FIN.

Regulators publish guidance on cyber response and recovery

The BoE, PRA and FCA have published guidance to firms and FMIs setting out some good practices they have seen on cyber response and recovery capabilities. It hopes boards can use the findings to support discussions about operational resilience, which could focus on elements like:

  • how much assurance they have that the firm can deliver its IBS within impact tolerance;
  • whether the firm has correctly calibrated its scenarios for cyber disruption testing; and
  • whether the firm has a clear plan for restoring and rebuilding systems and data after a cyber attack.

While the practices mainly come from large firms, the regulators think the underlying principles will be of wider use.

The regulators have been particularly pleased to see:

  • greater focus on simulating destructive scenarios and setting impact tolerances that reflect the potential for broader systemic impact;
  • self-assessments that include a transparent and timely pre-defined crisis communication plan;
  • investment in immutable back-up capabilities and recognising what is the most critical data to be prioritised;
  • firms taking active measures to ensure what a relevant third party’s resilience capabilities are or, if this is not possible, setting out workarounds; and
  • acting together to share knowledge.

Michael Lewis