
UK Finance’s ORYX Team conducts industry-wide operational resilience exercise

Written by Nigel Knight | Nov 8, 2024 10:21:27 AM


Recently, RocketFin Consulting worked with UK Finance, Euroclear and leading banking institutions of the Operational Resilience Committee to rapidly create, execute and report on a major resilience exercise scenario. Under the UK OpRes Framework, the PRA requires industry-wide exercises with third parties:

"The increasing reliance on third parties, particularly for critical services and operations, poses risks to operational resilience that firms need to manage. Firms should be able to remain within their impact tolerances for important business services, regardless of whether the operational processes and functions supporting them are outsourced to third-party providers." Bank of England's Prudential Regulation Authority (PRA) statement on outsourcing and third-party risk management, published in March 2023.

Led by UK Finance’s leading resilience SME, Lorraine O’Donnell, the ORYX team provided an industry-wide, low cost, structured scenario exercise to improve operational resilience in the UK banking sector.

Working with the veteran team at Euroclear and with leading OpRes experts across London, the ORYX team drafted a cyber-attack scenario impacting a leading UK third-party financial market infrastructure (FMI). The cyber incident was designed as an extreme but highly plausible event that evolved over the course of a 'scenario week'. Over 35 banks and 250 participants took part in the day-long event, including leading COOs, CISOs, OpRes leads and front-line business operation managers. Euroclear provided an in-depth symposium and support on the exercise day.

The ORYX exercise focused on five areas for banks:

  • Disconnection protocol: What does a bank need to disconnect services? Who makes the call?
  • Market impact: What are the impacts on clients, market liquidity and UK systemic viability during a prolonged outage of a major FMI?
  • Mitigation & substitutions: What actions can business teams take to mitigate specific risks? How can we avoid concentration risk for proposed substitution services?
  • Reconnection protocol: What does management need to reconnect to a cyber-attacked FMI? How does a bank balance business needs, customer demand and cyber security? What does a CISO need to provide assurance?
  • Recovery: After a prolonged outage, how do banks mitigate customer harm, minimise financial losses, and operationally reconcile accounts?

The ORYX Team drafted observations, findings, recommendations and actions.

Summary of Key Findings of ORYX 2024

  • During a cyber-attack, management relies on a well-briefed CISO to determine continued connection with the FMI.
  • The importance of full and transparent information about the cyber event and the impacts to FMI services was emphasised. There was consensus on the importance of the FMI being 'front-and-centre' of communications.
  • Response teams were quick to rely on consensus-driven industry groups to determine communication, possible mitigation and open dialogue with the PRA on any responses.
  • The resulting impact from FMI non-availability was broad, with ramifications for market stability evolving rapidly as the incident progressed.
  • Participant firms expected to breach impact tolerances (IToLs) across settlement-related, lending and trading important business services (IBSs) within 1-2 days.
  • Many participants expressed a desire for high-level information to be shared by firms and relevant authorities as soon as possible in the event of uncertain resolution timelines, including consistent information, milestones or markers that could affect market response and stability, for example a consensus trading throttle/halt.
  • Firms explored a broad range of strategies for addressing the impacts of a prolonged outage; however, many measures available to firms would have little benefit, and urgent intervention would be necessary to protect market stability, including emergency changes to trading rules, forbearance of regulatory obligations and emergency funding facilities.
  • Banks stressed the “do no harm” credo in the event of a prolonged event, even if tolerances would be impacted, in order not to exacerbate the impact.
  • Firms concurred that the FMI must lead on recovery planning due to their unique understanding of the critical mass required for recovery, taking into consideration market pressures and requirements.

The goal of the UK Finance ORYX Team is to improve members’ operational resilience by building best practice and providing industry-wide exercising.

The Bank of England's Prudential Regulation Authority welcomed the exercise, and stressed the importance of consensus communication, measuring impacts and regular industry-wide exercising to improve IToL calibration and recovery times.

RocketFin will continue to work with the leading vendors, FMIs, and the banking and insurance sectors to facilitate future FMI exercises.

If you have any questions, or want to talk about how your team can improve your operational resilience, please contact Nigel Knight at nigel.knight@rocketfin.co

Nigel has over 20 years' experience within FMI, banking and insurance, focusing on risk and compliance.