Financial sector continuity

The three UK financial authorities – the Bank of England, HM Treasury and the Financial Conduct Authority – work together to make sure the UK financial sector runs smoothly, efficiently and effectively. 

There is a central point of contact and information on business continuity and operational resilience for the UK financial sector. If you have a general financial sector continuity enquiry then you can contact us at FSCADMIN@bankofengland.gov.uk. In the event of an actual disruption individual firms should communicate with their normal business or supervisory contacts at the Bank or the FCA. 

In the event of major operational disruption to the financial system, our main objectives are:

  • To keep retail and wholesale markets open and functioning, except if doing so would be a threat to financial stability. Specifically, we aim to keep payment and settlement systems open to complete the day’s business.
  • If markets do not remain open, to ensure an orderly and early return to trading, for example by providing a single point of information and effective channels of communication and formulating an effective and coordinated response.  
  • To involve relevant infrastructure providers and market participants when we make decisions affecting markets. 
  • To be ready to facilitate market initiatives.

Operational resilience

‘Operational resilience’ is the ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them. 

It is important for maintaining financial stability and confidence in the UK banking system. Extending beyond business continuity and disaster recovery, firms must have plans in place to deliver essential services, no matter what the cause of the disruption. This includes man-made threats such as physical and cyber attacks, IT system outages and third-party supplier failure as well as natural hazards such as fire, flood, severe weather and pandemic flu.  

As a central bank and as a regulator of financial organisations and financial market infrastructure, we have an important part to play in improving the resilience of the sector.

Governance around operational resilience

The operational resilience agenda is governed by a number of bodies, both inside and outside the Bank of England. The Bank’s Financial Policy Committee (FPC) looks at the cyber resilience of the system as a whole. Updates to the FPC’s priorities are published in the Financial Stability Reports. The Bank’s Prudential Regulation Committee and Financial Market Infrastructure (FMI) Board focus on the operational resilience of the firms and FMIs they regulate.

Our approach to operational resilience

We approach operational resilience in the same way as financial resilience: through supervising individual firms and financial market infrastructures and through engaging with sector forums, industry and international stakeholders to drive collective action.  

Our operational resilience strategy and programme has three elements:

Targeting the right things

This element of our programme is about deciding which firms and parts of the system are most critical to UK financial stability. This in turn helps to identify where we should focus our efforts and determine what our tolerance for operational disruption should be. 

We also keep up-to-date with the current threats to the finance sector and the sector’s vulnerabilities to those threats, so that we can determine the level of resilience required.

Building resilience

This includes setting out our expectations for the level of operational resilience we require of firms and developing our supervisory framework and tools for assessing operational resilience. Examples of such tools are the ‘Dear Chairman exercise’, which reviewed the technology and cyber resilience of the major retail deposit-takers in the UK, our cyber triage questionnaire and our CBEST threat-led assurance testing of cyber resilience to identify improvements required of firms.

The financial system is highly interconnected and many of the threats we face are global in nature. Therefore, another core part of our programme is cooperating with international partners such as the G7 and G20 countries. 

Response and exercising

The third element of our operational resilience programme involves responding to operational shocks when they occur. This requires the financial sector and authorities to have well-rehearsed contingency plans and incident response processes, which are critical for minimising impact and continuing to deliver essential services to an acceptable level during operational disruption.

The UK financial authorities (HM Treasury, the Bank of England and the Financial Conduct Authority) have a single mechanism to coordinate a response to incidents that have affected, or have the potential to affect, the financial sector. It now includes the National Cyber Security Centre (NCSC) and, when appropriate, the National Crime Agency (NCA) for cyber incidents.

We regularly exercise our response frameworks together with the sector to prove plans work and identify improvements. This includes testing of communication lines, coordination arrangements and decision-making processes. We have organised several market-wide exercises to rehearse the sector’s response to bomb threats, flu pandemic, severe weather and travel disruption and the Olympics. More recently we simulated and tested the industry’s response to an extended outage of the Bank’s real-time gross settlement system. Some of our exercises have led to the development of industry-owned resilience playbooks, which set out coordinated approaches to dealing with a particular scenario.

Given the increasing cyber threat, we have organised a series of cyber exercises to test the sector’s response to a large-scale cyber-attack. We have also organised a cyber exercise with the US to improve cooperation between the two countries.

Cyber resilience

Cyber attackers are a serious threat to the UK financial services sector. To protect the sector against this threat, we have developed the CBEST framework for testing firms’ cyber resilience. 


Cyber resilience testing

CBEST provides direction on how to conduct a safe yet realistic simulated attack on the people, processes and technology that comprise a firm’s cyber security controls. The aim is not only to test a firm’s defences, but also its ability to detect and respond to a range of external attackers as well as people on the inside.

CBEST tests are carried out by accredited penetration test companies with an attack team that mimics the actions of skilled cyber attackers. Their aim is to penetrate defences and make their way, silently and stealthily, towards critical assets to a position where they could steal, corrupt or destroy their target.

To make the test as realistic as possible, it is intelligence led. An accredited threat intelligence company provides the penetration testers with intelligence on which cyber attackers present the greatest threat, how they might realistically attack the firm and what information about the firm is available online for attackers to exploit.

Cyber resilience assessments

For situations where we want to assess, at a high level, a firm’s cyber resilience capability and development, we have created a triage questionnaire. It contains a short set of multiple-choice questions covering all aspects of cyber resilience, such as:

  • Does the firm have a board-approved cyber security strategy?
  • How does it identify and protect its critical assets?
  • How does it detect and respond to an incident, recover the business and learn from the experience?

The answers provide a valuable snapshot of a firm’s cyber resilience capability, and highlight areas for further development.

Innovation and collaboration

To be effective in tackling the cyber threat, we need to work together across industry, financial authorities and government. To make this happen, we have established a strategic cyber forum which brings together a range of cyber resilience experts to share best practice and develop guidance for organisations. This includes monitoring cyber threats as they evolve, keeping abreast of new cyber security developments and building more capabilities to strengthen the resilience of the UK’s financial services sector.

Further information

  • Managing cyber risk - the global banking perspective - speech by Andrew Gracie (PDF)
  • CBEST implementation guide (PDF)
  • CBEST services assessment guide (PDF)
  • Understanding cyber threat intelligence operations (PDF)
  • Cyber resilience questionnaire (Excel)
  • The Bank of England’s approach to operational resilience - speech by Charlotte Gerken

Please see the National Archives for historic resilience information.

For a list of CBEST accredited suppliers, please visit the CREST website.

This page was last updated 08 December 2017