SCC & VMware – Operational resilience: are you ready and compliant?

The last few years have been some of the most challenging for the financial services industry in recent memory. That’s because there have been so many headwinds to deal with simultaneously: the lingering impact of the pandemic, rising inflation and interest rates, slowing economies and much more.

All this is putting ever more pressure on businesses within the industry to maintain operational uptime, because the impact of any disruption can be especially severe. Even a relatively short period of important financial services being rendered unavailable can seriously inconvenience consumers, threaten market integrity, and damage the reputation and viability of a brand.

And yet, despite the importance of reliable service delivery, cybercrime is making it increasingly difficult to maintain. The pandemic in particular exposed the vulnerability the industry faces from sophisticated cybercriminals: according to VMware, attacks on the sector increased by 238% in the period between February and April 2020.

This has served to underline the need for operational resilience; even before the pandemic, the Financial Conduct Authority (FCA) was working on new policies in this area, and these came into force at the end of March 2022. In this blog, we’ll look at the need for operational resilience in the context of those regulations, and the technologies that can help you maintain maximum uptime and ensure compliance.

The FCA themselves define operational resilience as the ability for businesses within financial services to “prevent, adapt, respond to, recover, and learn from operational disruptions”. These disruptions are those that might hamper the ability to provide services, cause a monetary loss to the business, or that hinder the speed at which firms can respond to – and recover from – any incidents.

Having a good operational resilience framework in place means that you can mitigate risks, prevent harmful circumstances from having too much negative impact (or any negative impact at all), and minimise any downtime that may be caused. This way, you can not only protect your digital assets, funds and reputation, but also the financial and personal interests of your customers.

At this point in time, it’s vital that every financial services firm has an operational resilience framework that meets the new FCA regulations. These rules apply to a comprehensive range of organisations, including (and not necessarily limited to) banks, building societies, investment firms and exchanges, and enhanced-scope senior managers and certification regime firms.
The five main principles of the regulations are:

Impact tolerances and mapping: firms are required to set impact tolerances for important business services, which are those that could cause damage to clients or the UK’s financial system as a whole if disrupted. It’s then expected that firms ensure they remain within these tolerances, and notify both the FCA and Prudential Regulation Authority (PRA) if they exceed them.

Processes, systems and controls: in the FCA’s words, “sound, effective and comprehensive strategies, processes and systems” should be in place to enable proportionate operational resilience measures. Firms are expected to self-assess their compliance with operational resilience needs, and make the results of that assessment available if requested. Similarly, businesses need to develop and carry out planned testing of their ability to stay within impact tolerances.

Governance: boards are expected to have all the management information they need to make informed decisions with regards to operational resilience. Additionally, there should be clear designation of accountability in how operational resilience is managed, either through existing roles and groups, or by setting up new ones if needed.

Communication strategies: there should be plans for communications, both internal and external, that can minimise the impact of any operational disruption. These should give due consideration to vulnerable customers, as well as how information can be distributed to those where there is no direct line of communication possible.

Outsourcing: any provision of important business services by a third-party provider should also remain within predefined impact tolerances. The relationship between business and provider should also be thoroughly mapped, including the demarcation of any vulnerabilities, and assurances around the operational resilience of the third-party providers themselves.

It’s expected that financial services firms will strive to comply with these regulations as soon as possible, and by 31 March 2025 at the very latest. By then, all mapping and testing of impact tolerances should be completed, and any adjustments for staying within those tolerances should be made.

Protecting against cybercrime and data breaches will form a major part of remaining within the impact tolerances defined. This is where the combination VMware technology and SCC expertise can help, through:

Micro-segmentation: dividing data centre infrastructure into small zones, so that traffic flows between every workload can be controlled, meaning any adverse situations can be isolated and compartmentalised

Mapping: constructing a map of applications and flows, comprising application topology and communication flows between sub-components, so that the right micro-segmentation policies can be deployed

Distributed firewall: a Layer 7 firewall can ensure the granular enforcement of east-west traffic at scale, ensuring that malicious activity cannot easily spread throughout an application architecture

With these technologies in place, your organisation will be in a much better position to maintain operational resilience, protect the interest of your organisation and your customers, and stay compliant with FCA regulations in the long-term. To find out more, or to discuss your specific requirements, get in touch with the SCC team today.