31 DECEMBER 2023
HONG KONG
HKMA: Completion of Phased Implementation of C-RAF under CFI 2.0
Operational resilience is the next phase in the evolution of financial services regulatory policy. Operational resilience is the ability to “prevent, adapt, respond to, recover and learn from operational disruptions.” Regulators’ expectations are increasing – but it’s an evolution rather than a revolution; firms – more specifically firms’ senior managers – must “join the dots” across a range of practical risk management and governance activities. In an increasingly digitalised and complex world, disruption is inevitable and will affect the whole of the operation –financial, people, regulatory, structures, and systems. To strengthen operational resilience, firms must prepare and mitigate for the impacts of future incidents. Building a framework that incorporates tolerances for internal and external triggers is fundamental to an efficient and sustainable business that can respond quickly to risks and pursue opportunities. To help you stay up to date, we have created this interactive timeline of global standards and key regulatory milestones across the UK, EU, Hong Kong and Singapore. Over the coming months, more financial centres will be added, so bookmark this page for easy access.
The elements of approaching operational resilience
Operational resilience is defined in quite broad terms, with a focus on outcomes and an expectation around responsiveness and time. As UK regulators put it in December 2019, it is a firm’s ability to “prevent, adapt, respond to, recover and learn from operational disruptions.” The Basel Committee adds further detail, describing an operationally resilient firm (or more specifically, a bank) as one that can:
- identify and protect itself from threats and potential failures;
- respond and adapt quickly to a particular crisis or disruption;
- minimise impact on the delivery of critical operations; and
- maintain a sound business environment outside of the crisis.
At the most basic level, operational resilience means an organisation can get back up after it has fallen over and is more likely to survive once the storm has passed.
Operational resilience concerns the whole of the operation – a firm’s financial resilience, the resilience of its governance and people, regulatory resilience, the resilience of its structures, and systems and security resilience (both physical and cyber). It is an evolution rather than a revolution; firms – or more specifically, firms’ senior managers – must “join the dots” across a range of risk management and governance activities. It can be helpful at a conceptual level to identify five elements of a holistic operational resilience framework:
- Financial resilience – capital, liquidity, prudence
- People resilience – governance, accountability, culture
- Structural resilience – clarity of operational and legal structures
- Regulatory resilience – maintaining regulatory compliance and flexibility to respond to evolving regulatory expectations
- Systems resilience – cyber and data security, including the ‘in the ether’ elements and the physical security of, for example, the premises of data centres and servers
The road ahead won’t come without its challenges as banks continue to navigate the rapidly changing landscape. Executives and managers cited the ability to create a digital culture and mindset (39%) as the greatest challenge to digital transformation for banks. Banks will need to identify ways in which they can overcome this challenge in a fast-paced environment, as it will require implementing long-term behavioural change rather than a rapid technology-based solution.
Financial resilience
People resilience
Structural resilience
Regulatory resilience
“Regulations grow at the same rate as weeds,” is a quote attributed to Norman Ralph Augustine, US aerospace businessman and statesman. The financial services industry has certainly experienced an increase in regulatory change in the past 20 years. As the events which led up to the 2007/08 financial crisis gained pace, the banking sector was preoccupied with the implementation of the 2004 Basel Accord on bank capital standards, broadly known as Basel 2. In the wake of the financial crisis, the industry spoke of the “regulatory tsunami” which it faced as policy makers scrambled to address the shortcomings which the crisis laid bare. Part of that regulatory tsunami was Basel 3, the 2010 successor to the pre-crisis accord. Basel 3 represented the cutting edge of collective regulatory policy making, but almost at the same time that regulators started working on it, the currents which would drive further, significant regulatory changes were swirling (almost) unnoticed as the domain name bitcoin.org was quietly registered in August 2008. In 2020, many regulators put planned interventions on temporary hold as they juggled an unexpected pandemic and unprecedented public policy interventions. Moving into 2021 and with some reprioritisation underway, regulators are turning back to their pre-coronavirus agendas, including to respond to the impact which technology – including distributed ledger technology (DLT), cloud computing and machine learning – is having on financial services.
The direction of travel is clear – regulation and regulatory expectations will continue to grow, evolve and develop. It is not enough to simply keep pace with regulatory change; firms need to help shape the agenda. Those firms which can embed how they contribute to regulatory policy debates and engage with policymakers into how they make strategic decisions about running their business are more likely to thrive. There is a potential leadership and reputational dividend to be had from setting a good example in the regulated community. Herbert Smith Freehills’ regulatory credentials are best in class. Our people have deep insights into the regulatory agenda and regulatory policy making, gained from years spent in both the public sector and in business. Our team offers a diversity of experience and perspectives which clients value. We gather insights from across our global footprint to inform our engagement with clients at a local and regional level, and we draw expertise from across our practice areas to offer the most valuable strategic insights for our clients.
Systems resilience
HKMA originally introduced its Cybersecurity Fortification Initiative (CFI) in 2016. HKMA announced the launch of an updated CFI 2.0 on 3 November 2020. CFI 2.0 came into effect on 1 January 2021 and applies to all authorised institutions (AIs). CFI 2.0 consists of three pillars:
1. Cyber Resilience Assessment Framework (C-RAF) – a self-assessment framework involving inherent risk assessment, maturity assessment, and intelligence-led cyber attack simulation testing (CAST). AIs are divided into groups for a phased implementation up to the end of December 2023;
2. Professional Development Programme (PDP); and
3. Cyber Intelligence Sharing Platform (CISP).
The notion of financial resilience is very familiar. At a very basic level, financial resilience is that the firm has enough capital and the right type of capital to operate sustainably for the long term. There is a raft of regulatory measures and interventions which speak to financial resilience. International bodies such as the Basel Committee on Banking Supervision (BCBS), the International Organisation of Securities Commissions (IOSCO), and the International Association of Insurance Supervisors (IAIS) set global standards. Financial resilience regulatory policy may feel so conceptually well-developed as to virtually ‘go without saying’ in the context of operational resilience. However, financial resilience is fundamental; it is the bedrock of operational resilience. It is notable that a significant element of the response to the 2007/08 financial crisis was the recognition of a gap in oversight of the financial stability of the financial system as a whole.
Over and above regulatory compliance, calibrating financial resilience is a matter for firms and is multi-faceted. It is not simply a concept of having enough capital, but also of having the right kind of capital, the right mix of capital, and more. This calibration becomes ever more complex in an environment which poses increasingly sophisticated and nuanced challenges to firms’ leadership, particularly as a result of technological developments. Take virtual currencies, for example. The question is not simply a “yes or no” – it’s an “if and when”, “how much”, and “do we want to be a market leader or ‘in the peloton’”? At Herbert Smith Freehills, we understand these complexities; we know how responsibility and accountability rests with firms’ leadership. We work with you to ensure your approach to operational resilience meets not just regulatory expectations, but also the expectations of your customers, your people, your community, your stakeholders and partners, building on the foundations to deliver a sustainable and long-term business.
“People resilience” concerns a key moving part of the operational resilience landscape. We have identified operational resilience as an evolution rather than a revolution. The people of an organisation are its major intelligence asset. Staff will identify changes in the operating environment early, from nuances in regulatory change to shifts in client behaviour. It is people that can identify the patterns and linkages which can advance an organisation’s operational resilience. It is an organisation’s people that, properly incentivised, can drive and ensure resilience. The financial crisis of 2007/08 highlighted a number of shortcomings in how the financial sector approached its people. For example, regulatory regimes were insufficiently robust on matters of personal accountability – this gap has been addressed in a number of jurisdictions, from the UK’s Senior Managers and Certification Regime (SM&CR) through to the Hong Kong Manager-in-Charge regime to the Australian Banking Executive Accountability Regime (BEAR). Further development in this space is underway in a number of major financial services hubs, and it will continue to be a focus for regulators over the coming years.
Another area of focus has been on culture. It is acknowledged that culture does not easily lend itself to regulation or legislation; instead regulators have focused on mandating standards in respect of particular activities which may have an impact on culture, such as whistleblowing. But it is generally accepted that a good and open culture has a positive impact on business sustainability, on productivity, and on outcomes. Herbert Smith Freehills has worked with global financial institutions on governance, accountability and culture. We understand both the regulatory requirements and expectations, and the outcomes which will help drive long term sustainability. We know how important people are to a firm’s ability to thrive, from those in leadership roles making strategic decisions, to those on the business frontline, to those in the back office teams that keep everything moving.
The US Volcker Rule, the EU Liikanen Report, and the UK’s Independent Commission on Banking all addressed a concern about the structures of banks, particularly the universal banking model. At the most basic level, this concern is that the structure of banks – and of financial firms more generally – is not sufficiently clear to facilitate sensible, prudent management and informed, effective regulatory oversight. A number of regulatory initiatives have sought to address this deep-seated fear. These include recovery and resolution initiatives, which while initially focused on banks have moved to encompass financial market infrastructures. They also include how regulators approach supervision of firms – entities in jurisdictions which have supervisory regimes disposed to regular constructive engagement are required to regularly explain to their supervisors the structure of their business. Firms have internal organisation charts, business plans and detailed legal entity mapping. A substantial section of annual reports and accounts is also dedicated to explaining the structure of the business to investors. In a heavily regulated sector such as financial services, firms are responsible for ensuring that licences and permissions attached to legal entities are appropriate for the business being conducted.
In Hong Kong, for example, firms should ensure that new business activities do not breach any conditions imposed on an entity’s licence or, for those firms with unconditional licences, they should still consider whether any new activities fall within the scope of the business plan originally submitted to the Securities and Futures Commission (SFC) and, if not, they should notify the SFC. In the UK, the Financial Conduct Authority (FCA) is taking a ‘use it or lose it’ approach to regulatory permissions – permissions not utilised for at least 12 months should be rescinded. Furthermore, failing to have the right permissions in the UK may call into question the firm’s compliance with threshold conditions for authorisation and individuals’ compliance with their responsibilities under the UK Senior Managers & Certification Regime (SM&CR). Herbert Smith Freehills has extensive experience working across a range of businesses, from large established international banks, investment firms and insurers to new market entrants. Across borders or within local markets, from the traditional to the novel and innovative, Herbert Smith Freehills has a proven track record; we work in step with our clients to efficiently and effectively achieve optimum outcomes for the business, its clients, and regulators.
Regulatory and industry thinking around systems resilience is well-developed. Disaster recovery and business continuity planning are well-established disciplines which have provided a solid base on which to build the specialist areas of cyber resilience, information security and data protection. There is an irrefutably strong business case for striving beyond regulatory expectations when it comes to ensuring systems resilience, from safeguarding the physical security of data servers to protecting information held in the cloud. The regulatory enforcement and censures which would arise from getting it wrong are only part of the argument; the impact of significant loss events arising from, for example, a ransomware attack goes far above and beyond a regulatory fine.
The regulators’ agendas on operational resilience find solid ground on systems resilience. Regulators acknowledge that they need more skilled resources to conduct robust supervision of new technologies, but the underlying policy principles have not significantly changed. The principles applicable to outsourcing arrangements that were defined a decade or more ago and contemplated a more ‘bricks and mortar’ arrangement, are those which underscore the more recent guidelines and rules on outsourcing to cloud. While there is some tailoring, the over-arching mantra of “technology neutral” is still clung to by regulators in many major financial services hubs. Herbert Smith Freehills offers our clients perspective – we have seen where the regulators are coming from and where they are headed. We closely track and help shape the regulatory agenda, applying our insights drawn from experts in financial services law and regulation, technology, data and intellectual property.
31 MAY 2023
HKMA: Initial operational resilience deadline
In May 2022, the Hong Kong Monetary Authority (HKMA) finalised its new Supervisory Policy Manual (SPM) module OR-2 Operational Resilience and revised SPM module TM-G-2 Business Continuity Planning. The modules implement the Basel Committee on Banking Supervision’s (BCBS’s) Principles for Operational Resilience (POR) issued in March 2021. HKMA expects every authorised institution to have:
- developed its operational resilience framework and determined the timeline by which it will become operationally resilient within one year after module OR-2 is issued (ie, by 31 May 2023); and
- become operationally resilient as soon as its circumstances allow and no later than three years after the initial one-year planning period (ie, by 31 May 2026).
UK
FCA, PRA & BoE: Consultation on CTPs providing services to the UK financial sector
6 JANUARY 2023
GLOBAL
IAIS: Deadline for response to consultation on operational resilience in insurance
28 FEBRUARY 2023
EU
EIOPA: Deadline for response to discussion paper on insurance stress testing - cyber focus
The UK financial services regulators published Discussion Paper 22/3 – Operational resilience: Critical third parties (CTPs) to the UK financial sector in July 2022. The DP sets out how the regulators could use the powers proposed under the Financial Services and Markets Bill (FSM Bill), covering:
- the identification of CTPs for designation;
- minimum resilience standards, which would apply to the services provided to the financial sector; and
- a framework for testing the resilience of material services that CTPs provide.
Comments were requested by 23 December 2022. A consultation paper (CP) will follow in 2023, subject to the progress of the FSM Bill through Parliament.
In October 2022, the International Association of Insurance Supervisors (IAIS) published a consultation on issues impacting operational resilience in the insurance sector. The paper addresses three specific operational resilience sub-topics that are considered significant and to be increasing operational risk:
- cyber resilience;
- third-party outsourcing; and
- business continuity management.
Feedback was requested by 6 January 2023.
In November 2022, the European Insurance and Occupational Pensions Authority (EIOPA) published a discussion paper on methodological principles of insurance stress testing with a focus on cyber risk. EIOPA aims at laying the groundwork for an assessment of insurers’ resilience under severe but plausible cyber incident scenarios. The paper elaborates on two main aspects:
- cyber resilience, understood as the capability of an insurance undertaking to sustain the financial impact of an adverse cyber event; and
- cyber underwriting risk, understood as the capability of an insurance undertaking to sustain – from a capital and solvency perspective – the financial impact of an extreme but plausible adverse cyber scenario affecting underwritten business.
Feedback was requested by 28 February 2023.
31 December 2022
EIOPA: Deadline for in-scope firms to have reviewed existing arrangements to ensure compliance with Final Guidelines on Outsourcing to Cloud Service Providers
EIOPA has published final guidelines on outsourcing to cloud service providers. The aim of these is to: (a) provide clarification and transparency to market participants avoiding potential regulatory arbitrages; and (b) foster supervisory convergence regarding the expectations and processes applicable in relation to cloud outsourcing. The date of application is 1 January 2021; in-scope firms have until 31 December 2022 to review existing arrangements.
31 March 2022
BoE, FCA and PRA: Implementation of operational resilience requirements
31 DECEMBER 2022
ESMA: Compliance Deadline for Guidelines on Outsourcing to CSPs
The European Securities and Markets Authority (ESMA) has published the final report on Guidelines on Outsourcing to Cloud Service Providers (CSPs). The guidelines take into account related guidelines by the European Banking Authority (EBA) and European Insurance and Occupational Pensions Authority (EIOPA), and the proposal for a Digital Operational Resilience regulation (DORA). The guidelines cover:
- risk assessment and due diligence;
- the governance, organisational and control frameworks;
- exit arrangements;
- the contractual elements to be included in agreements; and
- notification requirements.
