Sector Simulation Exercise: SIMEX 2018 Report

Outcomes and high level findings following the 2018 cyber simulation exercise.
Published on 27 September 2019

Foreword 

By Lyndon Nelson, Deputy CEO & Executive Director, Supervisory Risk Specialist and Regulatory Operations, Prudential Regulation Authority (PRA), and Stephen Jones, CEO, UK Finance

A sustained and widespread operational disruption is one of the most significant challenges faced by the UK Finance Sector. For many years the UK Financial Authorities [1] and the Sector have been testing our response in such events. Operational disruption can be triggered by a variety of causes. Last year we chose a prolonged and broad cyber attack. After many months of preparation, the 2018 sector-wide exercise (SIMEX18) took place on 9 November 2018.

Following the live simulation exercise day which took place in real-time, participants were also asked to complete an additional ‘slow time’ post exercise activity. This activity explored the challenges and impacts, to participant firms and the wider sector, resulting from a protracted operational outage of a Global Systemically Important Bank (GSIB). The events of the exercise day, including participant feedback, and findings from the post exercise assessment have been reviewed and summarised in this report. 

The exercise successfully rehearsed the work of the Cross Market Business Continuity Group (CMBCG), a key coordination group of the Sector and the Authorities. The exercise demonstrated the sector's ability to respond to a dynamic and challenging disruption scenario. We know from experience that effective communication with customers is vital in any disruption. SIMEX18 proved the sector's ability to co-ordinate collective external communications through the UK Finance incident management communications process. In doing so, the exercise demonstrated that improvements identified during the last sector exercise (SIMEX16) had been implemented, resulting in better co-ordination of external communications overall. It also proved once again the importance of the public and private sectors working together to deliver a continuous exercise programme, helping to drive improvement.

The themes outlined in this report represent the feedback and views of participants, the exercise control team, financial authorities and industry. The recommendations associated with the themes outline resilience improvements that will deliver value to the sector as a whole. The report does not include lessons learned or action plans for any specific participant organisation; it is expected that organisations will manage these post exercise activities internally.

As with previous exercises, SIMEX18 was organised in close partnership with the sector. We are very aware of the resource commitment required to make these exercises a success and therefore would like to offer our thanks and appreciation to all those who contributed to its success. This commitment, of course, goes beyond the exercise itself and onto implementing the lessons learned. The goal is nothing less than the improved resilience of the UK finance sector to operational disruption.

[1] Bank of England, including the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and Her Majesty’s Treasury (HMT)

Exercise overview

SIMEX18 took place on 9 November 2018, and was completed as part of the Bank of England and PRA’s regular exercising strategy. 

Alongside the financial authorities [2], exercise participants were 29 of the most systemically important firms and financial market infrastructures (FMIs), who during the exercise day responded to a cyber attack scenario targeting the financial sector.

The scenario was designed to test:

  • The effectiveness of the sector response framework in enabling coordinated response to a cyber attack, and,
  • The effectiveness of the UK Finance (financial sector trade body) communications process for developing a sector communications strategy.

Participants took part remotely and came together on incident management conference calls to discuss key impacts, issues and contingency options.

The scenario centered on a significant cyber attack, of increasing intensity, which simulated multi-day disruption to markets and firm operations. Following the end of the ‘live’ exercise day, participants were also required to complete a written submission (‘slow time’ post exercise activity) which outlined how they would respond to a protracted operational outage of a Global Systemically Important Bank (GSIB).

[2] Bank of England & PRA, Financial Conduct Authority and HM Treasury

Key findings and recommendations

Following the exercise and review of the participant submissions, the following key findings were identified with related recommendations:

  • Opportunities to improve the way firms coordinate – participants agreed that impacts and responses were coordinated and discussed effectively at the strategic level. However, improvements could be made at an operational level.

    To address this, a review of the sector response framework will be undertaken to ensure that the sector can communicate and co-ordinate at an operational level during a crisis. In addition, the Finance Sector Cyber Collaboration Centre (FSCCC) will be integrated into the response framework to ensure the technical coordination capability it provides is incorporated into the broader response landscape.

  • Disparity in risk tolerance for suspending services – in the case of system integrity issues, participant decision making and risk appetite for suspending services varied significantly. It is recognised that these differences may have significant knock-on effects to the market and real economy as a whole.

    Future work will focus on the production of industry guidelines and good practice for managing potential controlled suspension of services and system integrity risks.

  • Restoring data and recovering service – currently the ability of participants to support another operationally paralysed bank is constrained by the different ways in which data is stored. This restricts how contingencies could be used for the benefit of the sector as a whole. 

    To improve response capability, work will be completed to scope the technical and data requirements for providing services via alternative channels. This will be followed by a strategy paper and playbook to support coordination of this contingency during a live incident.

  • Communication practices – the exercise recognised the importance of effective communications in maintaining customer and market confidence in the system. It demonstrated that use of UK Finance’s incident management communications framework and coordination has significantly improved collective communications, with public lines developed in under an hour. 

    To improve consistency and clarity of often complex technical messaging, future work will focus on the production of industry guidelines on good incident communications practices and consistent definition and use of terminology.

Conclusions

The financial authorities, in partnership with financial sector firms, will now act on the recommendations that were made following the exercise and work to deliver improvements to the resilience and response capability of the Finance Sector. Delivery against these recommendations has already been initiated and is planned to continue into 2020.

We would like to extend our thanks to all those individuals and participant firms who engaged with the authorities as part of SIMEX18, and we look forward to working with you again as part of future exercising activity.