FCA urges beefed up security to counter cyber-attacks
The FCA, alongside the Bank of England and Prudential Regulation Authority, has published a joint discussion paper on the resilience of firms in the face of hackers and cyber-attacks.
The document said boards and senior management can achieve better operational resilience by sharpening their focus on setting, monitoring and testing impact tolerances for their key business services.
The FCA said the challenges for operational resilience had become “even more demanding given a hostile cyber environment and large scale technological changes.”
The regulator said: “As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers.
“An operational disruption such as one caused by a cyber-attack, failed outsourcing or technological change could impact financial stability by posing a risk to the supply of vital services on which the real economy depends, threaten the viability of individual firms and financial market infrastructures and cause harm to consumers and other market participants in the financial system.”
This discussion paper focused on how the provision of products and services can be maintained regardless of the cause of disruption.
It stressed the need for firms and financial market infrastructures “to develop and improve response capabilities so that any wider impact of disruptive events is contained.
“The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response.”
Motivating the approach were a number of important concepts, which included:
• focussing on the continuity of the most important business services as an essential component of managing operational resilience;
• setting board-approved impact tolerances which quantify the level of disruption that could be tolerated; and
• planning on the assumption that disruption will occur as well as seeking to prevent it.
The discussion period ends on 5 October 2018.