The UK regulators – the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) – published their final policy on operational resilience at the end of March 2021. There is a one-year implementation period to 31 March 2022. This will be followed by a three-year transitional period ending on 31 March 2025. As part of the operational resilience package, the PRA has also published final rules on outsourcing and third party risk management.
25 JANUARY 2022
HKMA: Regtech Adoption Practice Guide on cyber risk management
31 MARCH 2022
PRA: Compliance with outsourcing and third party risk management requirements for arrangements entered into on/after 31 Mar 2021
As part of the wider UK authorities’ operational resilience package, the Prudential Regulation Authority (PRA) has published final rules on outsourcing and third party risk management. Outsourcing arrangements entered into on or after 31 March 2021 should meet the expectations by 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before 31 March 2021 at the first appropriate contractual renewal or revision point as soon as possible on or after 31 March 2022.
1 January 2022
EBA: Application of final guidelines on major incident reporting under PSD2
AUS
APRA: Consultation on operational resilience
The European Banking Authority (EBA) revised its guidelines on major incident reporting under the Payment Services Directive (PSD2) in June 2021. The revised guidelines optimise and simplify the reporting process and templates; focus on incidents with significant impact on payment service providers (PSPs); and improve the meaningfulness of the information to be reported. The guidelines apply from 1 January 2022.
The Australian Prudential Regulation Authority (APRA) updated its schedule of policy priorities for the remainder of 2021 in September 2021. Under the revised schedule, several policy releases originally scheduled for 2021 were deferred. APRA indicated that it will consult on operational resilience standards in 2022; standards are expected to be effective in 2024.
12 JANUARY 2022
PRA: Supervisory priorities for 2022
13 JANUARY 2022
IOSCO: Consultation on operational resilience of trading venues and market intermediaries during Covid-19
14 JANUARY 2022
PRA: Response deadline consultation on operational resilience and operational continuity in resolution
26 JANUARY 2022
HKMA: Priorities for 2022
27 JANUARY 2022
ESRB: Recommendation to establish a pan-European systemic cyber incident coordination framework
31 JANUARY 2022
ESAs: Response to European Commission call for advice on digital finance - value chains, platformisation, and mixed activity groups
1 FEBRUARY 2022
APRA: Policy and supervisory priorities for 2022
4 FEBRUARY 2022
HKMA: Deadline for responses to consultation on new SPM module OR-2 'Operational Resilience' and revisions to modules OR-1 'Operational Risk Management' and TM-G-2 'Business Continuity Planning'
8 FEBRUARY 2022
MAS: Guidance on non-face-to-face customer due diligence measures
18 FEBRUARY 2022
SFC: Reminder to licensed corporations to review their BCP planning
14 MARCH 2022
IOSCO: Response deadline - Consultation on operational resilience of trading venues and market intermediaries during Covid-19
The Prudential Regulation Authority (PRA) has written to CEOs of PRA-regulated insurance firms, UK deposit takers, and international banks active in the UK to set out supervisory priorities for 2022. Included among those priorities is continuing work to enhance the operational resilience of the financial sector.
The International Organization of Securities Commissions (IOSCO) has published a consultation report on the operational resilience of trading venues and market intermediaries during Covid-19. In the report, IOSCO describes the impact of Covid-19 and concludes that trading venues and market intermediaries largely proved to be operationally resilient, continuing to serve their clients and the broader economy. However, this period also highlighted opportunities to learn lessons on how to further improve the operational resilience of these entities. As such, IOSCO invites feedback by 14 March 2022.
The Prudential Regulation Authority (PRA) published a consultation paper on operational resilience and operational continuity in resolution (CP21/21). The consultation sets out the PRA's proposals to apply the group provisions in the Operational Resilience Part of the PRA Rulebook relevant to Capital Requirements Regulation (CRR) firms to holding companies, and to make other minor formatting and clarification amendments to the Operational Resilience and Operational Continuity Parts of the PRA Rulebook. The PRA proposes that the implementation date for the changes resulting from CP21/21 would be: 31 March 2022 for Operational Resilience; and 1 January 2023 for Operational Continuity in Resolution. Responses are requested by 14 January 2022.
The Hong Kong Monetary Authority (HKMA) has published the fifth issue of its Regtech Adoption Practice Guide, focusing on regtech solutions in the area of cyber risk management. The topics covered include:
- key challenges faced by Hong Kong-based banks in relation to cyber risk management, and the benefits and key considerations when adopting cyber risk management regtech solutions;
- practical implementation guidance to banks on the implementation of cyber risk management regtech solutions; and
- use cases on the adoption of cyber risk management solutions, including key learnings from successful cyber risk management implementation from the perspectives of both the bank and the regtech provider.
The Hong Kong Monetary Authority's (HKMA's) Deputy Chief Executive, Mr Arthur Yuen, delivered a presentation on the HKMA's 2021 year-end review and priorities for 2022 for the Hong Kong banking sector. Among the HKMA's priorities for 2022 are enhancing operational and cyber resilience amid growing digitalisation, including the implementation of the new Supervisory Policy Manual module on operational resilience, review of authorised institutions' hybrid working arrangements and providing guidance on cloud computing.
The European Systemic Risk Board (ESRB) has published a Recommendation for the establishment of a pan-European systemic cyber incident coordination framework (EU-SCICF). The ESRB proposes that the EU-SCICF would play a key role in coordination among financial and other authorities in the EU, as well as assisting with international coordination. It would work with the existing EU cyber incident response frameworks, with a focus on financial stability risks arising from cyber incidents.
The European Supervisory Authorities (ESAs) - EBA, EIOPA and ESMA - have published their joint response to the European Commission's February 2021 Call for Advice. This response covers the Commission's request in relation to the regulation and supervision of more fragmented or non-integrated value chains, platforms and bundling of various financial services, and risks of groups combining different activities. In the response, the ESAs, while welcoming the proposed Digital Operational Resilience Act (DORA), note that it does not address non-ICT risks that may arise from the use of third-party providers by financial institutions and the increasing interconnectedness between technology companies and financial institutions. The ESAs make specific recommendations to address this, and also highlight the need to continue to assess this aspect of risk.
The Australian Prudential Regulation Authority (APRA) has released its policy and supervision priorities for the next 12 to 18 months. Among APRA’s key policy priorities are a continued focus on ensuring financial stability in the face of Covid-19 and improving crisis preparedness, while supervisory priorities include cyber risk preparedness and responsiveness and upgrading contingency and continuity frameworks.
The Hong Kong Monetary Authority (HKMA) has released the following Supervisory Policy Manual (SPM) draft modules for industry consultation:
- a new module OR-2 'Operational Resilience';
- updated module OR-1 'Operational Risk Management'; and
- updated module TM-G-2 'Business Continuity Planning'.
The new module OR-2 sets out the HKMA’s supervisory approach to operational resilience and provides authorised institutions (AIs) with guidance on the general principles which they are expected to consider when developing their operational resilience framework. Comments are required to be submitted by 4 February 2022.
The Monetary Authority of Singapore (MAS) has issued AMLD 01/2022: Circular on Non-Face-to-Face Customer Due Diligence (CDD) Measures. The Circular sets out industry good practices observed by MAS and supervisory guidance on the measures to mitigate risks associated with the use of non-face-to-face technologies for CDD.
The Hong Kong SFC has issued a circular to remind licensed corporations to review their business continuity plans (BCPs) with reference to its circular of 28 October 2021.
11 MARCH 2022
PRA: PS2/22 on operational resilience and OCIR
FCA: Operational resilience insights for insurance firms
14 APRIL 2022
BoE: Consultations on FMI outsourcing and third party risk management
28 APRIL 2022
PRA speech: Next steps for operational resilience
11 MAY 2022
EU: Provisional agreement reached on DORA
13 MAY 2022
EU: Political agreement reached on NIS 2 Directive
25 MAY 2022
31 MAY 2022
HKMA: New operational resilience module and revised BCP module
6 JUNE 2022
MAS: Revised guidelines on BCM
8 JUNE 2022
HMT: Policy Statement on critical third parties
15 JUNE 2022
HKIMR: Report on Covid-19 and the operational resilience of Hong Kong's financial services industry
14 JULY 2022
BoE: Deadline for responses to consultations on FMI outsourcing and third party risk management
The Prudential Regulation Authority (PRA) has published Policy Statement 2/22 (PS2/22) on operational resilience and operational continuity in resolution (OCIR). In PS2/22, the PRA sets out its final policy following feedback to its November 2021 consultation. The PRA has also published:
- PRA Rulebook: CRR Firms, SII Firms: Operational Resilience Instrument 2022 (PRA2022/1);
- a revised version of the PRA supervisory statement, Operational resilience: Impact tolerances for important business services (SS1/21); and
- PRA Rulebook: CRR Firms: Operational Continuity Instrument 2022 (PRA2022/2).
The PRA's new rules and guidance on operational resilience will come into force on 31 March 2022 and its rules on OCIR will come into force on 1 January 2023.
The FCA published observations – examples of good practice and areas for improvement – which it gleaned from sampling how 47 firms responded to its final operational resilience rules and guidance. The FCA directs firms to use its observations to review their approaches to operational resilience against the FCA's observations and consider what actions they still need to take.
The Bank of England (BoE) published three Consultation Papers (CPs) on its proposals around outsourcing and third party risk management in financial market infrastructures (FMI). The proposals are set out in three draft supervisory statements (SS) for central counterparties (CCPs), central securities depositories (CSDs), and recognised payment system operators (RPSOs) and specified service providers (SSPs). The BoE's purpose is to:
- facilitate greater resilience and adoption of the cloud and other new technologies;
- set out the BoE’s requirements and expectations in relation to outsourcing and third party risk management in FMIs; and
- complement the BoE’s SSs on FMI operational resilience.
In particular, the BoE is proposing to develop an outsourcing and third party risk management part to add to the Code of Practice that will apply to relevant RPSOs and SSPs. Feedback is requested by 14 July 2022.
The Prudential Regulation Authority (PRA) published a speech by David Bailey, Executive Director, UK Deposit Takers Supervision, on operational resilience and next steps on the PRA’s supervisory roadmap. Mr Bailey spoke about the PRA expectations for firms and the links to other key policy areas such as outsourcing and critical third parties (CTPs). He also provided an overview of the regulator's initial assessments of firms' progress so far, and outlined the PRA's planned next steps, including further supervisory engagement with firms.
The European Parliament (EP) and Council of the EU have reached provisional agreement on the Digital Operational Resilience Act (DORA). DORA seeks to ensure that the financial sector in Europe is able to maintain resilient operations through a severe operational disruption. It sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services.
The European Commission (EC) welcomed the political agreement reached between the European Parliament (EP) and EU Member States on the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), proposed by the EC in December 2020. The NIS 2 Directive seeks to strengthen cybersecurity requirements imposed on companies, addresses the security of supply chains and supplier relationships and introduces accountability of top management for non-compliance with the cybersecurity obligations.
The Prudential Regulation Authority's (PRA's) Executive Director for Supervisory Risk Specialists, Duncan Mackinnon, addressed the City & Financial 9th Annual Operational Resilience for Financial Institutions Summit, setting out where the PRA expects firms to focus as they work towards building operational resilience by March 2025.
PRA speech: An overview of the supervisory regulatory position on operational resilience
The Hong Kong Monetary Authority (HKMA) finalised its new Supervisory Policy Manual (SPM) module OR-2 Operational Resilience and revised SPM module TM-G-2 Business Continuity Planning. The modules implement the Basel Committee on Banking Supervision’s (BCBS's) Principles for Operational Resilience (POR) issued in March 2021. HKMA expects every authorised institution to have:
- developed its operational resilience framework and determined the timeline by which it will become operationally resilient within one year after module OR-2 is issued (ie, by 31 May 2023); and
- become operationally resilient as soon as its circumstances allow and no later than three years after the initial one-year planning period (ie, by 31 May 2026).
MAS has published revised Guidelines on Business Continuity Management (BCM) for financial institutions (FIs), to help FIs strengthen their resilience against service disruptions arising from IT outages, pandemic outbreaks, cyber-attacks and physical threats. The revisions take into account learnings from the handling of the COVID-19 pandemic and increased digitalisation in the financial sector.
HM Treasury (HMT) published a policy statement (PS) on mitigating risks to the finance sector from increasing reliance by firms on critical third parties (CTPs) for key functions and services. The PS, developed with the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), sets out proposals to enable HMT to designate as ‘critical’ certain third parties which provide services to firms. It also proposes to empower the regulators to:
- make rules to set minimum resilience standards in respect of certain 'material' services that CTPs provide;
- require targeted resilience testing and gather information to assess compliance with standards;
- direct CTPs to take (or to refrain from taking) specific actions; and
- take enforcement action including powers, as a last resort, to prohibit a CTP from providing services, or continuing to provide services.
HM Government will legislate when parliamentary time allows; the regulators will publish a joint Discussion Paper shortly after legislation is introduced.
The Hong Kong Institute for Monetary and Financial Research (HKIMR), the research arm of the Hong Kong Academy of Finance (AoF), released a new Applied Research report, titled “COVID-19 and the Operational Resilience of Hong Kong’s Financial Services Industry: Preliminary considerations from the 2020-2021 experience”.
17 JUNE 2022
HKMA, BIS Innovation Hub & Bank of Israel: Project Sela examining cybersecurity in the context of rCBDC
MAS, BdF & ACPR: Joint crisis management exercise - cybersecurity
1 JULY 2022
ESAs: JC SC DOR mandate on digital operational resilience comes into effect
5 JULY 2022
FSI: Report on Big tech interdependencies
11 JULY 2022
IOSCO: Report on the operational resilience of trading venues and market intermediaries during Covid-19
21 JULY 2022
FCA, PRA & BoE: Discussion paper on CTPs providing services to the UK financial sector
25 JULY 2022
HKMA: Revised SPM module OR-1 on operational risk management
28 JULY 2022
APRA: Consultation on new prudential standard to strengthen operational resilience
28 JULY 2022
HKMA: Sound practices for payment operations
5 AUGUST 2022
MAS Report: Operational Risk Management - Management of Third Party Arrangements
8 AUGUST 2022
ECB: Purple Teaming Best Practices
25 AUGUST 2022
FSI: Brief on safeguarding operational resilience
27 AUGUST 2022
SEHK, SEOCH, HKCC, HKSCC and OTC Clear: Rehearsals for contingency measures for data centre outage
31 AUGUST 2022
HKMA: Circular - Guidance on Cloud Computing
23 SEPTEMBER 2022
HKMA: Circular - Supervisory expectations on payment card security
27 SEPTEMBER 2022
APRA: Optus data breach - update for APRA-regulated entities
5 OCTOBER 2022
AUSTRALIA
APRA: Thematic review of outsourcing arrangements in the superannuation industry
6 OCTOBER 2022
SFC: Deputy CEO highlights focus on operational resilience
13 OCTOBER 2022
IAIS: Consultation on operational resilience in insurance
17 OCTOBER 2022
EBA: Peer review of NCA supervision of ICT risk
FSB: Consultation on cyber incident reporting
21 OCTOBER 2022
APRA: Deadline for responses to consultation on new prudential standard to strengthen operational resilience
27 OCTOBER 2022
EBA: 2023 Supervisory priorities for prudential supervisors - operational and financial resilience
28 OCTOBER 2022
MAS: CSAP recommendations on tackling new cyber risks
18 NOVEMBER 2022
BoE: SIMEX 22
24 NOVEMBER 2022
EIOPA: Discussion paper on insurance stress testing - cyber focus
25 NOVEMBER 2022
HKMA: Additional guidance on anti-DDoS protection
28 NOVEMBER 2022
Council of the EU: Adoption of DORA
29 NOVEMBER 2022
CPMI/IOSCO: FMI cyber resilience
23 DECEMBER 2022
FCA, PRA & BoE: Deadline for responses to discussion paper on CTPs providing services to the UK financial sector
FSB: Deadline for response to consultation on cyber incident reporting
The Monetary Authority of Singapore (MAS), the Banque de France (BdF) and the Autorité de contrôle prudentiel et de résolution (ACPR) have carried out a joint crisis management exercise focused on cybersecurity threats. The exercise follows from the Memorandum of Understanding (MoU) on Cooperation in Cybersecurity signed between MAS, BdF and ACPR in November 2019. The joint exercise tested the effectiveness of cyber crisis coordination and response by the three financial authorities when managing scenarios such as ransomware, zero-day vulnerabilities and IT supply chain attacks.
