A number of high profile data breaches have put operational resilience at the top of the regulatory agenda this summer. Richard Whittington, Product Manager at Unicorn Training, takes a look at what that means for you and your firm.
TSB, Ticketmaster, British Airways, Dixons Warehouse – you don’t need it spelled out what all of these huge businesses have had in common this year.
But while these might be the latest or most high-profile corporations to have their reputations go through the wringer after massive data breaches or systems failures, they are not the first, and it is guaranteed they won’t be the last.
That is why this summer the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published their joint discussion paper on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs), for which the discussion period closes in October.
This paper reinforces the need for firms and FMIs to develop and improve response capabilities so that any wider impact of disruptive events is contained. It states that the speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response.
Its key message is simple – no longer is it ‘if’ this happens to you, but ‘when’ and how are you prepared for it?
Shortly after the publication of this paper I joined an extremely well attended UK Finance webinar, where both the Bank of England and FCA introduced the topic of operational resilience.
The biggest thing I took away was firms are still focusing on technical resilience and not thinking about the human aspect, despite the fact some of the most headline-grabbing failures have highlighted concerns around single person dependency, staff resilience and reliance on small or sub teams not as ‘gold-plated’ as the ‘A’ team.
Additionally, when 90 per cent of all successful cyber security breaches rely on human error (Verizon 2015 Data Breach Investigations Report), it is astonishing that the torch continues to be shone on the technology and not the people, when the concept of operational resilience is so enmeshed with risk management and the three lines of defence (3LOD).
In this age of accountability and culture, and with the Senior Managers and Certification Regime leaving no hiding place from the regulator, the mindset that IT can solve everything on its own has to change. After all, senior managers are only as informed as the teams they trust to report to them.
By this time next year we will know how firms will be regulated on operational resilience. But that doesn’t mean you should wait for the final report to consider the training implications: with ‘the speed and effectiveness of communication’ so explicitly referenced in the discussion paper, the human aspect will be central.
Inevitably T&C will play a key role in all of this.
First and foremost, training will be required on what operational resilience actually is, across all levels from frontline staff to senior managers, at every firm.
Cyber resilience is a huge part of operational resilience, yet recent UK Government research showed only 20 per cent of organisations provide cyber awareness training for their staff. Accordingly, staff should be given the skills, awareness, knowledge and confidence to make the right decisions in the face of growing cyber threats.
GDPR and cyber resilience are also inextricably linked, so mitigating risk through embedding a firm-wide culture of good data protection behaviour is fundamental.
As our partners AXELOS Global Best Practice (a joint venture between the UK Government and Capita plc) attest, you need to help your people become your greatest information security asset. That comes down to effective training rooted in relevant, digestible and impactful content that delivers real behavioural change.
The AXELOS RESILIA® Frontline suite of cyber security awareness training includes courses on protecting information, safe device use, managing online risks and keeping safe online. To support this firm-wide education, we are consolidating our risk management and 3LOD training into new operational resilience content.
Then there is the chain of command and knowing you have competent (even certified) teams and/or individuals within the business that can step into the breach to, as the discussion paper states, contain the ‘wider impact of disruptive events’, whether that be a significant data breach or a major systems failure.
For example, where does the information you will need to create competency assessments currently sit? Is it offline on paper forms, online or a mixture of both? If it is online does it sit on different systems across HR, compliance and L&D? What are your onboarding processes around GDPR and cyber resilience for new joiners? How do you identify and fill knowledge gaps and log and report on individual activity?
Especially in the world of challenger banks and new fintech start-ups, teams are often small and staff turnover can be rapid. So how do you make sure critical knowledge isn’t lost from the business? What succession planning policies and procedures are in place so that ‘single person dependency’ doesn’t become a business threat should a key person leave the firm, be off sick or be on holiday?
The SMCR underlined the need for firms to have robust performance management and workflow systems in place, where recording, file checking and reporting against your T&C scheme is as effective and accessible as possible. Whatever the new regulation around operational resilience ends up being, it will need the same.
So when, not if, the unthinkable does happen to your firm, how are you prepared?