Simon Chard, partner, and Adam Stage, senior manager in operational resilience, both from PwC, explain how firms can better protect themselves from technology threats
by Bethan Rees
In the year to end-September 2018, the FCA received 187% more reports of technology outages by firms than in the corresponding period of the previous year, according to its November 2018 report on cyber and technological resilience. Cyber attacks accounted for 18% of those, and of the 296 firms surveyed, most rank cyber resilience as their top concern.
A report published on 1 July 2019 by accountancy firm RSM shows financial services firms reported 819 cyber incidents to the FCA in 2018, an increase on the 69 incidents reported in 2017 – a “huge jump”. But a commentary on the report by Steve Snaith, technology risk assurance partner at RSM, suggests that the increase in reporting could be explained in part by firms taking a more proactive response to reporting generally and because of the increased duty to report security and data breaches since the introduction of the General Data Protection Regulation in May 2018.
Whether the number of cyber incidents is increasing, or just the reporting of them, this is still an important issue making headlines in the financial services sector. In June 2019, PwC and TheCityUK, a sector-led body for financial and professional services, published a report about operational resilience in financial services. It details results from interviews with more than 30 financial and related professional services firms on how they are dealing with the growing number of operational threats (including cyber crime and connectedness), how they prevent and recover from them, and how they protect customers.
Simon Chard, financial services partner at PwC and co-author of the report, and Adam Stage, senior manager in operational resilience at PwC, explain some of the report’s findings on what technological resilience in financial services firms means and how companies can work to recover from the inevitable failures a business will face in this fast-paced world.
What are the main technological challenges financial services firms are facing?
Simon: Key areas that are threatening operational resilience for financial services firms include technological innovation, managing change, cyber security and connectedness.
Technological innovation is a double-edged sword as consumers and businesses demand more efficient and secure technology. The speed of technological innovation and the rapid adoption of new, less established technologies is increasing the risk of disruption, especially where firms do not have a clear view of how the technologies fit into their existing infrastructure. However, these new technologies also offer significant opportunities. For example, they can lower barriers to entry for new firms in the market and can expand product and service offerings for consumers.
Automation, including AI applications and machine learning, is helping firms streamline models, processes and operations. The intricacy of technology is increasing, leading to multiple dependencies that are neither transparent nor regulated. Consider the scenario of a small supplier sitting outside the regulatory perimeter that contributes to delivering a firm’s business service to its consumers. While its role may be small, any weakness in a supplier’s security presents a key point of vulnerability and, given the connectedness, the potential to harm the wider financial services ecosystem.
A company’s approach to managing change will play an important role in developing resilience. Firms will need to upgrade their technology, which can cause complexities – according to the FCA’s report, between October 2017 and September 2018, 20% of operational incidents were caused by IT changes.
In addition, external threats such as cyber attacks are consistently mentioned as the single most urgent concern by senior executives. The Bank of England’s systemic risk survey 2018 H2 results show that 66% of respondents cite cyber attacks as a key source of risk to the UK financial system.
What is the biggest threat?
Adam: People tend to gravitate towards cyber security, as that’s always the threat people hear most about.
However, the domain that is arguably the most challenging to tackle is connectedness. As global financial services embrace digitalisation, they are becoming more connected and interdependent. The result of booming digital touchpoints and multiple data sources is an intensely networked environment, in which every firm is reliant on numerous other participants to operate and serve customers.
It’s not just outsourcing to third parties that can be a threat; it’s fourth and fifth parties being subcontracted too. Firms may not have a clear view of this supply chain, so there can be hidden risks. For regulators, the issue of connectedness within the ecosystem and where concentration risks exist is actually one of the hardest things to figure out. Firms would need to gather data from each of the component parts of the system and work out the interdependencies between them to spot systemic risks.
How can firms protect themselves from technological threats?
Simon: Traditionally, firms have found themselves putting all their resources for operational resilience into how to anticipate threats, rather than for recovery from threats.
In the world of operational resilience, we see a shift in mindset: disruption is inevitable. It’s then about how you respond.
Firms should discuss what threats are foreseeable. Firms should be focused and imaginative about what is possible. For example, imagine all of a firm’s systems are down and it has to choose which system to bring back in what order. Would you bring back email or phones first? Or WhatsApp? What’s the most important priority for your firm?
Be wide-ranging about what might be coming your way, rather than looking at the same scenarios. For example, how could climate change disrupt your business?
How can firms protect themselves better against cyber security threats?
Simon: Quite simply, through awareness and testing. The regulators see human error cited by firms as a major cause of incidents. In the cyber context, this could be about the strength of user passwords, or deleting suspicious emails. From that perspective, it’s about constantly reminding staff of their responsibilities in keeping the firm secure, giving them the tools to do so and testing their use, such as through ethical phishing exercises.
Third-party management can be a weakness for a firm. How can this be tackled?