The HKMA has announced a joint research project on retail Central Bank Digital Currency (rCBDC) with the Bank of Israel and the Bank for International Settlements Innovation Hub (BISIH), named Project Sela. Project Sela will take a deep dive into cybersecurity issues in the context of rCBDC, studying the data security implications of a two-tier rCBDC architecture where the intermediaries have no financial exposure. The project is expected to be completed by the end of 2022.
The European Supervisory Authorities (ESAs) established a Joint Committee Sub-Committee on Digital Operational Resilience (JC SC DOR) to support the ESAs in delivering their mandates under the Digital Operational Resilience Act (DORA). The mandate sets out specific tasks for the JC SC DOR.
The Financial Stability Institute of the Bank for International Settlements (BIS) published the report: 'Big tech interdependencies - a policy blind spot' which assesses the interdependencies inherent in big tech business models, outlines the regulatory implications of how big techs provide financial services, and explains the tools financial authorities have at their disposal to address related risks.
The International Organization of Securities Commissions (IOSCO) published its final report on the operational resilience of trading venues and market intermediaries during Covid-19. The report: summarises some of the existing operational resilience work by IOSCO and other international organisations; examines the key operational risks and challenges that these entities faced during Covid-19; and identifies lessons learned.
The UK financial services regulators published Discussion Paper 22/3 - Operational resilience: Critical third parties (CTPs) to the UK financial sector. The DP sets out how the regulators could use the powers proposed under the Financial Services and Markets Bill (FSM Bill), covering: the identification of CTPs for designation; minimum resilience standards, which would apply to the services provided to the financial sector; and a framework for testing the resilience of material services that CTPs provide. Comments are open until 23 December 2022. A consultation paper (CP) will follow in 2023, subject to the progress of the FSM Bill through Parliament.
The HKMA has published the revised version of its Supervisory Policy Manual (SPM) module OR-1 (Operational Risk Management). The revised module implements the Revised Principles for Sound Management of Operational Risk issued by the Basel Committee on Banking Supervision (BCBS) in March 2021 and reflects the requirements related to operational risk management contained within the BCBS’s Principles for Operational Resilience. Authorised institutions should implement module OR-1 no later than 25 January 2024, except for the areas related to operational resilience set out in paragraph 1.5.2 which should follow the implementation timelines for the new module OR-2 (finalised in May 2022).
The Australian Prudential Regulation Authority (APRA) issued a consultation on a new prudential standard designed to strengthen the management of operational risk in the banking, insurance and superannuation industries. The standard will replace the five existing standards relating to business continuity and outsourcing. Responses are requested by 21 October 2022. APRA intends to finalise the standard in early 2023 and release draft guidance for consultation before it comes into effect from 1 January 2024.
The Hong Kong Monetary Authority (HKMA) issued a circular to authorised institutions (AIs) to share sound practices for payment operations. The HKMA noted that a few payment-related operational incidents were reported by AIs in the past year; most of these incidents were caused by IT system malfunctions, rendering the AIs unable to complete payment transactions within the cut-off timelines specified by the Hong Kong Interbank Clearing Limited. The HKMA circular reminds AIs of the importance of maintaining high operational resilience in their payment operations and indicates that the HKMA will step up surveillance of payment operations.
The Monetary Authority of Singapore (MAS) published the findings from its thematic inspections of the operational risk management standards and practices of selected banks, focusing on third party risk management. MAS sets out its supervisory expectations, good practices, improvement areas and case examples observed from the inspections. MAS comments that banks have room to raise risk management standards as regards third party risk. While it observed that banks were familiar with outsourcing risk, MAS found that some banks had only started to consider the risks posed by other service providers. While the findings relate to its inspections of banks, MAS explains that the good practices highlighted should inform all financial institutions.
The European Central Bank (ECB) published its Purple Teaming Best Practices. These practices outline how purple teaming can be set up and managed within the European framework for threat intelligence-based ethical red teaming (TIBER-EU) process.
The Financial Stability Institute (FSI) of the Bank for International Settlements (BIS) published a brief on safeguarding operational resilience which looks at operational resilience through a macroprudential lens. The paper considers the following: the progress in developing frameworks for operational resilience; the main guidelines that have been issued; the macroprudential concerns in relation to operational resilience; and solutions on how to address those concerns.
The Stock Exchange of Hong Kong Limited (SEHK), the SEHK Options Clearing House Limited (SEOCH), HKFE Clearing Corporation Limited (HKCC), Hong Kong Securities Clearing Company Limited (HKSCC) and OTC Clearing Hong Kong Limited (OTC Clear) conducted data centre failover rehearsals on 27 August 2022. The rehearsal aims to enable participants/members and related parties to familiarise themselves with contingency procedures and related operational matters upon a simulated service outage.
The Hong Kong Monetary Authority (HKMA) issued a circular to provide guidance to authorised institutions (AIs) on its supervisory expectations relating to the adoption of cloud computing. This is in light of the growing trend of AIs adopting cloud computing via third-party cloud service providers (CSPs). The HKMA’s supervisory expectations are developed with reference to the results of a round of thematic examinations undertaken from 2021 to 2022. The principles serve to complement (and should be read in conjunction with) the relevant existing HKMA guidance, including supervisory policy manual module SA-2 (Outsourcing), module OR-2 (Operational Resilience) and module TM-G-1 (General Principles for Technology Risk Management).
The Hong Kong Monetary Authority (HKMA) issued a circular to inform authorised institutions (AIs) of its supervisory expectations on payment card security. In light of the growing number of data breaches involving payment cards, the HKMA has provided additional guidance to the system operators and settlement institutions of retail payment systems designated under the Payment Systems and Stored Value Facilities Ordinance (card scheme operators – CSOs). Under the guidance, relevant CSOs are required to implement a robust data security framework covering their participants and third-party service agents, to minimise the risk of data breaches and reduce the resulting damage when such breaches occur.
In the wake of a data breach reported by telecommunications company Optus which resulted in the exposure of customer information, the Australian Prudential Regulation Authority (APRA) has reminded firms of their notification obligations under Prudential Standard CPS 234 Information Security. Under the Standard, entities must notify APRA of information security incidents and control weaknesses. APRA further urged entities to ‘harden’ controls and raise customer awareness of fraud.
The Australian Prudential Regulation Authority (APRA) published its findings following a review (conducted jointly with Grant Thornton) of outsourcing arrangements in the retail superannuation industry. The review was undertaken in light of APRA’s continued focus on improving the operational resilience of trustees and thereby outcomes for superannuation members coupled with concerns around management of related party arrangements that emerged from the financial services Royal Commission. APRA's review found that trustees' efforts since the Royal Commission have resulted in stronger board oversight and monitoring of outsourcing arrangements and service providers. However, APRA found there is more to be done and identified key areas for improvement.
Securities and Futures Commission (SFC) Deputy CEO Julia Leung delivered a keynote speech at the ASIFMA Tech & Ops Conference 2022 in which she highlighted, among other things, that the SFC places great emphasis on the measures firms are adopting to ensure operational resilience – including reliability of their information technology systems, adequacy of their capacity and security, as well as their contingency and recovery plans. Cybersecurity and third-party vendor risks are important areas requiring attention.
The European Banking Authority (EBA) published a report outlining the conclusion of the peer review of how national competent authorities (NCAs) supervise institutions’ ICT risk management and of how they have implemented the EBA Guidelines on ICT risk assessment. The review did not identify any significant concerns regarding the supervisory practices but made some general recommendations for further improvements, including for amendments to the Guidelines once the EU's Digital Operational Resilience Act (DORA) has been finalised.
The International Association of Insurance Supervisors (IAIS) published a consultation on issues impacting operational resilience in the insurance sector. The paper addresses three specific operational resilience sub-topics that are considered significant and to be increasing operational risk, these are: cyber resilience; third-party outsourcing; and business continuity management. Feedback is requested by 6 January 2023.
The Financial Stability Board (FSB) published a consultation on achieving greater convergence in cyber incident reporting. The proposals include: recommendations to address the challenges to achieving greater convergence in cyber incident reporting; further work on establishing common terminologies related to cyber incidents; and a proposal to develop a common format for incident reporting exchange (FIRE). Feedback is requested by 31 December 2022.
Deadline for responses to the Australian Prudential Regulation Authority (APRA) consultation on a new prudential standard designed to strengthen the management of operational risk in the banking, insurance and superannuation industries. The standard will replace the five existing standards relating to business continuity and outsourcing. APRA intends to finalise the standard in early 2023 and release draft guidance for consultation before it comes into effect from 1 January 2024.
The European Banking Authority (EBA) has published the European Supervisory Examination Programme (ESEP) for 2023, which identifies key topics for supervisory attention across the European Union (EU). Key topics include operational resilience, in particular ICT security risk, ICT availability and continuity risk, and risk data aggregation.
The Monetary Authority of Singapore (MAS) has published insights from its Cyber Security Advisory Panel (CSAP) on how Singapore’s financial sector can address technology and cyber risks amid heightened geopolitical tensions, rapid digitalisation of financial services, and an increasingly hostile cyber threat landscape.
The Bank of England (BoE), in partnership with the Financial Conduct Authority (FCA), HM Treasury (HMT) and 50 regulated firms, has undertaken a two-day UK market wide simulation exercise - SIMEX 22. The exercise set out to test the UK financial sector’s resilience to major operational disruption. The exercise was developed by the Cross Market Operational Resilience Group (CMORG) which will consider the findings and ensure that collective capabilities are developed to mitigate any risks that are identified.
The European Insurance and Occupational Pensions Authority (EIOPA) published a discussion paper on methodological principles of insurance stress testing with a focus on cyber risk. EIOPA aims at laying the groundwork for an assessment of insurers’ resilience under severe but plausible cyber incident scenarios. The paper elaborates on two main aspects:
- cyber resilience, understood as the capability of an insurance undertaking to sustain the financial impact of an adverse cyber event; and
- cyber underwriting risk, understood as the capability of an insurance undertaking to sustain – from a capital and solvency perspective – the financial impact of an extreme but plausible adverse cyber scenario affecting underwritten business.
Feedback is requested by 28 February 2023.
The Hong Kong Monetary Authority (HKMA) issued a circular to authorised institutions (AIs) to provide additional guidance on protection against distributed denial-of-service (DDoS) attacks. The guidance has been developed with reference to the findings from a round of thematic reviews assessing the effectiveness of the anti-DDoS protective measures maintained by AIs. The guidance covers four key areas:
- regular risk assessment and vulnerability management, including protective measures provided by third parties;
- proper design of the architecture of anti-DDoS controls in respect of both customer-facing channels and components that support the AI's operations;
- effective governance over service providers to evaluate their cyber defence capability and robust contingency arrangements for potential disruption to their services; and
- proper incident response procedures and regular rehearsal exercises.
The Council of the EU has adopted the Digital Operational Resilience Act (DORA), marking the final step in the legislative process. DORA creates a regulatory framework on digital operational resilience whereby financial entities, including banks, insurers and investment firms need to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. The next step is national transposition whereby DORA will be passed into law by each EU Member State. At the same time, the European Supervisory Authorities (ESAs) will develop technical standards.
The Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) published a report on financial market infrastructures' (FMI) cyber resilience. The report finds reasonably high adoption of the Guidance on cyber resilience for financial market infrastructures by FMIs. However, it identifies a serious issue of concern related to a small number of FMIs not fully meeting expectations regarding the development of cyber response and recovery plans to meet the two-hour recovery time objective (2hRTO). Four additional issues of concern relate to shortcomings in established response and recovery plans to meet the 2hRTO under extreme cyber-attack scenarios; lack of cyber resilience testing after major system changes; lack of comprehensive scenario-based testing; and inadequate involvement of relevant stakeholders in testing.
On 17 October 2022, the Financial Stability Board (FSB) published a consultation on achieving greater convergence in cyber incident reporting. The proposals include: recommendations to address the challenges to achieving greater convergence in cyber incident reporting; further work on establishing common terminologies related to cyber incidents; and a proposal to develop a common format for incident reporting exchange (FIRE). Feedback is requested by 31 December 2022.
1 January 2021
EIOPA: Date of application of Final Guidelines on Outsourcing to Cloud Service Providers
8 January 2021
FSB: Response deadline to the Discussion Paper on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships
The FSB has published a Discussion Paper (DP) for public consultation, on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships. The DP draws on findings from a survey conducted among the FSB members to identify a number of issues and challenges. For instance, financial institutions have to ensure that their contractual agreements with third parties grant to them, as well as to supervisory and resolution authorities, appropriate rights to access, audit and obtain information from third parties. These rights can be challenging to negotiate and exercise, particularly in a multi-jurisdictional context. The management of sub-contractors and supply chains is another challenge that was highlighted in the context of financial institutions’ response to Covid-19. Feedback is requested by 8 January 2021, and will be used to inform discussion on current regulatory and supervisory approaches.
16 Apr 2021
EU Commission: Deadline for feedback on Commission’s adopted proposal for a Directive on digital operational resilience for the financial sector (DORA)
On 2 October, the EU Commission adopted a package of proposals which included a new law on digital operational resilience for financial services.
1 July 2021
EIOPA: Application date of Guidelines on Information and Communication Technology (ICT) Security and Governance
The objective of the guidelines is to promote the increase of the operational resilience of the digital operations of insurance and reinsurance undertakings against the risks they face. The guidelines:
• provide clarification and transparency to market participants on the minimum expected information and cyber security capabilities, i.e. security baseline;
• avoid potential regulatory arbitrage;
• foster supervisory convergence regarding the expectations and processes applicable in relation to ICT security and governance as a key to proper ICT and security risk management.
