Operational Resilience – Regulation of technology providers on the horizon?
Introduction to discussion paper and wider context
The Bank of England, Prudential Regulation Authority and Financial Conduct Authority have published a new discussion paper on further measures to strengthen the resilience of the financial services sector. The paper seeks input on potential powers to oversee critical third parties (CTPs) providing services to regulated firms and financial market infrastructure (FMI) firms. The authorities have published a discussion paper DP3/22 “Operational Resilience: Critical Third Parties to the UK Financial Sector” (PRA Discussion Paper 3/22, FCA Discussion Paper 22/3) dated 21 July 2022. The paper is the latest in a sequence of papers governing outsourcing and operational resilience in the financial services sector.
Over time, it has become more evident that the sector, as with many other market sectors, is increasingly dependent on a number of third party IT and technology service providers, failure of whom could create systemic risks across the sector. This issue has been one that has been recognised for many years, and the possible regulation or regulatory oversight of technology providers has been raised on previous occasions.
However, what may be different this time is that both the EU, and UK government are more actively assessing the importance of technology, and the inherent risks of this for the economy, and in particular have paid greater attention to technology infrastructure. This measure is therefore potentially part of a more concerted call for information to assess comprehensively the contribution of technology to the economy, and the inherent risks in using IT services.
In the UK, recent initiatives in this regard have included legislation to update of the Security of Network & Information Systems (NIS) Regulations 2018 to cover managed services providers, the introduction of the National Security and Investment Act 2021 regulating various critical technology and infrastructure providers, and also more recently a call for views by UK Government (updated on 20 July 2022) in relation to security and resilience of data storage and processing infrastructure. This call for views explores potential security and resilience measures around critical infrastructure including data centres, in particular asking whether the UK Government should manage risks on a more harmonised basis. This call for views sets out possible options for regulation including:
- Continuity of service requirements - Legal measures stating organisations must have well defined, explicit and tested service continuity assurances and incident management plans.
- Security and resilience requirements - Legal measures to take appropriate and proportionate measures to identify and manage risks associated with security and resilience.
- Incident response, information sharing and cooperation requirements.
- Accountability at Board or Security Committee level on security and resilience.
- Security penetration testing – for government or third party competent authority powers to gain assurance in the security of systems.
- Government information gathering powers
The data storage and processing infrastructure initiative is a call for evidence and information at this stage, rather than draft legislation, it is further evidence of an increased interest across government, albeit perhaps not fully coordinated, to have regular dialogue with the sector and to manage cyber and systemic risk.
Are there equivalent plans at European level?
The EU has published its own draft regulation in this area, publishing on 24 September 2020 its Digital Operational Resilience Act (DORA). This creates the similar framework including considering bringing critical ICT third party providers including cloud service providers into the regulatory perimeter of the financial services regulators. This would include information seeking powers, inspection and information request powers. It is possible that some of the requests in relation to threat led penetration testing and calls for information in the UK Government data storage and processing call for views have originated from this draft.
The Supervisory Authority Discussion Paper – What does it say?
According to the supervisory authorities’ press release the discussion paper sets out potential measures for supervisory authorities’ use of powers to directly oversee the resilience of services that CTPs provide to the UK financial sector as follows:
Framework for identifying potential CTPs
CTPs would be formally designated by HM Treasury – see Identification of Potential CTPs below..
Minimum resilience standards for CTPs
A CTP will require to maintain minimum resilience standards applying to services that designated CTPs would provide to regulated firms and FMI firms. See Minimum resilience standards for CTPs below.
Framework for testing CTPs
There will be a framework for testing resilience of the material services that CTPs provide using a range of tools which would include scenario testing, sector-wide exercises, cyber resilience testing and skilled persons reviews of CTPs. As such, there will be no need for formal regulation as authorised businesses of the CTPs but a reasonably significant additional obligation of oversight which would require further resourcing and transparency in order to achieve the regulators’ stated aims. See A framework for Resilience Testing below.
Detailed provisions of the Discussion Paper
The discussion paper has five key sections. It is detailed. It is hoped that this will give significant amount of guidance to potential CTPs to evaluate the discussion paper in detail. As expected, the paper builds on previous operational resilience work the regulators have developed to date, so similar concepts of critical functions and mapping apply. It will be interesting to see if CTPs are able to adapt this to their own businesses, given the complexity of an IT infrastructure or IT services environment, and where financial services workloads may not be fully physically segregated from other workloads.
Why the regulators need additional measures to manage CTP systemic risk
While the supervisory authorities recognise that well-managed outsourcing and third-party arrangements can bring very significant benefits, including improved operational resilience, there are concerns that firms and FMIs are becoming increasingly dependent on certain third parties for services which are vital to the stability or confidence in the UK financial system. Despite the benefits that the CTPs can provide, regulators are aware of growing dependency on the CTPs, and a concentration risk, either through direct arrangements or indirectly through supply chain and other forms of interconnectedness. A concern is that a single point of failure could therefore arise affecting multiple firms and parts of the infrastructure by way of systemic risk. A particular concern noted by the Bank of England’s Financial Policy Committee (FPC) noted that “since the start of 2020 financial institutions have accelerated plans to scale up their reliance on the CTPs and in future place vital services on the cloud” (2.19 of report). This has triggered the requirement for additional policy measures to be considered”. There is an opportunity for questions to assess whether respondents agree with this analysis, and for additional factors to be considered.
Potential measures for CTPs
The regulators propose that the Treasury would have powers to designate parties as CTPs following consultation with the supervisory authorities. In paragraph 35, the Treasury designation of a CTP “would recognise the potential systemic impact that a disruption to its services could pose to the supervisory authorities’ objective including financial stability, marketing integrity or consumer protection”. This would not detract from firms’ individual responsibilities for managing risk.