Simon: By understanding where third parties support you in your delivery of service to customers, and in particular identifying where you might have a third party delivering a service to you that may not be material from a financial perspective, but would have a big impact if the service wasn’t provided.
The traditional school of third-party management says that you should identify all your big suppliers and rank them from top to bottom so that you have a big pyramid. For example, you may have outsourced work to firms such as IBM or Accenture, and you should be reviewing their processes.
Firms need sufficient access to their third (and fourth and fifth) parties to gain assurance that risks are being managed appropriately and that measures are in place to prevent and recover from disruption.
Adam: There are ideas in the report to get firms to think differently and challenge the third parties that they’re working with to support the service, not just to do process A, B, C and D, and think of it in isolation.
The final recommendation in the report really emphasises this point (p.51). Firms should acknowledge the importance of aligning their interests with the third party. In the past, a firm’s contracts might be focused on discrete service level agreements and concentrated on delivering the process, without the third party having visibility to know that they are a key part of delivering that service. Now, we’re seeing firms and third parties aligning their interests through the development of common goals and working more closely together through joint operating committees and participation in scenario testing.
How can business structure impact a firm’s technological resilience?
In our report, we talk about establishing “individual accountability and collective responsibility”, which works with the guiding philosophy of the Senior Managers and Certification Regime (SMCR). Regardless of the size of the firm, it is important for firms to be clear about who is accountable when it comes to operational resilience.
Firms that fall within the Enhanced SMCR regime have specific functions they need to assign, including SMF24 (chief operations function), which manages the internal operations (including HR), systems and technology of a firm. We also see SMF6 (head of key business area function) as key for embedding resilience into their areas.
About the experts
Simon is a financial services partner at PwC based in London. His focus is on supporting clients in technology, risk and resilience. He has led projects across a range of disciplines in technology, operational risk, operational resilience, outsourcing, programme management and change.
Adam is a senior manager in PwC's Financial Services Regulatory Insights team, with a specialism in operational resilience. His focus is on interpreting domestic and international regulatory developments on the broad subject of operational resilience to support clients. He has a background in risk and operational roles.
Understanding how a firm actually works end-to-end to serve a customer is like using a machete to cut through the jungle. If the jungle represents the firm, then all the vegetation, which grows vertically, represents the business functions. Customers accessing the firm need to ‘cut’ through the vegetation to get from one side of the jungle to the other. Firms are now putting themselves in the shoes of the customer, looking at how they move through the jungle quickly and effectively, and looking at what might stop them in their tracks – what could disrupt them? These are the points where firms need to build resilience.
How can firms measure resilience and how are regulators looking at tackling resilience?
Simon: Firms don’t know how resilient they are. Unfortunately, the way that a firm might find that it’s not resilient is if it has a big problem, or if the regulator starts asking companies to prove their resilience. It’s clear from the FCA’s 2019/20 business plan and the PRA’s 2019/20 business plan, both published in April 2019, that the regulators have their sights set on ensuring that firms are operationally resilient. We explore this perspective more in a blog we’ve published on the PwC website on the regulatory imperative of a firm becoming more resilient.
Adam: The regulators are moving away from a world of allowing firms simply to self-assess. In the past, firms would just fill out surveys and send them back to the FCA, which would conduct analysis to compare and contrast the results and look for outliers; all of this is very subjective. Now, you’ll see the regulators coming into firms and doing their own assessments. They’ll come and do ethical hacking (CBEST) tests and will do supervisory reviews challenging firms to provide documented evidence of how they manage their third parties, or of the governance framework around managing change programmes.
Has the introduction of operational stress testing been a good thing?
Simon: It’s embryonic at this stage. In the UK, the Financial Policy Committee is currently testing a scenario in which firms’ payment systems are unavailable, and considering the individual and collective responses. The regulators see it as an important aspect of managing a firm’s operational resilience, not least because it can provide a more lifelike assessment to complement management reporting.
The introduction of operational stress testing has been slow because it’s a big thing for firms to deal with. I think the regulators want to learn the lessons of financial stress testing and make sure that they get it right with firms, so they’re being cautious.
Adam: It’s not just the firms that benefit from stress testing. The G7 completed a cyber resilience exercise in June with 24 international regulators – the case study was the failure of a major bank. They’re trying to figure out how you coordinate internationally when a global multinational firm faces a significant disruption, so it’s helpful to the wider ecosystem.
Is fintech helping or hindering technological resilience?
Simon: There are some really interesting innovations in financial services. Many of those that have come so far have been in the payments space, but the market is growing in other areas. PwC’s disruption campaign looks at the customer appetite for innovation across the different parts of the industry and the maturity of enablers to make it happen. In terms of resilience, I think fintech both helps and hinders. It means that better products or services are available for customers, which can be a good thing, as that’s exciting innovation and people are being challenged. But it makes things more complicated, as it often plugs into an already complex network of legacy IT infrastructure.
In the short term, the financial services system will get more rather than less complicated. And if it’s more complicated then it’s more challenging from a resilience perspective.