The December 2019 extension of the Senior Managers and Certification Regime (SMCR) is looming. From then, the regulation will apply to Financial Conduct Authority (FCA) solo-regulated companies, pushing them to put a renewed focus on operational and cyber resilience. In fact, the Bank of England makes it clear that the regulation will hold senior managers accountable for resilience. So, what can you do to prepare your firm for SMCR and the increasing regulatory focus on operational resilience?
Get the basics of cyber resilience right
Cyber-attacks generally exploit weak processes and human error rather than novel technical flaws, so prevention starts with getting the basics right. Implementing the National Cyber Security Centre's Cyber Essentials controls, and training staff so that they become your strongest line of defence, provides a solid foundation.
CBEST is the Bank of England's framework for threat-intelligence-led penetration testing of firms it considers important to financial stability. It focuses on the more sophisticated and persistent attacks against critical systems and essential services. By conducting a CBEST-style test, an organisation replicates the evolving threat landscape against its own estate and checks that it remains resilient to attack. It is effective enough that we're working with some clients to run CBEST-style tests as a regular hygiene practice, over and above the regulatory requirement.
As a management team, you'll want to run simulations to understand your preparedness. We've been working with over 15 global financial services firms, including NEX Group, to simulate cyber-attacks, data breaches and security weaknesses in the supply chain. These exercises give a much clearer understanding of how crisis procedures will work in practice, and of the potential impact on customers and the wider economy.
While not caused by a malicious attack, the £100 million loss TSB suffered after its IT migration failed in April 2018 highlighted the need to respond quickly and effectively to adverse events. It is often difficult to predict the cause of an outage, but the skill with which a firm responds, including how it communicates with customers and regulators, can make an enormous difference to the outage's impact.
Overall, cyber and operational resilience represent a competitive opportunity for established financial services organisations and new entrants. As the UK adapts to an uncertain future, operational resilience is also vital to maintaining trust with your customers and the regulators.