National supervisory authorities are expected to apply these guidelines from 1 July 2021.
31 December 2021
EBA: Outsourcing Guidelines – Deadline for Completing Review of Outsourcing Arrangements Related to Critical or Important Functions
The EBA Guidelines apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019. In-scope firms are required to review and amend their existing outsourcing arrangements to ensure compliance. Where a firm has not completed a review of an outsourcing arrangement which relates to critical or important functions by 31 December 2021, it should notify the relevant competent authority.
HKMA originally introduced its Cybersecurity Fortification Initiative (CFI) in 2016; the updated CFI 2.0 came into effect on 1 January 2021 and applies to all authorised institutions (AIs). CFI 2.0 consists of 3 pillars: (1) Cyber Resilience Assessment Framework (CRAF) – a self-assessment framework involving inherent risk assessment, maturity assessment, and intelligence-led cyber attack simulation testing (CAST) – AIs are divided into groups for a phased implementation up to the end of December 2023; (2) Professional Development Programme (PDP); and (3) Cyber Intelligence Sharing Platform (CISP).
HKMA: CFI 2.0 Comes Into Effect
18 January 2021
MAS: Revised TRM Guidelines
The Monetary Authority of Singapore (MAS) issued revised Technology Risk Management (TRM) Guidelines which set out technology risk management principles and best practices for the financial sector, to guide financial institutions (FIs) in the following:
• establishing sound and robust technology risk governance and oversight; and
• maintaining cyber resilience.
21 January 2021
HKMA: AML/CFT RegTech case studies and highlights
The Hong Kong Monetary Authority (HKMA) has published a report entitled “AML/CFT Regtech: Case Studies and Insights” highlighting the opportunities that Regtech offers to transform the effectiveness and efficiency of Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) efforts, and sharing end-to-end approaches which worked in real-life examples. The report includes a chapter on third-party vendor relationships and includes some examples from banks about evaluating third-party RegTech providers and partners. The report follows on from the HKMA’s 2019 AML/CFT RegTech Forum in November 2019.
The Monetary Authority of Singapore (MAS) published a consultation on a Notice to Banks on Management of Outsourced Relevant Services. MAS also intends to mirror requirements of this notice for merchant banks in a Notice to Merchant Banks on Management of Outsourced Relevant Services. Feedback to the consultation was requested by 29 January 2021.
29 January 2021
MAS: Deadline for responses to Consultations on Notices to Banks and Merchant Banks on Management of Outsourced Relevant Services
2 FEBRUARY 2021
Hong Kong
HKMA Speech: 2020 Year-end review and priorities for 2021
The Hong Kong Monetary Authority (HKMA) has published the materials presented by Arthur Yuen, Deputy Chief Executive. Mr Yuen highlights operational resilience in the context of the response to Covid-19.
20 January 2021
FSB: 2021 Work Programme Incorporates Cyber and Operational Resilience
22 January 2021
BIS Innovation Hub: Annual Work Programme Incorporates Cyber Security Theme
28 January 2021
ECB: Outcome of 2020 SREP and 2021 Supervisory Priorities
5 FEBRUARY 2021
FCA: Multi-firm Review of Implementing Technology Change
FCA: ‘Dear CEO’ Letter to Retail Banks
9 FEBRUARY 2021
ESAs: Letter Regarding DORA
31 JULY 2021
ESMA: Application of Guidelines on Outsourcing to CSPs
OCTOBER 2021
FSB: Report on Cyber Incident Reporting
The Financial Stability Board (FSB) has published its 2021 work programme. Among the important work programme items which the FSB highlights is a focus on cyber and operational resilience. The FSB will take stock of current practices across sectors and jurisdictions regarding the reporting of cyber incidents for regulatory purposes, and explore if and where greater convergence of reporting practices could be achievable. It will also explore the need for revisions to the FSB Cyber Lexicon. The FSB will report on this initiative in October 2021. Further, with regard to outsourcing, the FSB Standing Committee on Supervisory and Regulatory Cooperation (SRC) plans to hold a virtual outreach with external stakeholders on its November 2020 discussion paper on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships in early 2021.
The Bank for International Settlements (BIS) Innovation Hub has set out its annual work programme. Among the key themes for the work programme is cyber security. Most recently, the Secure Coding Competition was hosted by the Swiss Centre and the BIS Cyber Resilience Coordination Centre in Q4 2020 as an informal and friendly coding training for central banks. It attracted around 60 developers from more than 20 central banks who competed to develop their skills across multiple programming languages.
The European Central Bank (ECB) has published the outcome of its 2020 Supervisory Review and Evaluation Process (SREP) and announced its 2021 supervisory priorities. Based on the SREP analysis and taking into account Covid-19, the ECB has decided on the following supervisory priorities: credit risk; capital strength; business model sustainability; and governance. With regard to governance, the ECB observes that advancing digitalisation can support the transformation of banks’ business models with a view to increasing profitability in the longer term, but it also exposes vulnerabilities related to existing IT deficiencies and susceptibility to cybercrime and operational disruptions. While firms showed strong operational resilience since the onset of Covid-19, the changing digital environment poses challenges. Cyber threats have been on the rise recently, and in many banks, critical processes depend on end-of-life systems requiring large-scale IT expenditure to mitigate the associated risks.
This FCA multi-firm review looks at how firms implement technology change, the challenges caused when changes fail, and steps firms can take to protect consumers from harm and disruption in the market. The review revealed that failed technology changes are one of the main causes for operational disruption within firms, accounting for a quarter of all high severity incidents that cause harm to consumers and the market. Firms with strong governance and risk management strategies are more successful at technology change. Robust testing is an important part of the change process, but while testing automation has benefits it also presents challenges. The FCA also found that pairing subject matter expertise with a clear understanding of a firm’s strategy is vital.
The FCA has written to the CEOs of firms in its retail banking portfolio setting out its proposed supervisory strategy for the coming two years. Among the priority areas for retail banking, the FCA highlights operational resilience. The regulator sets out:
• its view of the risks in the context of retail banking operations, which recognises the impact of Covid-19;
• its expectations of retail banks, with particular note made of Principle 11 of the Principles for Businesses which relates to notifications, use of third party providers, and board and senior manager responsibilities; and
• what the FCA intends to do over the coming supervisory cycle.
CEOs are directed to discuss the letter with fellow directors and their Boards.
The European Supervisory Authorities (ESAs) have published a letter sent to the European Parliament, European Commission and Council of the EU on the proposed Digital Operational Resilience Act (DORA), first published on 24 September 2020. The ESAs agree with the main principles of DORA, and provide recommendations on how to take forward certain aspects of the governance and operational processes of the oversight framework for Critical Third Party Providers (CTPPs) and the application of the proportionality principle in DORA. The ESAs also highlight concerns about the level of resources which they will need to both deliver the one-off policy work and undertake their ongoing responsibilities as envisaged by DORA.
The European Securities and Markets Authority has published the final report on Guidelines on Outsourcing to Cloud Service Providers (CSPs). The guidelines take into account related guidelines by the European Banking Authority (EBA) and European Insurance and Occupational Pensions Authority (EIOPA), and the proposal for a Digital Operational Resilience regulation (DORA). The guidelines cover:
• risk assessment and due diligence;
• the governance, organisational and control frameworks;
• exit arrangements;
• the contractual elements to be included in agreements; and
• notification requirements.
The guidelines apply from 31 July 2021 to all arrangements entered into, renewed or amended on or after this date. Firms should review and amend accordingly existing cloud outsourcing arrangements with a view to ensuring that they take into account these guidelines by 31 December 2022.
29 March 2021
BoE, FCA and PRA: Final policy on operational resilience
PRA: Final policy on outsourcing and third party risk management
1 Apr 2021
BCBS: Final Principles for Operational Resilience and revised Principles for the Sound Management of Operational Risk
The UK regulators – the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) – published their final policy on operational resilience. There will be a one-year implementation period to 31 March 2022. This will be followed by a three-year transitional period ending on 31 March 2025. As part of the operational resilience package, the PRA has also published final rules on outsourcing and third party risk management.
As part of the wider UK authorities’ operational resilience package, the Prudential Regulation Authority (PRA) has published final rules on outsourcing and third party risk management. Outsourcing arrangements entered into on or after 31 March 2021 should meet the expectations by 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before 31 March 2021 at the first appropriate contractual renewal or revision point as soon as possible on or after Thursday 31 March 2022.
The Basel Committee on Banking Supervision (BCBS) has issued Principles for operational resilience, which aim to make banks better able to withstand, adapt to and recover from severe adverse events. In addition to the principles for operational resilience, the BCBS also issued revisions to its Principles for the sound management of operational risk (PSMOR) reflecting the natural relationship between operational resilience and operational risk. This follows a consultation on both documents in August 2020.
1 FEBRUARY 2021
APRA: Policy Priorities 2021 – new and revised operational resilience standards
1 February 2021
ASEAN
ASEAN: Joint Statement of 7th AFMGM - CRISP
2 March 2021
MAS & ABS: Risk Management and Operational Resilience in a Remote Working Environment guidance
3 MARCH 2021
Council of the EU: Opinion of the EESC on DORA
19 MARCH 2021
ECB: Best practices applied by FMIs in their BCPs during Covid-19
31 March 2021
MAS: FAQs on the Payment Services Act
9 Apr 2021
Ireland
Central Bank of Ireland: CP140 - Cross Industry Guidance on Operational Resilience
21 Apr 2021
HKMA: Circular regarding BCBS's principles on operational resilience
29 APRIL 2021
FCA: Insights from the 2020 Cyber Coordination Groups
5 MAY 2021
PRA: Speech by Lyndon Nelson on Operational Resilience - outcomes in practice
6 May 2021
FCA: Update on the application of the EBA Outsourcing Guidelines
Global
IOSCO: Report on the implementation of recommendations and standards on BCPs for TVs and MIs
10 May 2021
EDPS: Opinion on DORA
9 July 2021
Ireland
Central Bank of Ireland: Deadline for responses to CP140 - Cross Industry Guidance on Operational Resilience
IOSCO: Report on Operational, Cyber Security and BCP Risks before 2022
On 30 March 2021, the Monetary Authority of Singapore (MAS) published the Joint Statement of the 7th ASEAN Finance Ministers and Central Bank Governors’ Meeting (AFMGM). The statement notes: "We are pleased with the full operationalisation of the ASEAN Cybersecurity Resilience and Information Sharing Platform (CRISP) with the entry into force for the participating AMS that have signed the Memorandum of Understanding (MOU) for Sharing of Information during Activities of Digital and Technology Network (DTN) on 1 February 2021, which allows information sharing to combat cybersecurity threats and to develop collaborative mitigation actions for ASEAN Central Banks."
The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) jointly issued a paper entitled, “Risk Management and Operational Resilience in a Remote Working Environment”. The paper highlights that, in view of the protracted remote working arrangements and the likely adoption of hybrid working arrangements in future, it is important that financial institutions (FIs) remain vigilant towards remote working risks and take pre-emptive steps to mitigate them. The paper seeks to:
- raise awareness of key remote working risks in the financial sector;
- share good practices adopted by FIs to mitigate key remote working risks; and
- encourage all FIs to adopt good practices on managing remote working risks.
The European Economic and Social Committee (EESC) has published an opinion on the proposed Digital Operational Resilience Act (DORA). The EESC makes a number of recommendations targeted at enhancing the effectiveness of the Act, including:
- ensuring consistency in definition and scope between DORA and the requirements set out in existing guidelines issued by the European Supervisory Authorities (ESAs);
- consolidating the requirements on outsourcing into a single rulebook, in order to enforce legal certainty for all market participants and reliably comply with supervisory expectations; and
- including proportionality in the penalty regime to avoid disincentives for ICT providers to serve EU financial entities and moving away from the current reference to worldwide turnover.
The European Central Bank (ECB) has published a report setting out its observations of best practices employed by financial market infrastructures (FMIs) in business continuity planning during the Covid-19 pandemic. The ECB intends that the report will provide a reference guide for supervisors and operators; it does not represent prescriptive oversight expectations.
The Monetary Authority of Singapore (MAS) has published responses to frequently asked questions (FAQs) on the Payment Services Act 2019. The FAQs are arranged into eight parts, with Part Seven dealing specifically with regulatory risk – technology and cyber risk.
The Central Bank of Ireland published its proposed “Cross Industry Guidance on Operational Resilience” for consultation. The Bank's guidance is developed around three pillars of operational resilience, which are: identify and prepare; respond and adapt; and recover and learn. The Bank set 9 July 2021 as the deadline for feedback.
The Hong Kong Monetary Authority (HKMA) issued a circular highlighting that the Basel Committee on Banking Supervision (BCBS) has issued final Principles for Operational Resilience (POR) and the revised Principles for the Sound Management of Operational Risk (PSMOR). The HKMA circular explains the aims of both the POR and the revised PSMOR. Although many of the requirements in the BCBS' publications are already covered in its existing guidance (including the Supervisory Policy Manual (SPM)), the HKMA is considering the need to provide additional guidance to implement the POR in Hong Kong. The revised PSMOR includes further guidance to improve the overall clarity of existing principles, updates where needed in the areas of change management and ICT management, and changes to ensure consistency with the new operational risk framework in the 2017 Basel III final package. The HKMA plans to provide relevant guidance through revising the SPM module OR-1 (Operational Risk Management).
The Financial Conduct Authority (FCA) has published a report of the discussions held at its quarterly Cyber Coordination Group meetings in 2020. In 2020, the FCA convened 157 firms in seven Cyber Coordination Groups, with each Group representing a specific sub-sector. The 2020 sub-sectors were: Insurance, Investment Management, Fund Management, Retail Banking and Payments Firms, Retail Investments and Lending, Brokers/Principal Trading Firms and Trading Venues/Benchmark Administration Firms. The report covers cyber threats; the emergence of Zero Trust Security models and artificial intelligence (AI); the impact of remote working occasioned by Covid-19 on cyber-security teams and systems; and mitigating supply chain risks, including fourth-party supply chain and cloud service provider (CSP) risk.
Lyndon Nelson, Deputy CEO & Executive Director of Regulatory Operations and Supervisory Risk Specialists at the Prudential Regulation Authority (PRA), spoke about the UK regulators' shared approach to operational resilience, covering:
- how the differences in language used by the Financial Conduct Authority (FCA) and the Bank of England were necessary to accommodate the respective authorities' underlying legislative bases;
- the relationship with the Basel Committee Principles for Operational Resilience;
- impact tolerances;
- outsourcing; and
- how the industry and regulatory approaches to operational resilience may be expected to mature over time.
The Financial Conduct Authority (FCA) updated its webpage on Outsourcing and Operational Resilience with new text regarding the application of the EBA Outsourcing Guidelines in the UK, and the relationship between the timelines set out in the EBA Guidelines and those set out by the Prudential Regulation Authority (PRA) in respect of outsourcing and third party risk management.
