Operational resilience of the financial sector

We work to make sure banks and other firms that offer financial services in the UK can overcome disruptions to their services.

Overview

We work to make sure the financial sector in the UK is resilient to any disruptions to its operations.

The financial sector includes banks, building societies, insurers and financial market infrastructure providers (FMIs). We carry out this work together with the UK’s two other financial authorities: HM Treasury and the Financial Conduct Authority.

Our objectives are:

  1. To keep retail and wholesale markets open and functioning, except where doing so would threaten UK financial stability. Specifically, we aim to keep payment and settlement systems open to complete the day’s business.
  2. If markets do not remain open, to ensure an orderly and early return to trading, for example by providing a single point of information and effective channels of communication, and by formulating an effective and coordinated response.
  3. To involve relevant infrastructure providers and market participants when we make decisions affecting markets.
  4. To facilitate market initiatives that help build operational resilience.

If you work for a firm or an FMI and need more information in the first instance, please contact your supervisory team. You can also email: BusinessResilienceTeam-SRS@bankofengland.co.uk.

Operational resilience

Operational resilience is important for maintaining financial stability in the UK.

By ‘operational resilience’, we mean the ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions, rather than contribute to them.

It extends beyond business continuity and disaster recovery. Financial firms and FMIs must have robust plans in place to deliver essential services, no matter what the cause of the disruption. This includes man-made threats such as physical and cyber attacks, IT system outages and third-party supplier failure. And it also includes natural hazards such as fire, flood, severe weather and pandemic.

As a central bank and as a regulator of financial firms and FMIs, we have an important part to play in improving the resilience of the sector.

Our approach to operational resilience

To support operational resilience we:

  • supervise individual firms and FMIs
  • engage with the UK sector and international authorities to drive collective action

We have set out our approach to operational resilience for firms in our policy statements. This work is carried out by the Bank of England and by our Prudential Regulation Authority.

In summary, we ask firms to:

  • identify important business services. Boards and senior management must identify and prioritise services that, if disrupted, would impact our objectives and the public interest
  • set impact tolerances. Firms must say to what extent they would be able to continue important business services following severe but plausible disruptions
  • ensure they can remain within impact tolerances. Firms must map their important business services and test their capacity to continue them to the agreed extent. Where firms identify vulnerabilities which might stop them from remaining within impact tolerances, these should be addressed

We have set out our policy on operational resilience of FMIs.

How we set operational resilience policy

Our Financial Policy Committee looks at the resilience of the system as a whole. The committee sets out its priorities twice a year in its Financial Stability Report.

Our Prudential Regulation Committee and Financial Market Infrastructure Board focus on the operational resilience of the firms and FMIs we regulate.

Collective action on operational resilience

The Cross Market Operational Resilience Group (CMORG) leads sector-wide collective action on operational resilience.

The group is made up of around 25 members: firms across retail, wholesale, FMIs and insurance, the financial authorities and the National Cyber Security Centre. It is co-chaired by senior executives of the Prudential Regulation Authority (PRA) and UK Finance.

CMORG has three core objectives. These are to:

  • identify risks to the resilience of the financial sector
  • develop solutions to improve the operational resilience of the sector
  • share knowledge

CMORG is supported by specialist sub-groups. These sub-groups design, manage, and deliver operational resilience improvements for the sector. The work undertaken by these groups is voluntary. Sub-group chairs meet regularly to discuss CMORG’s activities and identify areas for more collaboration.

CMORG is supported by a Project Management Office (PMO). The PMO is jointly resourced by us and UK Finance. It is developing a website to improve awareness of CMORG activity.

CMORG-endorsed capabilities (including good practice guidance, response frameworks and contingency tools) have been developed collectively by industry to support the operational resilience of the UK financial sector. The financial authorities support the development of these capabilities and collective efforts to improve sector resilience. However, their use is voluntary and they do not constitute regulatory rules or supervisory expectations; as such, they may not necessarily represent formal endorsement by the authorities.

The Financial Services Cyber Collaboration Centre (FSCCC) is a partnership led by CMORG. It aims to help identify, investigate and coordinate the response to incidents that have potential consequences for the financial sector. It analyses and distributes information to produce timely outputs for the benefit of the whole sector.

What happens if there is a disruption in the financial sector?

If there is a disruption, individual firms should contact their usual business or supervisory contacts at the Bank of England or the Financial Conduct Authority.

The sector’s response as a whole is facilitated by the Sector Response Framework (SRF). This framework sets out how organisations across the sector and government are connected. It also explains how they will respond to incidents individually and together.

Its purpose is to:

  • enable firms and FMIs, and the sector, to make collective, timely, informed decisions in response to incidents
  • provide a reference to good practice, contingency tools and plans, which may be invoked as part of a sector response
  • include both decision makers and subject matter experts
  • be organised on a modular basis, so that components of the SRF can respond
  • be recognised by the financial authorities as the principal structure by which the sector will respond to incidents
  • support collaborative engagement between the sector and the UK financial authorities (see below)
  • be able to engage with frameworks in other jurisdictions, if required

The UK’s three financial authorities are the Bank of England (including the Prudential Regulation Authority), the Financial Conduct Authority and Her Majesty’s Treasury.

If disruptions have the potential to impact the sector as a whole, the UK’s financial authorities act together. The Authorities Response Framework co-ordinates their response.

Cyber resilience

To maintain the cyber resilience of the UK financial sector and to support our supervisory oversight, we have developed a number of cyber assessment tools.

Cyber assessment tools include CBEST and CQUEST.

CBEST

CBEST provides a framework for regulators to work with firms using a simulated cyber attack. This enables firms to explore how the people, processes and technology that make up a firm’s cyber security controls might be disrupted by such an attack.

The aim of CBEST is to:

  • test a firm’s defences
  • assess its threat intelligence capability
  • assess its ability to detect and respond to a range of external attackers as well as people on the inside

Firms use the assessment to plan how they can strengthen their resilience.

We base the simulated attacks used on current cyber threats. These include the approach a threat actor may take to attack a firm and how they might exploit a firm’s online information.

An accredited service provider carries out the simulation. They act within legal, ethical and moral constraints. They aim to get through a firm’s defences using the cyber kill chain. They also assess if the confidentiality, integrity or availability of systems and processes that deliver a firm’s important business services can be compromised.

CQUEST

If we need to assess a firm’s cyber resilience to a higher level, we use a self-assessment questionnaire called CQUEST. It asks questions such as:

  • Does your firm have a board-approved cyber security strategy?
  • How does your firm identify and protect its critical assets?
  • How does your firm detect and respond to an incident, recover the business and learn from the experience?

The answers provide a valuable snapshot of a firm’s cyber resilience capability, and highlight any areas for development.

More information

This page was last updated 13 September 2021
