Explore challenges, regulatory pressures and actions to take.
The disruptions that affected all industries in 2020 will forever reshape the financial services industry. With such changes come regulatory and public policy challenges and concerns, which in 2021 will begin to inform the future, altering our view of the course to take.
Here, from the KPMG report Ten key regulatory challenges of 2021, we share insights related to operational resiliency and cyber security.
Recent events, including COVID-19, social unrest, severe market dislocation, and unprecedented governmental intervention, along with shifting regulatory focus and expanded cyber threats, highlight the need to understand and plan for the possibility of multiple, converging tail events and their potential impacts on operational resilience. Additional attention and planning need to be placed on understanding how individual assets contribute to the ability of a financial services company to provide critical services on an end-to-end basis, and what a disruption anywhere along that value chain would mean for the firm’s continued ability to provide those critical services.
Shortcomings in legacy risk assessment frameworks have highlighted the need for enhancements to firms’ resilience and cybersecurity frameworks in order to manage effectively through these widespread events and keep pace with evolving regulatory focus and increasing vulnerabilities and threats. Regulatory attention will focus on enhancements across the traditional risk management areas of governance, operational risk, business continuity, third-party risk, scenario analysis, information systems and cyber risk, and surveillance and reporting.
Common challenges in operational resilience posed by the current environment include:
Accountability for resilience: A lack of ownership for operational resilience at the level of senior management and Board of Directors has been observed. Service ownership and accountability are currently not well defined, and there are concerns about whether senior management and the Board are adequately equipped.
Service management and execution: There is a clear disconnect between the concept of an end-to-end service delivery model and the way businesses are currently managed. Organizations have multiple disconnected and/or redundant service, process, risk and control taxonomies. Also, international institutions often lack harmonization with and across legal entities.
Calibration of impact tolerances: Firms will be required to construct and test against service level impact tolerances. These tolerance statements are intended to articulate the tolerance of external stakeholders to service disruption and any associated harm where stakeholders may be clients, counterparties, or market participants. Impact tolerances can only ever be subjective and aggregate measures that serve as crude approximations of external harm.
Scope of resilience assessments: There is a gap between existing business continuity/disaster recovery and incident management functions and a more recovery-centric framework that can be leveraged across end-to-end services.
Reporting, investment, and service enhancements: Senior management is rarely equipped with the breadth and depth of insights required. Many firms have not appropriately addressed the full universe of resilience risk.
Tooling and data requirements: Most organizations currently maintain multiple sources of data in varying degrees of detail, which results in significant data limitations particularly around loss data, events, and scenarios.
Third-party challenges: Challenges posed by third parties that impede resilience include inadequate tracking and managing of concentration risk and fourth-party risk, lack of transparency into the interdependencies between third parties across the value chain of financial products, narrowly focused or inappropriate disaster recovery and business continuity planning, and insufficient strategic vision when outsourcing business critical skills and functions.
Increased regulatory interest: Regulators are placing an increased emphasis on various aspects of operational resilience. To date, we’ve seen a piecemeal approach to individual aspects, with a primary emphasis on system resilience as opposed to business continuity planning.
Return to work: Uncertainty exists surrounding the approach to returning to the workplace and the changes in ways of working. There is a need for an adaptable, risk-based approach to returning to work or adapting to an extended remote environment. It is also important to consider the risks taken on to accommodate wide-scale remote access or the deployment of new technology, and to confirm that those risks are in line with the bank’s risk appetite and risk tolerance for disruption.
Testing and scenario analysis: There is a need for enhanced tabletop testing, scenarios, and simulation, which provide additional insight into tail events, and, in particular, multiple event sustained outage scenarios that can support future planning and preparation.