David Key, Senior Manager

Elisabeth Stheeman, of the Bank of England's Financial Policy Committee, recently gave a speech at the LSE on Cyber Risks and Operational Resilience. I took two main things from the speech. First, Stheeman listed four key lessons from the 2022 cyber stress test, which I'll come on to. Second, she gave me a quote, which I'll be borrowing:

"Operational resilience is not a technical issue, especially for the infrastructure firms that need to act as 'systemic risk managers'. It must begin in the boardroom." - Sir Jon Cunliffe (Deputy Governor for Financial Stability and Chair of the Bank of England's Financial Market Infrastructure Board)

It is worth setting out the context of the 2022 stress test. The cyber scenario was designed to test both direct and indirect impacts: it was a test of individual firms' ability to withstand the impact, and a test of the consequences for financial stability should they fail. This points to a clear direction of travel from regulators generally: we need to shift from proving that we can withstand an impact towards assuming that an impact will happen. The focus then moves to how we deal with that impact and maintain continuity of critical services, by extraordinary means if necessary.

For this reason, we are increasingly using reverse stress testing methodologies, and Stheeman's list of key lessons is a useful frame for how we conduct resilience tests for financial institutions (and beyond):

  1. Contingency plans: Has there been proportionate investment in planning extraordinary measures (or workarounds), and do those measures actually work when exercised?
  2. Mitigation plans: Assuming the contingency measures may not work, are there plans to reduce the impact of failure on customers, the institution and the wider sector?
  3. Decision-making: What is the quality of decision-making in the crisis management team, and how is decision-making coordinated across the sector and through supply chains?
  4. Stakeholder communications: How effectively, how consistently and how quickly can the crisis team communicate with the full range of stakeholders, across all channels?

The 2022 test scenario was built around operational cyber risk but, while the cyber threat will continue to evolve and dominate, Stheeman stresses that operational resilience is not a technical issue (hence the quote). The connected, systemic nature of impact on financial services (and beyond) requires an equally systemic approach to response and recovery. Future systemic stress tests may well look at disrupted global supply chains, or at concentration risk in critical third parties. Whatever the scenario, we will be applying the same reverse stress test approach: assume failure and focus on the impact.