The International Organization of Securities Commissions (IOSCO) published a Thematic Review on the extent to which participating IOSCO jurisdictions have implemented regulatory measures consistent with the two Recommendations and the two Standards set out in the 2015 IOSCO reports on Business Continuity Plans (BCPs) for Trading Venues (TVs) and Market Intermediaries (MIs). The Review found that regulatory frameworks of some jurisdictions did not ensure that relevant provisions for critical systems extend to outsourced functions. The Review also found that regulations in some participating jurisdictions did not have any obligations for intermediaries to conduct a regular review of BCP arrangements or update BCPs in response to material business changes. The Review recommends that members include in their regulatory frameworks the necessary powers for the regulator to set and enforce requirements for TVs and MIs when they establish, maintain and update BCPs; to ensure the regulatory frameworks require enterprise-wide BCPs and not only disaster recovery or contingency measures for IT systems; and to provide sufficient clarity on governance and accountability for boards or senior management in relation to critical systems.
The European Data Protection Supervisor (EDPS) published an opinion on the Proposal for a Regulation on digital operational resilience for the financial sector (DORA). The EDPS highlighted the importance of ensuring that DORA is aligned with the requirements of the General Data Protection Regulation (GDPR), drawing out a number of aspects including, for example, international transfers of personal data to third party service providers established in third countries (outside the EU) and the principle of storage limitation. With regard to notification of data breaches, the EDPS notes that the wording of Recital 42 of DORA is incompatible with Article 33 of the GDPR, and recommends removing the reference to data protection authorities in Recital 42 of DORA and slightly amending Article 17 of DORA in line with the same.
The International Organisation of Securities Commissions (IOSCO) has issued its 2021-22 work programme. Among its priorities, IOSCO identifies a need to focus on risks exacerbated by Covid-19, including operational resilience. By 2022, IOSCO will deliver its report on operational, cyber security and business continuity planning risks.
The Australian Prudential Regulation Authority (APRA) set out its 2021 policy priorities, which include plans to consult on new and revised standards for operational resilience. These are expected to include the introduction of a new prudential standard specifically focused on operational risk management, revisions to the existing Prudential Standards CPS 231 Outsourcing and CPS 232 Business Continuity Management, and guidance for entities. These new and revised standards will form part of a suite of standards covering operational resilience, which also includes Prudential Standard CPS 234 Information Security.
17 May 2021
FCA: Update to outsourcing and operational resilience webpage regarding application of EBA outsourcing guidelines
18 MAY 2021
HKMA: Circular regarding secure tertiary data back-up
25 MAY 2021
PRA: Speech on Cyber Risk
3 JUNE 2021
PRA: Correction to operational resilience policy statement relevant to Solvency II firms
10 JUNE 2021
FSDC: Research report - Cybersecurity Strategy for Hong Kong's Financial Services Industry
EBA: Final guidelines on major incident reporting under PSD2
14 JUNE 2021
FSB: Outsourcing and third-party risk – Overview of responses to the public consultation
28 JUNE 2021
ECCC: Regulation establishing the ECCC and Network in force
Singapore/UK: Cyber security MoU
21 JULY 2021
IOSCO/CPMI: Report on FMI business continuity planning
29 JULY 2021
ECB: Response to independent review of TARGET incidents in 2020
23 AUGUST 2021
MAS and US Treasury: MoU on cybersecurity cooperation
26 AUGUST 2021
ECB: Opinion on DORA
1 September 2021
ESMA: TRV Report 2021 - Cloud outsourcing and financial stability risks
9 SEPTEMBER 2021
IA: Cybersec Infohub open for registration
17 September 2021
BoE: Letter to FMIs in relation to material outsourcing to the public cloud
20 September 2021
BCBS: Call for improved cyber resilience
24 September 2021
APRA: Updated schedule of policy priorities for 2021
16 April 2021
ECCC: First meeting of shadow Governing Board
The 'shadow' Governing Board of the European Cybersecurity Competence Centre (ECCC) has met for the first time. The meeting focused on the preparations and next steps on the establishment of the Cyber Centre. The Board met in an informal capacity, further to political agreement being reached on the Regulation which establishes the ECCC and related Network of National Coordination Centres. The Regulation is expected to enter into force in 2021.
The UK Financial Conduct Authority (FCA) updated its webpage with information regarding the application of the European Banking Authority (EBA) Outsourcing Guidelines in the context of the UK authorities' finalised operational resilience policy package. The update explained: 'Firms are not expected to report to [the FCA] on their progress towards meeting the timeline of 31 December 2021 in the EBA Guidelines regarding legacy outsourcing arrangements. Firms should aim to review any outstanding critical or important outsourcing arrangement at the first appropriate contract renewal following the first renewal date of each existing outsourcing arrangement or revision point. Where arrangements of critical or important outsourcing arrangements have not been finalised by 31 March 2022, firms should inform [the FCA]. This timeframe aligns with that of [...] final operational resilience policy (PS21/3) and [...] approach to these guidelines aligns with that of the PRA.'
The Hong Kong Monetary Authority (HKMA) published a circular regarding secure tertiary data backup. The circular makes reference to the Hong Kong Association of Banks (HKAB) Secure Tertiary Data Backup Guideline, which provides guidance to banks on the factors they need to take into account in deciding whether to set up a secure tertiary data backup and what implementation issues they need to overcome in ensuring its effectiveness. The guideline includes 8 high-level principles grouped under governance, design and data restoration. The HKMA expects all AIs to critically assess the need for such backup based on the HKAB's guideline. All retail banks and foreign bank branches with significant operations in Hong Kong are required to submit a report to the HKMA by 30 November 2021, setting out the outcome of their assessment. The HKMA will inform AIs individually if they are required to submit such report and the information to be included in the report.
The PRA has published a speech on cyber risk, delivered by Lyndon Nelson, Deputy CEO and Executive Director for Regulatory Operations and Supervisory Risk Specialists. Mr Nelson discussed steps to counter cyber risk, including simulation exercises, penetration testing and international collaboration.
The PRA updated PS6/21 Operational Resilience: Impact tolerances for important business services. The update is relevant only to firms with annual gross written premiums in excess of £10 billion determined on the basis of the average annual amount assessed across a rolling period of three years, calculated by reference to the firm’s accounting reference date. There was a typographical error in paragraph 3.15 of PS 6/21 which has resulted in PS6/21 not reflecting accurately the wording of the Operational Resilience – Solvency II Part of the PRA Rulebook, effective from Wednesday 31 March 2022. The figure of £10 billion referred to in paragraph 3.15 should read £15 billion.
The Financial Services Development Council (FSDC) has released a research report entitled 'Cybersecurity Strategy for Hong Kong’s Financial Services Industry'. The report details how cyber-attacks are affecting the financial industry, assesses the industry’s cyber resilience, and outlines ways to enhance the industry’s cyberspace safety framework.
The European Banking Authority (EBA) has published its final revised guidelines on major incident reporting under the Payment Services Directive (PSD2). The revised guidelines optimise and simplify the reporting process and templates; focus on incidents with significant impact on payment service providers (PSPs); and improve the meaningfulness of the information to be reported. The guidelines apply from 1 January 2022.
On 9 November 2020, the Financial Stability Board (FSB) published a discussion paper on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships. The FSB received 39 responses from a wide range of stakeholders. The FSB also held a virtual outreach meeting in late February 2021, attended by around 200 participants. This note summarises the main issues raised and views expressed in the public consultation, including the virtual outreach meeting.
The regulation establishing a new European Cybersecurity Competence Centre and a Network of National Coordination Centres has entered into force this week. The Cybersecurity Competence Centre, which will be located in Bucharest, will contribute to strengthening European cybersecurity capacities and to boosting research excellence and the competitiveness of the Union's industry in the cybersecurity field.
The UK and Singapore announced the launch of a new Financial Partnership at the sixth UK-Singapore Financial Dialogue. During the Dialogue, the two countries also announced a memorandum of understanding (MoU) to enhance bilateral cyber security cooperation, including the sharing of cyber-related information and supervisory best practices. The MoU was signed by UK Economic Secretary to the Treasury, Mr John Glen; Chief Executive of the Financial Conduct Authority (FCA), Mr Nikhil Rathi; Deputy Governor of the Bank of England (BoE) and Chief Executive of the Prudential Regulation Authority (PRA), Mr Sam Woods; and Managing Director of the MAS, Mr Ravi Menon.
The International Organization of Securities Commissions (IOSCO) and the Committee on Payments and Market Infrastructures (CPMI) have published a report on FMIs’ business continuity planning. The report represents the third Level 3 assessment of consistency in the outcomes of financial market infrastructures (FMIs). The report found that FMIs have operational reliability objectives, focusing on system availability and recovery time. However, some FMIs do not fully meet expectations with respect to recovery from operational incidents, such as natural disasters or IT systems outage.
The European Central Bank (ECB) published a letter from Fabio Panetta, Member of the Executive Board, on the independent review of TARGET incidents in 2020 and the Eurosystem’s response. The letter highlights the key points from the independent review and notes the ECB's intention to implement the recommendations from the review. The ECB announced the launch of an independent review in November 2020 after an incident, which affected TARGET2 on 23 October 2020, caused an extended outage. In total, five major information technology (not cyber) related incidents occurred in 2020, affecting payment transactions and securities processing of the TARGET Services that are under the responsibility of the Eurosystem. The independent review describes the incidents in detail, outlines their consequences for participants and identifies their root causes. It lists weaknesses in several areas, including business continuity management, fail-over and recovery testing, and communication protocols in crisis situations.
The Monetary Authority of Singapore (MAS) and the US Treasury have finalised a Memorandum of Understanding (MoU) in relation to cybersecurity cooperation. The MoU enhances cooperation in the following areas:
- information sharing relating to the financial sector, including cybersecurity regulations and guidance, cybersecurity incidents, and cybersecurity threat intelligence;
- staff training and study visits to promote cooperation in the area of cybersecurity; and
- competency-building activities such as the conduct of cross-border cybersecurity exercises.
The European Central Bank's (ECB) opinion on the proposed regulation on digital operational resilience for the financial sector (DORA) has been published in the Official Journal of the EU (OJ). In its opinion, the ECB welcomes the proposed regulation, which aims to enhance the cyber security and operational resilience of the financial sector. The ECB also makes a number of observations on the proposed regulation, and sets out recommended amendments to the European Commission's (EC) draft.
The European Securities and Markets Authority (ESMA) published its second Trends, Risks and Vulnerabilities (TRV) Report of 2021 which included an in-depth article looking at the financial stability risks of cloud outsourcing.
The Insurance Authority issued a circular to inform authorised insurers that the Cybersec Infohub is open for registration and to encourage authorised insurers to consider deploying the Cybersec Infohub in their compliance with the Guideline on Cybersecurity (GL20). Cybersec Infohub is a partnership programme jointly administered by the Office of the Government Chief Information Officer and the Hong Kong Internet Registration Corporation Limited for local companies / organisations with a business address in Hong Kong and which own an '.hk' internet domain name. It allows members to (among other things) access private groups to exchange information on specific topics of common interest and conduct discussions in a closed environment, collect threat intelligence through application programming interfaces, and receive trending cyber threat insights via daily emails.
The Financial Markets Infrastructure (FMI) Division of the Bank of England (BoE) has written to CEOs of central securities depositories (CSDs), recognised payment system operators (RPSOs), specified service providers (SSPs), and central counterparties (CCPs) to draw attention to the BoE's expectations with regard to material outsourcing to the public cloud as set out in existing publications. The letters also communicate the BoE's intention to consult on its proposed expectations and policies for FMIs on outsourcing in due course, with specific reference to the use of cloud.
The Basel Committee on Banking Supervision (BCBS) called on banks to improve resilience to cyber threats in a newsletter following its September 2021 meetings. The BCBS intended that the newsletter help promote the widespread adoption of measures to strengthen banks' cyber security. It complemented previous BCBS publications, including the set of principles for operational resilience and operational risk published in March 2021.
The Australian Prudential Regulation Authority (APRA) released a letter providing an updated schedule of policy priorities for the remainder of 2021, focusing on key reforms to strengthen financial resilience. APRA originally released its policy priorities in February 2021. Under the revised schedule, several policy releases originally scheduled for this calendar year have been deferred to 2022, including standards for operational resilience.
ECB: Opinion on DORA
APRA: Updated schedule of policy priorities for 2021
5 OCTOBER 2021
SFC: Guidance to intermediaries on operational resilience and remote working
6 OCTOBER 2021
EBA: 2022 Work Programme - VP4: Digital resilience, Fintech and innovation
11 OCTOBER 2021
FCA: Expectations on remote and/or hybrid working arrangements
15 OCTOBER 2021
MAS: Consultation proposed revisions to the Guidelines on BCM
19 OCTOBER 2021
FSB: Report on existing approaches to cyber incident reporting and next steps for broader convergence
27 OCTOBER 2021
IOSCO: Updated principles on outsourcing
29 OCTOBER 2021
MAS CSAP: Ways to strengthen security in IT supply chains, online banking and blockchains
15 NOVEMBER 2021
MAS: Deadline for responses to consultation proposed revisions to the Guidelines on BCM
23 NOVEMBER 2021
APRA: Insights article - Improving cyber resilience, the role boards have to play
25 NOVEMBER 2021
PRA: Consultation on operational resilience and operational continuity in resolution
6 DECEMBER 2021
ASIC: Report on cyber resilience assessments of financial markets firms
14 DECEMBER 2021
PRA: Statement on cyber stress test
22 DECEMBER 2021
HKMA: Consultation - new SPM module OR-2 'Operational Resilience' and revisions to modules OR-1 'Operational Risk Management' and TM-G-2 'Business Continuity Planning'
The Securities and Futures Commission (SFC) has released a circular to provide guidance on operational resilience and remote working. While the guidance provided on cybersecurity, business continuity plans, internal controls and risk management in codes, guidelines and circulars has assisted licensed corporations in maintaining resilience during the pandemic, the SFC considers it important to ensure continued strength against operational disruptions by adopting a comprehensive approach. Accordingly, the SFC has set out operational resilience standards and required implementation measures which supplement the SFC’s existing guidance. The SFC has also set out expected regulatory standards for managing and mitigating some major risks of remote working. The SFC encourages intermediaries to read the Report on Operational Resilience and Remote Working Arrangements which accompanies the circular. The report aims to provide intermediaries with a better understanding of the regulatory standards set out in the circular, including providing suggested techniques and procedures as well as case examples and lessons learned drawn from the SFC's review of licensed corporations' measures during the pandemic and other disruptive events.
The European Banking Authority (EBA) has published its annual work programme for 2022, outlining its activities, tasks and key strategic areas of work for the coming year. One of the EBA's five vertical priorities for this period is 'Digital resilience, Fintech and innovation: deepen analysis and information-sharing'. Under this priority, the EBA envisages work in relation to the EU's proposed Digital Operational Resilience Act (DORA). DORA may see the EBA given new tasks.
The FCA has published a new webpage on remote or hybrid working expectations for firms. Firms considering remote or hybrid working will be evaluated by the FCA on a case-by-case basis and should consider how remote working might affect:
- how they operate their business, including outsourcing arrangements;
- their engagement with the FCA; and
- notifications to the FCA on changes to working arrangements.
