New BoE paper on operational resilience of critical third parties vital to prevent growing cyber risks – comment

With the Bank of England (BoE) publishing its discussion paper on regulatory standards for operational resilience of critical third parties, David Feltes, Co-head of Operational Resilience at Capco, welcomes this push to foster greater industry collaboration and protect customers, firms, and the overall market: “The BoE’s new paper on operational resilience of critical third parties is certainly welcome. The BoE is quite rightly looking to have critical third party (CTP) standards ‘align to and build on the operational resilience framework for firms and FMIs’. The BoE wants to see convergence between firms’ own services and the horizontally integrated services provided by third parties. As these CTP services span multiple firms (and multiple services within a single firm), the possibility of contagion and threats to overall stability are accordingly higher.

“A particular area of concern to emerge this year is how firms can control the impacts on their services if they do not control those processes or technology outsourced to a third party. While recent emerging technological trends have seen productivity rise, costs fall and operational risk decrease, the key question – and risk gap – centres on how a firm quantifies its recovery times and overall resilience when it is dependent on a horizontally integrated process outside its control.

“CTP firms will ultimately need to have resilience embedded into their risk frameworks, and it must also be an integral part of their culture and service delivery. To ensure robustness, the BoE should insist on independent scenario testing, either by an external consultancy or by an industry body with BoE-approved standards. Regulators also have the opportunity to require more sophisticated digital mapping and automated tooling to track the technology and processes associated with CTP service provision. This will be required to provide statistical measurements of recoverability and resilience, and the CTP framework would be an excellent subset for essential quantitative testing and monitoring.

“We believe the Prudential Regulation Authority (PRA) is primarily concerned about centralised third-party providers, such as large cloud providers and data/tech used by multiple firms. These ‘too big to fail’ tech entities provide specialisation and economies of scale, but are also a concentration risk and prime targets for cyber-attacks. While the regulatory burden will be a cost to any entity in scope, the PRA is right to ask the industry which services are truly critical CTPs and which have a high level of substitutability.

“The emergence of stronger resilience standards for critical third parties is an inevitability within modern financial services, with economies of technology specialisation pushing services further outside the control of financial firms and the uncertainties of cyber-attack black swan events bringing heightened risk of a financial world in flux.”