In a speech earlier this month, Nick Strange, Director at the Prudential Regulation Authority (PRA), spelled out the PRA’s current view on operational resilience following the publication of its discussion paper DP1/18 last year.
He reiterated the key points laid out in the original paper, highlighting the attention it has attracted and the positive engagement that the regulator has had with firms. He also emphasised how important it is for the financial sector that operational resilience levels are enhanced.
He confirmed that a consultation paper will be published later this year with proposed policies and the approach to supervising operational resilience. As much as possible, this will aim to allow firms to build on their existing policies and place them within a clear framework. There will be an emphasis on the effectiveness of firms’ governance and risk management functions in overseeing operational resilience capabilities.
An important part of the speech noted that the PRA will hold a cyber stress test later this year, which will assess an impact tolerance for payment failures in a scenario in which firms’ payment IT systems become unavailable. The Financial Policy Committee (FPC) will publish its own cyber-disruption impact tolerance later this year, and the regulators will hold the industry to this level through the cyber stress test and thus gauge firms’ ability to recover from, and maintain business services during, an event. If firms cannot meet the FPC’s proposed tolerance levels for outages, then it would consider the need for a collective solution.