The Monetary Authority of Singapore (MAS) has issued a second consultation on proposed revisions to its Guidelines on Business Continuity Management (BCM). This second consultation includes revisions to address feedback received from the first consultation published in 2019 and incorporates key learnings from Covid-19. It builds on the policy intent from the first consultation to further emphasise the need for financial institutions to take an end-to-end view in ensuring the continuous delivery of critical business services, and introduce principles and practices that financial institutions can implement to strengthen operational resilience. Feedback to the consultation is requested by 15 November 2021. MAS notes that while this second consultation is on-going, financial institutions should continue to refer to the 2003 guidelines and supplementary guidance.
The Financial Stability Board (FSB) has published a report on the existing approaches and next steps for broader convergence of cyber incident reporting. The report notes that greater harmonisation of regulatory reporting of cyber incidents would promote financial stability by: building a common understanding, and the monitoring, of cyber incidents affecting financial institutions and the financial system; supporting effective supervision of cyber risks at financial institutions; and facilitating the coordination and sharing of information amongst authorities across sectors and jurisdictions.
The International Organisation of Securities Commissions (IOSCO) has published a report setting out updated outsourcing principles for regulated entities. The principles cover the following areas:
- due diligence in the selection and monitoring of a service provider and its performance;
- the contract with a service provider;
- information security, business resilience, continuity and disaster recovery;
- confidentiality issues;
- concentration of outsourcing arrangements;
- access to data, premises, personnel and associated rights of inspection; and
- termination of outsourcing arrangements.
The report also considers the impact of Covid-19 on outsourcing and operational resilience.
At its fifth annual meeting, held virtually on 26 and 27 October 2021, the Monetary Authority of Singapore (MAS) Cyber Security Advisory Panel (CSAP) supported the adoption of 'zero-trust' security principles and architecture to tackle advanced cyber threats and IT supply chain attacks. In addition, the panel discussed cyber risks and mitigating actions in emerging technologies such as blockchains and digital currencies.
The Australian Prudential Regulation Authority (APRA) has published an article setting out its views on how Boards need to strengthen their ability to oversee cyber resilience. The article follows on from APRA's completion of two pilot initiatives executed under APRA's 2020-2024 Cyber Security Strategy, specifically: a technology resilience data collection; and an independent assessment of a pilot set of entities’ compliance with CPS 234, APRA’s Information Security Prudential Standard.
The Australian Securities and Investments Commission (ASIC) released its latest report on the cyber resilience of firms operating in Australia’s financial markets. The report provides an update on organisations’ cyber resilience in the two years since the previous report (Report 651, covering November 2018-19). ASIC Commissioner Cathie Armour agreed that firms continue to be resilient against a rapidly changing cyber threat environment, including the increased threats arising from the Covid-19 pandemic, such as the targeting of remote workers, remote access infrastructure and supply chains.
The UK Prudential Regulation Authority (PRA) has announced that it will invite a number of firms to participate in a voluntary cyber stress test. The stress test will focus on a severe data integrity incident as the disruption scenario and will test firms’ ability to meet the impact tolerance for payments in a severe but plausible scenario. The cyber stress test is a separate but complementary exercise to the PRA’s operational resilience policy. It is the PRA's expectation that firms will be able to draw on their own preparations for the operational resilience policy for the purpose of the cyber stress test.
The Prudential Regulation Authority (PRA) published a consultation paper on operational resilience and operational continuity in resolution (CP21/21). The consultation sets out the PRA's proposals to apply the group provisions in the Operational Resilience Part of the PRA Rulebook relevant to Capital Requirements Regulation (CRR) firms to holding companies, and to make other minor formatting and clarification amendments to the Operational Resilience and Operational Continuity Parts of the PRA Rulebook. The PRA proposes that the implementation date for the changes resulting from CP21/21 would be: 31 March 2022 for Operational Resilience; and 1 January 2023 for Operational Continuity in Resolution. Responses are requested by 14 January 2022.
The Hong Kong Monetary Authority (HKMA) has released the following Supervisory Policy Manual (SPM) draft modules for industry consultation:
- a new module OR-2 'Operational Resilience';
- updated module OR-1 'Operational Risk Management'; and
- updated module TM-G-2 'Business Continuity Planning'.
The new module OR-2 sets out the HKMA’s supervisory approach to operational resilience and provides authorised institutions (AIs) with guidance on the general principles which they are expected to consider when developing their operational resilience framework. Comments are required to be submitted by 4 February 2022.
9 January 2020
FCA: Operational resilience and outsourcing webpage
The FCA has published a new webpage on operational resilience and outsourcing. The page covers:
• Operational resilience and third party providers
• How we define outsourcing and third party service supply
• Existing expectations on outsourcing and third party provision
• Material, critical or important outsourcing notifications
• Intra-group outsourcing
• Outsourcing and data security
• Outsourcing of portfolio management: list of cooperation agreements
• Risk management of outsourcing
• Cloud outsourcing
• FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services
• ESA Level 3 Guidelines on outsourcing, including cloud
• Who the EBA outsourcing guidelines apply to
15 January 2020
FCA: Report on Asset Management Risk Modelling and Portfolio Management Tools for Operational Resilience
The FCA has published the results of its review into how asset management firms selected and used risk modelling and other portfolio management tools, focussing on how these firms are placed to respond to system failures or service interruptions which could cause serious harm to consumers or potentially damage market integrity. This review builds on the FCA’s continuing work in the operational resilience sphere, including its cross-sector Technology and Cyber Resilience Questionnaire in 2017/8. The FCA sampled ten firms, examining their selection, use, management, oversight and implementation of portfolio management tools. The general view was that there are areas of good practice but scope for improvement.
16 January 2020
EU Commission: Deadline for Responses to Roadmap Consultation on Improving Resilience Against Cyberattacks (DORA)
The EU Commission launched both its public consultation phase and roadmap consultation on improving resilience against cyberattacks. The Commission’s initiative considers both new legislation on digital operational resilience and amending existing rules, particularly in the Network and Information Security (NIS) Directive. The roadmap consultation closes on 16 January 2020; the public consultation closes on 19 March 2020.
6 February 2020
EIOPA: Final Guidelines on Outsourcing to Cloud Service Providers
4 March 2020
FCA: Publication of Multi-firm Review Findings – Outsourcing in the Life Insurance Sector
The FCA has published a short set of findings from its review of outsourcing in the UK life insurance sector. The FCA’s findings are readily applicable to other outsourcing contexts, so regulated firms outside the life insurance sector should be aware of these. The FCA has tied in this review with its current focus on the operational resilience of regulated firms and the customer impacts caused by disruptions.
13 March 2020
EIOPA: Deadline for Responses to Consultation on the Proposal for Guidelines on Information and Communication Technology (ICT) Security and Governance
EIOPA has launched a consultation on the proposal for Guidelines on information and communication technology (ICT) security and governance. These guidelines shall provide guidance to national supervisory authorities and market participants on how regulation regarding operational risks set forth in Directive 2009/138/EC and in the Commission's Delegated Regulation 2015/35 and EIOPA Guidance set out in EIOPA's Guidelines on System of Governance is applied in the case of ICT security and governance.
Bank of England, PRA & FCA: Webinar on Consultations on building operational resilience
The webinar focused on key concepts in the UK regulators’ operational resilience proposals which were released on 5 December 2019. It was hosted by Lyndon Nelson, Deputy CEO of the PRA and Megan Butler, FCA Executive Director of the Supervision – Investment, Wholesale and Specialist.
19 March 2020
EU Commission: Deadline for Responses to Public Consultation on Improving Resilience Against Cyberattacks (DORA)
The Bank of England has announced that the deadline for responses to PRA CP29/19 and to the Bank’s CPs on operational resilience for FMIs has been extended from 3 April 2020 to 1 October 2020 in acknowledgement of firms’ need to focus on responding to Covid-19.
20 March 2020
Bank of England and PRA: Delay to Deadline for Responses to PRA CP29/19 and the Bank’s CPs for FMIs
16 April 2020
FSI: Briefing on Covid-19 and operational resilience
The FSI, a joint creation of the Bank for International Settlements (BIS) and the BCBS, has published a briefing on Covid-19 and operational resilience. Guidance issued by financial sector authorities in response to the Covid-19 crisis seems to suggest that international efforts to come up with operational resilience standards should take into account at least the following elements:
• critical/essential employees: identifying the critical functions and employees that support important business services, as well as ensuring employees' safety and that they can safely resume their duties (remotely, if necessary).
• IT infrastructure: ensuring that IT infrastructure can support a sharp increase in usage over an extended period and taking steps to safeguard information security.
• third-party service providers: ensuring that external service providers and/or critical suppliers are taking adequate measures and are sufficiently prepared for a scenario in which there will be heavy reliance on their services.
• cyber resilience: remaining vigilant in order to identify and protect vulnerable systems, and detect, respond to and recover from cyber attacks.
The FSB has published a consultation report on Effective Practices for Cyber Incident Response and Recovery, which was sent to G20 Finance Ministers and Central Bank Governors for their virtual meeting on 15 April. The toolkit of effective practices aims to assist financial institutions in their cyber incident response and recovery activities. Feedback to the consultation is requested by Monday 20 July 2020. The Final Report, including the toolkit, will be published in October 2020.
20 April 2020
FSB: Consultation on Effective Practices for Cyber Incident Recovery and Response
The Bank of England’s webpages related to its operational resilience consultations were updated as follows: “On 20 March, we announced an extension to the Bank and PRA consultations on Operational Resilience until 1 October 2020. It is planned that firms and FMIs will not need to meet requirements resulting from the consultations before the end of 2021. While operational resilience remains a top priority for the Bank, PRA and FCA, the delays are intended to alleviate burden on firms and FMIs in the wake of the Covid-19 outbreak.” This information relates to both PRA CP29/19 and the Bank’s consultations on operational resilience for FMIs.
7 May 2020
Bank of England and PRA: Announcement of delay to implementation of operational resilience requirements
Having initially delayed its planned consultation exercise to allow the financial services sector to focus on responding to Covid-19, the International Organization of Securities Commissions (IOSCO) subsequently found the pandemic a catalyst to proceed. Therefore, at the end of May, IOSCO launched its consultation on proposed updates to the 2005 Outsourcing Principles for Market Intermediaries and the 2009 Outsourcing Principles for Markets; feedback on the proposed new Outsourcing Principles (OPs) is requested on or before 1 October 2020. The decision to proceed reflects the acknowledgement that outsourcing is a key element for consideration when assessing operational resilience across the sector.
28 May 2020
IOSCO: Consultation on Updating the Principles on Outsourcing
In June 2020, the UK FCA undertook the first in a series of financial resilience surveys as part of the supervisory response to Covid-19 conditions. It surveyed the financial resilience of around 13,000 firms from across 15 sectors. The survey approach was also used in relation to Brexit with specific categories of firms, and may continue to be used as a business-as-usual supervisory tool.
3 June 2020
FCA: Commencement of Financial Resilience Surveys as a Supervisory Tool
On 4 June 2020, Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the FCA, delivered a speech on the FCA’s response to Covid-19 and expectations for 2020 to a virtual audience at PIMFA’s Virtual Festival. Ms Butler explored the FCA’s priorities and longer-term expectations, in particular for the wealth management and advice industry.
4 June 2020
FCA: Megan Butler speech on the FCA’s response to Covid-19 and expectation for 2020
The FCA has announced a delay to the implementation of operational resilience requirements, updating its website as follows: “It is planned that firms and FMIs will not need to meet requirements resulting from the consultations before the end of 2021. While operational resilience remains a top priority for the FCA, PRA and the Bank, the later publication date and implementation timetable are intended to alleviate burden on firms and FMIs in the wake of the Covid-19 outbreak.”
25 June 2020
FCA: Announcement of delay to implementation of operational resilience requirements
The FSB has published a consultation report on Effective Practices for Cyber Incident Response and Recovery, which was sent to G20 Finance Ministers and Central Bank Governors for their virtual meeting on 15 April. The toolkit of effective practices aims to assist financial institutions in their cyber incident response and recovery activities. The deadline for responses to the consultation is Monday 20 July 2020. The Final Report, including the toolkit, will be published in October 2020.
20 July 2020
FSB: Deadline for Responses to Consultation on Effective Practices for Cyber Incident Recovery and Response
The Basel Committee on Banking Supervision (BCBS) has published a consultative document on principles for operational resilience that aim to increase the capacity of banks to withstand disruptions due to potentially severe events, as well as a consultative document on revisions to the principles for the sound management of operational risk that focus on change management and information and communication technologies (ICT). Feedback for both consultations is requested by 6 November 2020.
6 August 2020
BCBS: Consultation on principles for operational risk and resilience
30 September 2020
EBA: Work Programme for 2021
In its Work Programme, the EBA explains that: “In 2021 the EBA will continue to focus on ensuring technological neutrality in regulation and supervisory approaches. This will be done by monitoring developments and supporting knowledge sharing between supervisors and common regulatory and supervisory stances via the EBA FinTech Knowledge Hub and the joint ESAs EFIF, by thematic analysis and by potential policy responses. Specific areas of work will include platformisation, regulatory and supervisory technologies, further work on operational resilience, and understanding developments in crypto-assets, artificial intelligence and big data.”
1 October 2020
IOSCO: Deadline for Responses to Consultation on Updating the Principles on Outsourcing
2 October 2020
EU Commission: Adoption of Proposal for an amending Directive and for a Regulation on digital operational resilience for the financial sector (DORA)
On 2 October, the EU Commission adopted a package of proposals which included a new law on digital operational resilience for financial services; there is an eight week feedback period.
The EBA has launched a public consultation to propose revising the Guidelines on major incident reporting under the Payment Service Directive (PSD2). The proposal aims at optimising and simplifying the reporting process, capturing additional relevant security incidents, reducing the number of operational incidents that will be reported, and improving the meaningfulness of the incident reports received. The revision of the Guidelines also intends to decrease the reporting burden on payment service providers (PSPs). The consultation runs until 14 December 2020.
14 October 2020
EBA: Consultation on the Revision of the Guidelines on Major Incident Reporting under PSD2
6 October 2020
Bank of England: Nick Strange speech at OpRisk Europe
Nick Strange talks about the policies the Bank uses to support the operational resilience of financial firms and financial market infrastructures in the UK, and outlines some of the early results of the Bank’s consultation on ‘Operational resilience: Impact tolerances for important business services’ (CP29/19). He considers the lessons from Covid, before moving on to consider the international regulatory harmonisation on operational resilience and its relationship with other domestic policies.
In April 2020, the FSB published a consultation report on Effective Practices for Cyber Incident Response and Recovery. The toolkit of effective practices aimed to assist financial institutions in their cyber incident response and recovery activities. Feedback was requested by Monday 20 July 2020, and the FSB has published the responses received. The FSB has now published the Final Report which presents a toolkit of 49 practices for effective cyber incident response and recovery across seven components: (i) governance, (ii) planning and preparation, (iii) analysis, (iv) mitigation, (v) restoration and recovery, (vi) coordination and communication, and (vii) improvement. The final toolkit draws on the feedback from a public consultation process, including four virtual outreach meetings. The report was delivered to G20 Finance Ministers and Central Bank Governors for their October 2020 meeting.
