Last year, the Bank of England published new cyber resilience proposals for cloud service providers (CSPs). Indy Dhami, Financial Services Cyber Security Partner at KPMG UK, argues that while this will be a massive challenge for CSPs, it should also be viewed as an opportunity.
In December 2023, the Bank of England – which includes the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) – published the 26/23 consultation paper on the cyber resilience of critical third parties (CTPs), including cloud service providers (CSPs), working with UK banks and Financial Market Infrastructures (FMIs). The focus of the proposals is to manage potential risks to the stability of, or confidence in, the UK financial system that could emerge from interruptions to the services that a CTP offers to Financial Services firms and/or FMIs. This was partly prompted by several historical cloud outages that prevented customers from logging into their banks’ websites and mobile apps and making critical transactions.
As part of the proposed rules, CTPs and CSPs must meet specific requirements, including implementing a robust risk management framework, identifying and managing supply chain risks, ensuring measures are in place to minimise disruption to services and improve resilience, and implementing measures to respond to and recover from incidents. They will also be asked to submit annual self-assessments, undertake scenario testing, provide test incident management playbooks, and share assurance and testing information with banks.
Areas of focus
While this will be a massive challenge for CTPs and CSPs, there is a big opportunity for the organisations that can achieve compliance first and therefore secure a competitive advantage.
To address this, there are several key areas that demand attention. The absence of comprehensive visibility into IT assets poses a significant challenge in identifying internal risks within numerous organisations. To achieve the requisite level of granularity for end-to-end service mapping, a meticulous mapping of IT assets and their configuration is essential to enable the establishment of a comprehensive network infrastructure topology.
Additionally, any software stress testing on service resilience must focus on comprehensive service disruption. This is a substantial departure from existing approaches that primarily emphasise asset recovery. Gaining a stronger understanding of supply chain risk and resilience will be necessary thorough risk management processes and information gathering across multiple parties. Also, third-party contracts must incorporate more detailed information to effectively identify potential risks, as they frequently fall short in providing the level of information sharing necessary to ensure a sufficiently high level of service assurance.
Elements of uncertainty
While CTPs should act now to be compliant when the rules come into force, there are some elements of the regulation that remain up for discussion. For example, one of the criteria by which CTPs are assessed is the materiality of the services that the third party provides to firms and Financial Market Infrastructures. HM Treasury will be defining what services are ‘material’, but it is unclear which services will be selected yet.
Furthermore, the term ‘materiality’ of services aims to build on existing regulatory publications that define systemic risk; however, many organisations are still struggling with their definitions, which adds an additional level of complexity. Until these definitions are confirmed, CTPs should include anything that could even potentially be considered ‘material’, so they are on the front foot.
What does this mean for banks?
It’s not only CP26/23 that CTPs must comply with. There are an increasing number of resilience regulations that will become enforceable imminently, such as the Digital Operational Resilience Act (DORA) and the Monetary Authority of Singapore’s technology risk management guidelines (MAS), which will put pressure on resourcing, operational costs, and profits.
With so much change, there may even be specialised teams established within CTPs whose sole responsibility it is to support operational resilience and regulatory engagement. The operational impact and the related costs that these requirements will have must inevitably need to come from someone’s financial resources and budgets. While some can be absorbed by the CTP, higher cloud costs for banks are expected. This only emphasises the need for cloud firms to be the first movers and use their competitive advantage to boost profits to cover increasing costs.
The rules posed by the Bank of England are incredibly important for the security of UK businesses and members of the public to ensure financial stability and security, and they are undoubtedly a positive step overall. As more and more financial products and services are built and run using digital third parties and cloud service providers, this importance is only set to grow. To get it right, it is vital that CTPs and financial institutions collaborate to find the best solutions for minimising disruption while continuing to provide the end-user with a seamless banking experience.
