IT Risk – Financial Services

A Reflective Piece – The Treasury Select Committee on IT failures within the financial services sector (2019)

The Treasury Select Committee launched a review into IT failures within the financial services sector in November 2018, with support from expert witnesses and contributors to gain a full view of operational resilience in the sector at that time. 

From a UK banking perspective and now sitting 2 years on, I found looking back on this review particularly fascinating because it centred the discussion on the key issues within financial services technology. It also forecasted some pretty accurate expectations for operational resilience.

I think this review shows just how long it can take to formulate discussions, prompt change within regulation and execute on that change within the organisations. That is one big oil tanker to turn around! 

The Paper

The paper provides an in-depth review and offers 55 conclusions back to the sector and UK regulators. Here are my summarised points below of what I have taken from the report:

  • The focus on operational resilience will probably continue. (It did)
  • PWC advised that organisations face the challenge of ageing legacy infrastructure that is hard to maintain, expensive and risky to replace (TSB being a great example there…).
  • Outages in the financial services sector are becoming more frequent and publicized and the number of incidents reported to the FCA has increased by 187% in the past year.
  • The lack of consistent and accurate recording of data on operational incidents is concerning.
  • Poor change management is one of the primary causes of IT failures. 
  • The cloud service provider market stood out as a source of concentration risk during the enquiry.
  • Firms cannot use third-party failures as an excuse when incidents occur. Regulators are not observing a good standard of management of third parties by regulated firms and should amend, as appropriate, their rules or guidance to prompt an improvement.
  • Firms are trying to work out how operational resilience fits in with some of the other requirements, as regulators already have operational continuity requirements in place.
  • The senior managers regime does not apply to financial market infrastructure, for example payment systems, which need to be included within the scope of resilience.
  • The TSC and regulators need to prioritise publication of the final policy and guidance. In responding to this report the regulators should set out their upcoming timetable for publication. (They did)
  • Holding individuals and firms to account when IT failures happen is essential, not only to prevent individuals making the same mistakes again, but also to focus the attention of senior management on the risk of incidents and on incident management.

Crystal Ball or what?

It is as encouraging as it is frightening to see that some of the observations and recommendations from this report have fully taken flight since its publication. It’s almost as if the collective insight had a crystal ball or something! hmmm.

Of course there is no crystal ball, but rather an accumulation of incidents or near misses that encourage the industry (and its regulators and government) to take a closer look at this space. I know none of these things happen by accident. The very fact that the government is sat around in London with all of these expert guest witnesses and consultants is very telling. This review comes off the back of a series of IT failures and denials of service to customers within the UK retail banking sector. The collective insight has set the direction of travel, and the reported observations and recommendations have progressed significantly since this point (in my opinion).

Ain’t no party like a Third Party

The emergence of third-party governance and oversight as a significant risk has featured as a key point in the post-mortem of many failures internationally and across sectors. The need to do business with an organisation to achieve a commercial or strategic goal (often at pace) can, and has, won out in the face of a risk that eventually becomes a reality. There are a number of existing case studies in which a third party creates a weakness in the operation and an incident subsequently follows from it.

If you look at data breaches, for example, you only have to do a quick Google to see how many major organisations around the world have been impacted by a third-party vulnerability which has led to a major data security breach. Here is an example

I wonder if the major increase in the number of reported incidents to the regulator has anything to do with organisations moving towards cloud services / third party relationships?

The Regulators Produced

Maybe those writing this report secretly knew that the timelines for operational resilience within UK financial services were already set? I say this because the March 2022 deadline to deliver on the new requirements was put in place shortly after this review. Nevertheless, the time was set out and UK financial services have devoted a significant degree of attention to what this new regulation might mean and how to address it within their respective organisations. This includes: the identification of key business services; the definition of tolerance thresholds; and the development of severe but plausible scenarios against which those tolerances can be tested.

One of the other things that I’ve seen debated in the last couple of years within the business continuity space is: how does all this hang together? Many professionals are trying to ascertain exactly what content they can leverage from what they already have against the new requirements.

Final Remarks

I personally take great comfort in looking back on this review and seeing the direction that UK financial services have taken. Several years ago, when operational resilience was being debated, it was very difficult to see what would change within the current risk framework and what methodology would be born out of this requirement. However, now you can certainly tell there is a high-level methodology that can be used as a guide to proportionately implement something within your organisation.

I guess the million-dollar question is whether, in 10 years’ time, we will see a change in the level of reported incidents in a more positive direction compared to the 187% increase flagged in this review? I’d hate to see all this good work go to waste!