19 October 2020
FSB: Final Report on Effective Practices for Cyber Incident Recovery and Response and Overview of Consultation
6 November 2020
BCBS: Deadline for responses to consultation on principles for operational risk and resilience
9 November 2020
FSB: Discussion Paper on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships
The EBA has launched a public consultation to propose revising the Guidelines on major incident reporting under the Payment Service Directive (PSD2). The proposal aims at optimising and simplifying the reporting process, capturing additional relevant security incidents, reducing the number of operational incidents that will be reported, and improving the meaningfulness of the incident reports received. The revision of the Guidelines also intends to decrease the reporting burden on payment service providers (PSPs).
14 December 2020
EBA: Deadline for Responses to Consultation on the Revision of the Guidelines on Major Incident Reporting under PSD2
The Hong Kong Insurance Authority (IA) has issued a Guideline on cybersecurity which sets out the minimum standard that authorized insurers are expected to have in place and the general guiding principles which the IA uses to assess a firm’s cybersecurity framework. Section 8 of the guideline specifically addresses response and recovery. The guideline takes effect from 1 January 2020.
1 January 2020
IA: Guideline on cybersecurity
28 January 2020
Payment Services Act – commencement date for majority of the Act
The Act empowers the Monetary Authority of Singapore (MAS) to regulate payment services, including with regard to technology and cyber risks. The Act was passed by Parliament on 14 January 2019, and assented to by the President on 11 February 2019.
Date of Commencement: 28 January 2020 – Parts 1 to 8, sections 109, 110, 112, 115 to 120, Part 10, the First and Second Schedules.
Date of Commencement: 30 July 2020 – Section 114 (which relates to insolvency, restructuring and resolution).
9 FEBRUARY 2020
MAS: Advice to FIs to Adopt Recommended Measures for DORSCON Orange
Following the raising of the Disease Outbreak Response System Condition (DORSCON) Alert Level from Yellow to Orange, the Monetary Authority of Singapore (MAS) issued an advisory on 7 February 2020 for financial institutions in Singapore to adopt additional measures and precautions. MAS has also reminded financial institutions that they should remain vigilant on the cyber security front as there have been cases of cyber threat actors taking advantage of the 2019 Novel Coronavirus (2019-nCoV) situation to conduct email scams, phishing and ransomware attacks.
11 FEBRUARY 2020
MAS: Staff Paper – Cyber Risk Surveillance: A Case Study of Singapore
This staff paper examines a range of analytical approaches to assess and monitor cyber risk to the financial sector, including various approaches to stress testing.
5 MARCH 2020
MAS: Notice 126 ERM for insurers
The Monetary Authority of Singapore (MAS) issued revised Notice 126 Enterprise Risk Management (ERM) for Insurers. This notice applies to all licensed insurers, except captive insurers and marine mutual insurers. It sets out the ERM requirements and guidelines for insurers to identify and manage interdependencies between key risks, and how these are translated into management actions related to strategic and capital planning matters.
6 March 2020
HKMA: Circular on Sound Risk Management Practices for Algorithmic Trading
The HKMA issued a circular setting out its expectations on risk management for algorithmic (algo) trading. The circular covered the following areas: governance and oversight; development and testing; risk monitoring and controls; and documentation. With regard to risk monitoring and controls, the HKMA particularly highlighted that authorised institutions (AIs) should have in place robust pre-trade controls as well as post-trade real-time monitoring of algo trading. They should also have in place a kill functionality as an emergency measure and a business continuity plan for dealing with adverse scenarios. Also important are security controls over physical and electronic access to systems and incident handling procedures. The circular also presents feedback from the HKMA’s 2019 thematic review of the practices of seven AIs.
8 April 2020
MAS: S$35 million of new fund allocated to Strengthening Digitalisation and Operational Resilience
The Monetary Authority of Singapore (MAS) announced a S$125 million support package to sustain and strengthen capabilities in the financial services and FinTech sectors amid the current economic slump. The support package will help to position financial institutions (FIs) and FinTech firms for stronger growth when the threat of COVID-19 recedes and economic activity normalises. S$35 million has been allocated for strengthening digitalisation and operational resilience. MAS will set up a new Digital Acceleration Grant (DAG) to support digitalisation in smaller FIs and FinTech firms. The DAG will help these firms adopt digital solutions to strengthen operational resilience, process efficiency, risk management and customer service. This will include the adoption of digital tools and upgrading of systems that facilitate business continuity (e.g. document collaboration solutions and virtual conferencing systems).
17 APRIL 2020
SFC: Circular to Management Companies and Market Makers of SFC-authorised ETFs
The Hong Kong Securities and Futures Commission (SFC) issued a circular to management companies and market makers of SFC-authorised exchange traded funds (ETFs) to remind them of their obligations relating to market making. Among the obligations which the circular covers are that in the event of cessation, disruption or suspension of market making activities, a report be made to the SFC immediately, and that investors be kept informed. In addition, market makers of ETFs should (among other things): establish and maintain appropriate internal controls and risk management measures; invoke contingency measures in a timely fashion in anticipation of potential operational disruptions; and alert the management company of the ETFs, the SFC and the HKEX immediately if they experience or foresee any operational difficulties or disruptions that may affect the proper discharge of their market making functions.
29 April 2020
SFC: Circular to licensed corporations – Management of cybersecurity risks associated with remote office arrangements
The Hong Kong Securities and Futures Commission (SFC) issued a circular to remind licensed corporations (LCs) to assess their operational capabilities and implement appropriate measures to manage the cybersecurity risks associated with remote office arrangements which many LCs have put in place to mitigate the risks from Covid-19.
18 JUNE 2020
HKMA: Joint white paper with industry – Capacity Building for Future Banking 2021-2025
The Hong Kong Monetary Authority (HKMA) engaged the banking industry in July 2019 to start an industry-wide exercise to take stock of potential talent gaps during 2021 to 2025, with the aim of providing the industry with general directions for narrowing such gaps in the years ahead. The June 2020 white paper presented by the HKMA with the Hong Kong Association of Banks and Hong Kong Institute of Bankers reports on the findings of that engagement. Technological and data skills, including cybersecurity, are identified as one of the three key skills gap areas. The white paper explains that skills to defend against cyber threats and unauthorised access to computerised systems will be indispensable, although the impact of future development of quantum computing that may be able to compromise many existing encryption mechanisms should also be considered. Such knowledge will be required to perform different banking functions and may need to be embedded in the design of banking products and their delivery process.
21 July 2020
MAS: Consultation on the New Omnibus Act for the Financial Sector
The Monetary Authority of Singapore (MAS) published a consultation on the new Omnibus Act for the Financial Sector which includes (among other proposals) the harmonised power to impose requirements on technology risk management (TRM). MAS has relied on the powers in the respective Acts to specify its requirements on TRM for regulated activities. To facilitate MAS’ ability to impose TRM requirements on any financial institution (FI) or any class of FIs in relation to the FI’s system(s), irrespective of whether the system(s) supports a regulated activity, MAS proposed to introduce powers to issue directions or make regulations on TRM under the new Act. Additionally, the current maximum penalties that can be imposed for breaches of Tech-Risk Notices across the various Acts administered by MAS are not commensurate with the potential severity of a disruption to essential financial services and the potential impact to FIs’ customers. MAS proposes that the maximum penalty for breaches of regulations and Notices issued be S$1 million. Feedback to the consultation was requested by 20 August 2020.
6 AUGUST 2020
MAS: Notice on Cyber Hygiene comes into effect
The Monetary Authority of Singapore (MAS) issued a set of legally binding requirements to raise the cyber security standards and strengthen cyber resilience of the financial sector. The Notice on Cyber Hygiene sets out the measures that financial institutions must take to mitigate the growing risk of cyber threats. Specifically, it is mandatory for financial institutions to comply with the following requirements:
• establish and implement robust security for IT systems;
• ensure updates are applied to address system security flaws in a timely manner;
• deploy security devices to restrict unauthorised network traffic;
• implement measures to mitigate the risk of malware infection;
• secure the use of system accounts with special privileges to prevent unauthorised access; and
• strengthen user authentication for critical systems as well as systems used to access customer information.
Financial institutions have 12 months to put these measures in place before the requirements come into effect on 6 August 2020.
20 AUGUST 2020
MAS: Deadline for responses to Consultation on the New Omnibus Act for the Financial Sector
10 September 2020
HKMA: Guideline on Oversight of Designated Retail Payment System
The Hong Kong Monetary Authority (HKMA) has published a Guideline on Oversight of Designated Payment Systems. The guideline explains the HKMA's interpretation of some of the oversight requirements under the Payment Systems and Stored Value Facilities Ordinance (PSSVFO) relating to retail payment systems. The guideline sets out high level principles that the HKMA adopts in assessing the safety and efficiency of a designated retail payment system, its operating rules and compliance monitoring arrangements for the purpose of complying with the relevant statutory requirements. Section 2 of the guideline covers “Safety Requirements”, including operational risk management, outsourcing, business continuity management, and security. The HKMA expects prompt reporting of any potential inability to meet applicable statutory and/or regulatory requirements, or any breach of the operating rules of a designated retail payment system which may have a material impact on the system.
23 SEPTEMBER 2020
SFC: Circular to licensed corporations – Review of internet trading cybersecurity
The Hong Kong Securities and Futures Commission (SFC) has published the report of its thematic review of selected internet brokers which provide online trading services on desktop, mobile or designated website platforms; the review focused on cybersecurity issues and vulnerabilities associated with mobile trading applications. The report summarises the key findings and observations. It also highlights deficiencies and instances of non-compliance in areas such as Two-Factor Authentication (2FA), data encryption, and more. The circular elaborates on the regulatory expectations set out in the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading that came into effect in July 2018. In addition, it also provides guidance on specific system security controls which internet brokers should employ for mobile trading applications as required under the Code of Conduct for Persons Licensed by or Registered with the SFC.
5 October 2020
Joint Associations: AFMA, ASIFMA, FIA, IBA Japan, ISDA write to ASIC, Japan FSA, MAS, and Hong Kong SFC
A coalition of trade associations including the Australian Financial Markets Association (AFMA), Asia Securities Industry and Financial Markets Association (ASIFMA), Futures Industry Association (FIA), International Bankers Association of Japan (IBA Japan) and the International Swaps and Derivatives Association (ISDA) wrote to the Australian Securities and Investments Commission (ASIC), the Financial Services Authority of Japan (Japan FSA), Monetary Authority of Singapore (MAS) and Hong Kong Securities and Futures Commission (SFC) regarding a proposal for reciprocal business continuity plan (BCP) arrangements in East Asia/Pacific.
16 October 2020
MAS: Consultation on Proposed Regulations and Notices for Licensed Credit Bureaus and Approved Members
The Monetary Authority of Singapore (MAS) published a consultation on proposed regulations and notices applicable to the licensed credit bureaus (LCBs) and approved members regulated under the Credit Bureau Act 2016. MAS proposes to subject LCBs to similar technology risk management and cyber security requirements as other MAS-regulated firms. The draft notices on technology risk management and cyber hygiene are included in the consultation. Feedback to the consultation was requested by 15 November 2020.
22 October 2020
ECB: Speech by Pentti Hakkarainen on Cyber Security and Resilience
The European Central Bank (ECB) has published the remarks delivered by Pentti Hakkarainen, Member of the Supervisory Board of the ECB, at the European Banking Federation’s online conference on “Cyber security and resilience: the basis of it all in digital innovation”. Key messages from Mr Hakkarainen’s speech were:
• that digital operational resilience in the banking sector held up well during the pandemic, which indicates that the digital transformation processes required to keep up with societal changes are already well underway;
• threats from cybercrime may be increasing, as new remote working patterns have extended the potential area of attack; and
• authorities and banks should collaborate to withstand all cyber threats; banks’ digital systems must not only be cyber-resistant, they must also aim to be cyber-proof.
30 October 2020
HKMA: Report published on Transforming Risk Management and Compliance – Harnessing the power of RegTech
The Hong Kong Monetary Authority (HKMA) has published a white paper which sets out the case for wider adoption of RegTech in Hong Kong, and outlines a series of actions that the HKMA will take or is considering taking to accelerate adoption of RegTech solutions. The white paper makes a number of references to operational resilience, including noting the role of cloud computing in supporting RegTech solutions during Covid-19 and how RegTech solutions can support operational resilience through regulatory change periods.
3 November 2020
HKMA: Launch of CFI 2.0
The HKMA originally introduced its Cybersecurity Fortification Initiative (CFI) in 2016. The HKMA announced the launch of an updated CFI 2.0 on 3 November 2020. CFI 2.0 came into effect on 1 January 2021 and applies to all authorised institutions (AIs). CFI 2.0 consists of three pillars:
1. Cyber Resilience Assessment Framework (CRAF) – a self-assessment framework involving inherent risk assessment, maturity assessment, and intelligence-led cyber attack simulation testing (CAST) – AIs are divided into groups for a phased implementation up to the end of December 2023;
2. Professional Development Programme (PDP); and
3. Cyber Intelligence Sharing Platform (CISP).
10 NOVEMBER 2020
MAS: CSAP Advises FIs to Review Security Controls Amidst Covid-19
At its fourth annual meeting on 5 November, the Monetary Authority of Singapore (MAS)'s Cyber Security Advisory Panel (CSAP) stressed the need for financial institutions (FIs) to review their security controls given the elevated technology-related risks arising from remote working and safe management measures due to Covid-19. CSAP made several recommendations, including that FIs:
• review risk profiles and adequacy of risk mitigating measures;
• maintain oversight of third-party vendors and their controls; and
• strengthen governance over the use of open-source software (OSS).
15 November 2020
MAS: Deadline for responses to Consultation on Proposed Regulations and Notices for Licensed Credit Bureaus and Approved Members
3 December 2020
ECB: Statement Regarding Supervisory Cooperation on Operational Resilience
The European Central Bank (ECB) has published a statement regarding supervisory cooperation on operational resilience. The ECB says that it is encouraged by recognition of the shared interest between supervisors and the industry in strengthening operational resilience, and the actions firms have taken to date. However, the ECB considers that more work remains to be done to ensure banks are resilient to potential operational disruptions from all hazards, including severe but plausible cybersecurity incidents, which could pose risks to the wider financial system. The ECB recognises the global and interconnected nature of banks and the importance of supervisory coordination and is committed to working closely with the Federal Reserve and the UK Prudential Regulation Authority to ensure that supervisory approaches on operational resilience are coordinated.
10 DECEMBER 2020
SFC: FAQs to Circular on the Use of External Electronic Data Storage
The Hong Kong Securities and Futures Commission (SFC) has released its long-awaited frequently asked questions (FAQs) regarding its 31 October 2019 circular on the use of external electronic data storage providers (EDSP circular). The FAQs provided an alternative pathway to compliance with the EDSP circular, namely the provision of an undertaking by the relevant Manager(s) in Charge or Responsible Officer coupled with an Access Map broadly identifying the types of electronic regulatory records which are stored exclusively and the relevant physical locations of those electronic regulatory records.