CTPs would have to maintain minimum resilience standards to meet services and then operate according to the general operational resilience policy that has been developed to date, recognising that it is inevitable that disruption will occur. As such, designation of CTPs will not eliminate the risk of disruption but is intended to assess and strengthen the ability of critical CTPs to prevent, adapt to, respond to, recover from and learn from any disruption capable of having a systemic impact on the supervisory authorities’ objectives for the financial services sector.
Identification of potential CTPs
The paper recognises that there would not likely be many third parties designated as CTPs – in paragraph 4.3 the Regulator states it would comprise “a very small percentage of the total number of third parties providing services”. Criteria to be taken to account would be:
- the materiality of the services the third party provides - the delivery by firms and FMIs of activities, services or operations that are essential to the economy or financial stability of the UK (a materiality objective); and
- the number and type of firms and FMIs to which the third party provides services (a concentration objective). Materiality will in part be assessed by looking at their contribution to critical economic functions (see PRA SS19/13, Critical Functions for Recovery and Resolution and Important Business Services defined in the supervisory authorities’ operational resilience framework). These are clearly set out in the paper. There is a useful graphic in paragraph 4.36 setting out the potential factors relevant to CTP designation which provide a useful summary of the detailed provisions.
Minimum resilience standards for CTPs
Chapter 5 sets out initial thinking on a potential set of minimum resilience standards for CTPs. These would obviously be built on the operational resilience framework for firms and FMIs already created and appropriate global standards which are already in existence. CTPs would demonstrate compliance with the standards through resilience tests and sector-wide exercises which are contained in outline in the paper and also through regular (believed to be annual) attestations to the supervisory authorities. Supervisory authorities could develop a rating system for publication to promote to “promote clarity and consistency in their application”. The minimum resilience standards set out a life cycle of standards creation monitoring and improvement.
The paper is very clear that it wishes to evaluate CTPs against standard government and industry recognised certifications and standards which will already apply. These are listed in paragraph 5.31 including Cyber Essentials Plus, Germany’s cloud computing compliance controls catalogue (C5), US FedRAMP certification and IST cyber security framework, the ISO2700X series and similar controls. Hopefully this should reduce the amount of additional procedures that are required.
Consistent with other operational resilience initiatives, the guidance or regulatory requirements resulting from the paper will require CTPs to understand and engage their supply chain in the identification and monitoring of services. As such any resulting regulations will affect a significantly wider category of suppliers beyond the CTPs themselves. This could include data centres, infrastructure technology providers and telecommunications providers indirectly.
CTPs would be required to map the necessary resources. Including people, processes, technology, facilities and information. CTPs whose services rely on complex supply chains would have to ensure that their mapping captured the key supply chain (‘nth parties’) they rely on, and other key components of their supply chains. If applicable, CTPs could also identify any departments and individuals with specific responsibility for the delivery of relevant services to firms and FMIs (if applicable).” (paragraph 5.10).
A framework for Resilience Testing
Resilience testing will be based on a set and range of tools and exercises which will be mapped as suitable to each CTP and the authorities are at pains to highlight that this will not be “a one size fits all” approach. Resilience testing will also be included as well as sector-wide activities. Supervisory authorities consider that resilience testing “could be an effective proportionate and resource efficient means to gain assurance over the likely resilience of CTP services to firms and FMIs”. It is not clear exactly how the regulators will have the technical expertise to actively oversee these exercises but the procedural exercises and processes will have to be clearly defined and tested in order to provide objective information for testing the resources of the organisations. At this stage, there are no particular provisions stating what happens if an organisation fails these exercises or additional resources or controls are required, and if so, who will then pick up the cost of these rectifications.
Statutory powers over CTPs
The powers proposed for the regulators to supervise CTPs include the right for the supervisory authorities to:
- issue directions requiring a CTP to do or refrain from doing anything noted in the direction e.g. implementing recommendations, remediating vulnerabilities or suspending or imposing conditions or restrictions on the CTP’s ability to provide services;
- appoint a skilled person to provide a report on the CTP’s compliance including censure;
- impose conditions or limitations on the CTP providing services, and ultimately issuing a disqualification notice prohibiting it from entering into future agreements or from providing specific services.
There would need to be an investigation to establish whether the CTP had breached the applicable requirement in practice, and in this case there could be a significant delay between a vulnerability being noticed and any sanctions being issued.
There is nothing in the paper to date covering how a service could be migrated to an alternative provider if the CTP has to stop doing business with a firm or FMI, so exit management and proprietary IP issues will have to be addressed in firm and FMIs’ contracts and operational exit management and business continuity arrangements. The effort and risk required to decouple a CTP from a firm’s infrastructure both at a direct and indirect level of relationship may require further addressing in the consultation.
The paper does not also set out the actual resources that the Regulators would require for these powers but states that a proportionate and targeted exercise of the powers “could” help mitigate systemic risks posed by CTPs. The supervision could require a detailed understanding of the technical environments deployed.
It is evident that a significant amount of international coordination and standardisation will be required to give effect to these regulations. The proposed arrangements are however in many ways a logical extension of previous operational resilience measures, although they will add a further layer of cost and complexity to vendor negotiations and management. It will be interesting to see how many CTPs will become subject to the regime, and also many other vendors are drawn into the net at lower levels of the supply chain, as this is already an issue that is causing significant complexity in the interpretation and implementation of current outsourcings and vendor contracts.
The paper demonstrates increased government and regulator awareness of IT and cyber risk and it is to be hoped that the nearly 6 month consultation period will allow both potential CTPs, regulated firms and government to seek to identify some consensus both within financial services and for the wider UK economy as to who is best able to mitigate risk, and how to manage operational resilience, including service or service provider failure with the least possible unforeseen disruption.