disruption can run into hundreds of millions of pounds. TSB’s 2018 IT outage, which stemmed from a botched IT migration that lacked proper testing and business continuity plans, cost the bank £330 million in damages.
  • Non-compliance fines. Aside from direct compensation costs, breaching operational resilience regulations can result in a fine for non-compliance. Details of non-compliance fines under the new UK regulations aren’t yet known; however, an indication can be gleaned from the UK government response to the EU’s NIS Directive on cyber resilience back in 2018, which alluded to fines of up to £17 million.
  • Reputation loss. Customers and other key business partners may switch to a different financial services provider following a network disruption that makes key services unavailable or causes data loss. Customers and clients in financial services expect high availability and secure networks that protect their data.
  • Market integrity. Severe network outages that render key financial services unavailable for long periods pose a wider risk to market integrity. 
  • Missed opportunities. Extended network downtime means organisations cannot trade in the financial markets, which can result in missed (profitable) trading opportunities.

Solutions for Improving Operational Resilience 

The solutions for operational resilience should principally revolve around building a resilient IT network infrastructure. It’s imperative that the networks of financial institutions are equipped to respond adequately to hardware malfunctions, software errors, and cyber attacks so that impact tolerances aren’t exceeded for important business services. The solution should include:

  • Assessing current systems and processes. The steps to improve resilience begin with assessing how the failure of an individual network process impacts the delivery of important business services. As per the regulations, this assessment includes scenario testing. Any failures to meet impact tolerances call for investment in additional systems, oversight, and tools. 
  • Automating manual processes. The complexity of network management at financial institutions makes relying on manual processes a risky venture. With studies suggesting that up to 82% of network outages are caused by human error, businesses are rapidly moving towards automated solutions that can implement network configuration changes and perform network device health checks without human input. 
  • Ensuring high availability. Highly available networks can experience faults and outages that have minimal impact on end users. The tools that can help maximise availability include network and device monitoring, network segmentation to optimise traffic flow, and having redundant network components.  
  • Using appropriate backup and disaster recovery solutions. In the event that a disruption takes the network offline for any amount of time, it’s vital to have a backup and disaster recovery solution that can quickly restore the network. Backup and recovery should encompass multi-vendor network, security and storage devices and their configurations. 

At Restorepoint, we can help financial organisations improve their operational resilience and achieve compliance with the new regulations by strengthening network resilience.

We help customers such as Deloitte, Societe Generale, Fidelity International, Unicredit and Luxembourg Stock Exchange to dramatically shorten audit cycles, reduce network downtime and meet internal compliance standards by automating critical network processes.

Book a live demo and see how you could use Restorepoint to drive network efficiency, eliminate time-consuming manual processes and achieve operational resilience. 
