Incident response for financial services: changing regulation

Ransomware, denial of service attacks, insider threats, inadequate supply chain issues and cloud security all remain threats in 2021 for financial services businesses, according to data published by the UK’s Financial Conduct Authority (FCA). The Bank of International Settlements has also said that working from home and the frequency of cyber events during the Covid-19 pandemic have been higher in the financial services sector compared to many other sectors. It is in this context that regulators are revising their expectations for the steps that should be taken to respond effectively to cyber and other operational incidents.

For businesses that have operations within the EU, major change is on the horizon. In September 2020, the European Commission proposed a new framework for identifying and reporting major ICT incidents. This framework will overlap with the existing General Data Protection Regulation (GDPR) and requirements arising under the Network and Information Security Directive (NIS Directive). A draft NIS Directive 2 has also been proposed which will have an impact.

In the UK, the FCA and Prudential Conduct Authority (PRA) have made incident response a core component of their operational resilience framework, with stiffer requirements set to take effect in March 2022. In the US, the financial regulators have also taken recent steps to redefine expectations for appropriate incident response action.

The European Commission’s approach to incident response

In its draft regulation on digital operational resilience, the Commission has introduced a new regime for responding to and reporting “major ICT-related incidents”. Financial entities are to report these incidents to supervisory authorities within shorter timeframes than those set out in the GDPR for personal data breaches, where a backstop time limit of 72 hours for reporting applies. They are also to follow up initial reports with intermediate and final reports which include root causes analyses and actual impact figures. 

The Commission has also included a requirement for financial entities to inform their clients whenever a major ICT-related incident “may have an impact on” financial interests. This is in contrast to the GDPR requirement to inform customers where a personal data breach is “likely to result in a high risk” to the customer.

In a further contrast to the GDPR, the draft regulation on digital operational resilience does not clarify when a business would not need to inform their customers of an incident. That is the case under the GDPR where the business has taken measures which ensure that the high risk to customers is no longer likely to materialise. 

While the Commission’s objective of protecting financial consumers is clear, the danger is that overlapping and inconsistent regimes will create unnecessary reporting burdens for financial entities in implementing effective incident response regimes. It is also not clear that the more stringent standard for informing customers will serve their best interests.

Unlike GDPR, the draft regulation does not attempt to balance the need to inform consumers whenever they face risk against the risks of overcommunication. The risks of overcommunication include the potential to create greater awareness about vulnerabilities even where they have been effectively addressed and would benefit from less publicity.

The PRA, incident response and scenario testing

As part of its broader work on operational resilience, the PRA has set out steps that regulated businesses should take to prepare for and deal with an incident. At the centre of its approach is a clear focus on scenario testing.

Businesses the PRA regulates should identify severe but plausible scenarios which could lead to disruption. Part of this activity involves reviewing previous incidents and near misses within the regulated entity itself or its broader group, and those known to have taken place across the financial sector “and in other sectors and jurisdictions”.

The PRA expects regulated businesses to plan for cyber incidents that could occur regardless of whether data is in transit, in memory or at rest. Strategies therefore need to account for the role third party suppliers could play in an incident.

Where significant incidents occur and the cause is a material supplier, the regulated entity is expected to retain the right to terminate the arrangement in certain circumstances. Those circumstances include where a sub-contractor causes “extensive and unmanageable operational disruption” or where the supplier fails to deliver appropriate remediation following an incident.

The FCA’s broad rules

Many of the FCA’s requirements for incident response parallel those of the PRA and the two regulators have indicated that work undertaken to comply with the requirements of one regulator may often be leveraged to comply with those of the other. The FCA’s reporting rules, however, are broad and may cover incidents that are different from those addressed by other regulatory regimes.

According to the FCA, regulated entities are expected to report “material operational incidents”. An incident may be material if it results in a significant loss of data, the unavailability or loss of control of IT systems, affects a large number of customers, or results in unauthorised access to IT systems. 

Its new operational resilience rules, which take effect in March 2022, require regulated entities to focus on the effectiveness of their communication strategies in the event of operational disruption. As part of those strategies, regulated entities are expected to consider how to provide “warnings or advice quickly to clients”, use effective communication methods to gather information about the cause, extent, and impact of operational incidents, and ensure that their choice of communication method takes account of the circumstances, needs and vulnerabilities of their clients.

US regulatory response

The US federal bank regulatory agencies are currently consulting on updated guidance for risk management in the context of third party relationships. The draft guidance that has been prepared details some of the steps to be taken in response to an incident.

The agencies provide that regulated entities should review their third party providers’ incident reporting and management programs to ensure that their processes meet the bank’s expectations and regulatory requirements. They should also compare their materiality thresholds with the third party’s procedures for ‘immediately’ notifying service disruptions and security breaches that pose significant risk.

The agencies have also focussed on the allocation of responsibility between regulated entities and their suppliers in the event of an incident. According to the draft guidance, banks should include in their regulatory notifications of incidents “the powers of each party to change security and risk management procedures and requirements”. Notifications should also set out how the regulated entity intends to “resolve any confidentiality and integrity issues arising out of shared use of facilities owned by the third party”.

Banks are also to “stipulate whether and how often” the bank and the “third party will jointly practice incident management exercises involving unauthorised intrusions or other breaches of confidentiality and integrity”. This is broadly consistent with the PRA’s expectation that regulated entities will require their material suppliers to implement and test business contingency plans and take reasonable steps to support the testing of the regulated entity's plans.

Approaches taken across the sector

A range of approaches is currently being taken towards implementing effective incident response. Many businesses are stepping up their effort to actively monitor cyber threats and engage external specialists as part of the process. Others are focussing heavily on the recruitment of specialist internal teams, moving to upskill staff on cyber related issues, and integrating cyber skills and knowledge into the wider business.

Some businesses are enhancing board oversight by establishing advisory committees that consider cyber risk – in the context of operational resilience specifically and in other contexts too. Others are focussing on weak points. For many, this includes identity governance administration and access management.

The need to settle on a consistent hybrid home and office working model and policy is understood to be a core risk which could give rise to further cyber concerns. Strategic digital transformation projects aimed at improving the customer experience and engagement are also seen as creating increased potential for cyber-related operational disruption to occur.

Looking forward

With a changing regulatory landscape on the horizon, it is critical that financial services businesses understand all relevant regulatory expectations. Teams focussed on internal controls and processes and those that manage third party relationships must continue to align to ensure that IT failures, cyber attacks and other forms of operational incidents are effectively managed.