Many U.K. financial firms don’t have a Plan B to fall back on if they’re hit by a cyber attack. The Bank of England wants to change that.
Financial regulators told firms to come up with a detailed plan for restoring services such as payments, lending and insurance after a disruption, and to invest in the staff and technology to make it work. The plan should include time limits on how long an outage could last.
“Boards and senior management should assume that individual systems and processes that support business services will be disrupted, and increase the focus on back-up plans, responses and recovery options,” the Bank of England and the Financial Conduct Authority said.
The discussion paper published on Thursday is part of the regulators’ effort to bolster the resilience of financial firms in response to a rising number of operational failures. The focus is on ensuring continuity of business services that are essential for the economy.
The regulators underlined the role that firms’ senior officials have to play in improving their ability to bounce back in a crisis. Thursday’s paper is intended to spark a debate with industry and consumers on how best to respond to inevitable disruptions.
Lyndon Nelson, deputy chief executive of the BOE’s Prudential Regulation Authority, said recently that firms need to be on a “WAR footing: withstand, absorb, recover.”
In addition to cyber attacks, the BOE and FCA said firms should be ready for disruptions caused by failed outsourcing and technological breakdowns.
The BOE has said it will stress-test banks’ recovery times in “severe but plausible” scenarios, and firms that fail will have to come up with fixes and get them approved by the supervisor. To guide lenders in their planning, the BOE will set a time limit after which a disruption of payments, insurance and other services would cause material economic impact.