15 December 2020
PRA: Dear CEO Letters Highlight Operational and Financial Resilience as Supervisory Priorities
The Prudential Regulation Authority (PRA) has published the 'Dear CEO' letters sent to PRA-regulated deposit takers, international banks and insurers. The letters explain the PRA's 2021 priorities; both operational resilience and financial resilience are noted as priorities. In its letter to deposit-takers, the PRA noted that during Covid-19 firms responded to ensure operations could continue, in some instances adjusting risk appetites to accommodate deficiencies in controls as a result of temporary changes to the operating environment. The PRA will challenge firms on how they are ensuring that risk and control frameworks, including the three lines of defence, are operating effectively. With regard to its operational resilience consultations, the PRA explains that it will set standards for operational resilience and outsourcing during 2021. The PRA encourages firms to address the lessons learned from Covid-19, and review how these might influence the development of operational resilience as a continuing discipline.
16 DECEMBER 2020
ECB: Speech by Fabio Panetta on Cyber Risk
The European Central Bank (ECB) has published the remarks delivered by Fabio Panetta, Member of the Executive Board, at the 5th meeting of the Euro Cyber Resilience Board (ECRB) for pan-European Financial Infrastructures. Under the title “Keeping cyber risk at bay: our individual and joint responsibility,” Mr Panetta outlined three lines of defence on which the EU can build to safeguard the cyber resilience of financial services – regulation and oversight; cyber resilience testing; and intelligence sharing. Mr Panetta stressed the need for continued effort to both prevent cyber incidents from occurring and, when such incidents do occur, to prevent incidents from escalating from the operational level to the financial level where they can ultimately start damaging confidence.
EU Commission: New EU Cybersecurity Strategy and NIS 2
The EU Commission and the High Representative of the Union for Foreign Affairs and Security Policy have presented a new EU Cybersecurity Strategy. Among the elements included in the strategy are:
• revised rules on the security of network and information systems under a Directive on measures for high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2') – NIS 2 will have an expanded scope, including (but not limited to) financial market infrastructures (FMIs) and digital infrastructures (e.g., cloud computing service providers, electronic communications services, etc.); and
• a new Directive on the resilience of critical entities which expands the scope of existing EU rules on critical infrastructure – ten sectors are now to be covered, including banking and FMIs.
18 DECEMBER 2020
ESMA: Final Report – Guidelines on Outsourcing to CSPs
MAS: Consultations on Notices to Banks and Merchant Banks on Management of Outsourced Relevant Services
The Monetary Authority of Singapore (MAS) published a consultation on a Notice to Banks on Management of Outsourced Relevant Services. MAS also intends to mirror the requirements of this notice for merchant banks in a Notice to Merchant Banks on Management of Outsourced Relevant Services. Feedback to the consultation was requested by 29 January 2021.
21 DECEMBER 2020
IAIS: Report on Cyber Risk Underwriting
The International Association of Insurance Supervisors (IAIS) has published a report on cyber risk underwriting, which identifies the challenges and supervisory considerations for sustainable market development. The main findings reported are that:
• cyber underwriting practices, while serviceable, are not yet optimal, particularly due to issues surrounding the measurement of risk exposures; and
• supervisory intensity and approaches are generally limited.
15 Feb 2020
EU Commission: Deadline for feedback on Commission’s adopted proposal for a Regulation on digital operational resilience for the financial sector (DORA)
2 November 2020
US Fed, FDIC and OCC: Interagency Paper on Sound Practices to Strengthen Operational Resilience
The Board of Governors of the Federal Reserve System (Fed), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued an interagency paper, “Sound Practices to Strengthen Operational Resilience”. To help large and complex domestic firms address unforeseen challenges to their operational resilience, the sound practices are drawn from existing regulations, guidance, and statements as well as common industry standards that address operational risk management, business continuity management, third-party risk management, cybersecurity risk management, and recovery and resolution planning. The guidance in the sound practices does not amend, expand, or alter the agencies’ existing regulations or guidance.
30 January 2020
APRA: Policy Priorities 2020 – overarching expectations for operational resilience
The Australian Prudential Regulation Authority (APRA) set out its 2020 policy priorities. With regard to operational resilience, APRA noted that "there is currently no specific detailed coverage of operational risk and other non-financial risks in the prudential framework applicable to all regulated entities." APRA confirmed that it intended to set overarching expectations for the management of operational risk and other non-financial risks, and to review and update relevant Prudential Standards (including CPS 231 Outsourcing and CPS 232 Business Continuity Management) and relevant Superannuation Standards (including SPS 231 Outsourcing and SPS 232 Business Continuity Management).
31 March 2020
ASIC: Market Integrity Update – Covid-19 Special Issue
The Australian Securities and Investments Commission (ASIC) has set out its expectations for market intermediaries in a special Covid-19 edition of Market Integrity Update. The edition specifies ASIC's expectations with respect to business continuity and back-up arrangements, and supervision of staff working remotely.
26 August 2020
APRA: Insight Article – Covid 19: A Real-World Test of Operational Resilience
Insight - Issue Three 2020, the journal produced by the Australian Prudential Regulation Authority (APRA), includes an article discussing how Covid-19 has provided a real-world test for operational resilience. While Australia’s financial entities are weathering the pandemic well so far, the pandemic provides important lessons about the maintenance of sufficient operational resilience, the factors that can undermine that resilience, and the need to consider a variety of plausible shocks.
APRA: Chair’s Remarks to the BCBS Outreach Meeting
Wayne Byres, Chair of the Australian Prudential Regulation Authority (APRA), addressed the Basel Committee on Banking Supervision (BCBS) at the BCBS outreach meeting on operational resilience. The APRA Chair highlighted a number of lessons on operational resilience drawn from Covid-19 in relation to board oversight, business continuity planning (BCP), technology change management and oversight, and people risk.
December 2020
ASIC: Operational resilience of market intermediaries during the Covid-19 pandemic
The Australian Securities and Investments Commission (ASIC) published its observations on market intermediaries' operational approaches during the pandemic, the operational challenges they faced, and future focus areas for market intermediaries. The observations are based on engagement with market intermediaries since March 2020 when ASIC set out its expectations regarding business continuity and the supervision of staff during the pandemic.
12 October 2020
EIOPA: Guidelines on ICT security and governance
The European Insurance and Occupational Pensions Authority (EIOPA) finalised the Guidelines on Information and Communication Technology (ICT) Security and Governance. The objective of the guidelines is to promote the increase of the operational resilience of the digital operations of insurance and reinsurance undertakings against the risks they face. National supervisory authorities are expected to apply the guidelines from 1 July 2021.
25 February 2019
EBA: Guidelines on Outsourcing Arrangements
Following consultation in the second half of 2018, the EBA has published its final report on draft guidelines for outsourcing arrangements. The report contains both the guidelines at pages 17-55 and the EBA’s feedback on the public consultation at pages 68-125. Most provisions of the guidelines will enter into force on September 30, 2019. At the same time, the guidelines will replace those issued by the EBA’s predecessor organisation, the Committee of European Banking Supervisors (CEBS), in 2006 and will also incorporate the EBA’s 2017 recommendations on outsourcing to cloud service providers which came into effect on July 1, 2018. The guidelines are intended to establish a more harmonised framework for financial institutions that are within the scope of the EBA’s mandate. They apply to credit institutions and investment firms which are subject to the Capital Requirements Directive (CRD) as well as to payment and electronic money (e-money) institutions.
8 March 2019
FCA: Cyber Security – Industry Insights
Since 2017, the FCA has brought together over 175 firms across different financial sectors to share information and ideas from their cyber experiences, forming Cyber Coordination Groups (CCGs). During 2018/19, the groups have been discussing and sharing practices in the following areas: Governance, Identification, Protection, Detection, Situational Awareness, Response and Recovery, and Testing. The FCA has collated the examples shared by firms and set out those it considers to be beneficial for a wider audience under each of these themes; it intends that the insights will help firms to prioritise their efforts in increasing cyber resilience.
10 May 2019
FSB: Dietrich Domanski speech to the G7 2019 Conference on Cybersecurity
The FSB has published the remarks of its Secretary General Dietrich Domanski on coordinating efforts to protect the financial sector in the global economy at the G7 2019 Cybersecurity Conference hosted by the Banque de France.
28 May 2019
FSB: Progress Report to the G20 Finance Ministers and Central Bank Governors on Cyber Incident Response and Recovery
The FSB’s progress report, delivered to G20 Finance Ministers and Central Bank Governors ahead of their meetings in Fukuoka on 8-9 June, provides an update on the FSB’s work on developing effective practices for financial institutions’ response to and recovery from a cyber incident. In the report, the FSB advises that it will launch an online survey in July 2019 which will help to identify effective practices at financial institutions. A public consultation will be launched in early 2020, and the toolkit of effective practices will be finalised later the same year.
5 June 2019
Bank of England: Lyndon Nelson speech at report launch
Bank of England Deputy CEO Lyndon Nelson delivered the keynote address at the launch of TheCityUK's report 'Operational resilience in financial services: time to act'.
18 June 2019
IOSCO: Final Report of the Cyber Task Force
The report examines how IOSCO member jurisdictions apply three internationally recognised cyber standards, which are termed the Core Standards in the report. These standards consist of the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures; the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity; and the International Organization for Standardization 27000 series standards. The report does not propose new cyber standards or guidance.
1 July 2019
EIOPA: Consultation on Guidelines on Outsourcing to Cloud Service Providers
EIOPA is consulting on outsourcing to cloud service providers. The aim of these guidelines is to: (a) provide clarification and transparency to market participants avoiding potential regulatory arbitrages; and (b) foster supervisory convergence regarding the expectations and processes applicable in relation to cloud outsourcing. The deadline for responses is 30 September 2019.
11 July 2019
FSB: Survey of Industry Practices – Cyber Incident Response and Recovery
The FSB is developing a toolkit of effective practices relating to a financial institution’s response to, and recovery from, a cyber incident. The toolkit aims to provide financial institutions and authorities with a set of effective practices and will be based on the shared experience and diversity of perspectives gathered by the FSB, including through responses to its survey of industry practices. The survey closes on 28 August 2019.
28 August 2019
FSB: Survey of Industry Practices – Cyber Incident Response and Recovery Closes
17 September 2019
EIOPA: Cyber Risk for Insurers – Challenges and Opportunities Report
EIOPA has published a report on "Cyber Risk for Insurers – Challenges and Opportunities". The findings confirm the need for a sound cyber resilience framework for insurers and identify the key challenges faced by cyber underwriters. In particular, clear, comprehensive and common requirements on the governance of cybersecurity as part of operational resilience would help ensure the safe provision of insurance services. This would include a consistent set of definitions and terminology on cyber risks to enable a more structured and focused dialogue between the industry, supervisors and policymakers, which could further enhance the cyber resilience of the insurance sector. Ultimately, further actions to strengthen the resilience of the insurance sector against cyber vulnerabilities are essential, in particular considering the dynamic nature of cyber threats.
27 September 2019
Bank of England: Sector Cyber Resilience Exercise results
The Bank has published the high level findings of the financial sector cyber simulation exercise that took place on 9 November 2018. The exercise explored the sector’s resilience to a major cyber incident impacting the UK. The exercise demonstrated that recommendations from the last sector exercise have been implemented and identified further opportunities for improvement. It also successfully rehearsed the Cross Market Business Continuity Group, an executive level group chaired by the Bank to enable financial authorities (the Bank, PRA, FCA and HMT) to interact with the sector during times of major operational disruption. Alongside the financial authorities, participants included 29 of the most systemically important firms and Financial Market Infrastructures. Participants responded to a severe but plausible cyber-attack scenario targeting the sector. As the report sets out, the exercising found:
(1) Opportunities to improve the way firms coordinate at an operational level during incidents that impact the sector;
(2) Disparity in risk tolerance for suspending services could impact the functioning of the financial sector;
(3) Recovery of services is impacted by differences in the way data is stored across the financial sector; and
(4) Effective and consistent communications are key to maintaining customer and market confidence.
30 September 2019
EIOPA: Deadline for responses to Consultation on Guidelines on Outsourcing to Cloud Service Providers
EBA: Entry into Force of EBA Guidelines on Outsourcing Arrangements
The FCA has published the remarks delivered by Executive Director Megan Butler at TISA’s Operational Resilience Forum. In a speech entitled ‘The View from the Regulator on Operational Resilience’, Ms Butler explained that the proposals in the UK authorities’ consultation package (also published on 5 December 2019) make it clear that they expect firms to understand their vulnerabilities, and to invest in mitigation to protect the firm, consumers and the market.
5 December 2019
FCA: Speech on Operational Resilience by Megan Butler, Executive Director of Supervision for Investment, Wholesale and Specialist, delivered at TISA’s Operational Resilience Forum
On 5 December 2019, the Bank of England, the PRA and the FCA released a number of publications on operational resilience, marking the launch of a consultation phase which will inform how the UK authorities seek to embed the consideration of operational resilience into the regulatory framework. Responses were initially requested by 3 April 2020, but all the dates were subsequently revised to 1 October 2020 in acknowledgement of the impact of Covid-19 on firms’ resources. Implementation has similarly been pushed back to ‘not before the end of 2021’.
Bank of England, PRA & FCA: Consultations on building operational resilience, including outsourcing
EIOPA has launched a consultation on the proposal for Guidelines on information and communication technology (ICT) security and governance. These guidelines shall provide guidance to national supervisory authorities and market participants on how regulation regarding operational risks set forth in Directive 2009/138/EC and in the Commission's Delegated Regulation 2015/35 and EIOPA Guidance set out in EIOPA's Guidelines on System of Governance is applied in the case of ICT security and governance. The consultation is open until Friday, 13 March 2020.
12 December 2019
EIOPA: Consultation on the Proposal for Guidelines on Information and Communication Technology (ICT) Security and Governance
19 December 2019
EU Commission: Launch of Public Consultation and Roadmap Consultation on Improving Resilience Against Cyberattacks (DORA)
Payment Services Act passed by Parliament
14 JANUARY 2019
29 JANUARY 2019
MAS: Speech by Ms Elean Chin, Division Head, at the CyRiM Scenario Project Launch
7 February 2019
MAS: Consultation on Outsourcing by Banks and Merchant Banks
7 MARCH 2019
MAS: Consultations on Enhancements to Technology Risk and Business Continuity Management Guidelines
8 MARCH 2019
MAS: Deadline for responses to Consultation on Outsourcing by Banks and Merchant Banks
8 APRIL 2019
MAS: Deadline for responses to Consultations on Enhancements to Technology Risk and Business Continuity Management Guidelines
15 May 2019
ECB: Summary of Cyber Resilience-related Supervisory Activity and Cyber Incident Reporting
13 JUNE 2019
MAS: Announcement of plans to work with the Bank of England towards an MoU on cyber security
5 JULY 2019
MAS: Consultation on Proposed Payment Services Notices and Guidelines
FCA: Multi-firm Review of BCP
5 August 2019
MAS: Deadline for responses to Consultation on Proposed Payment Services Notices and Guidelines
6 AUGUST 2019
MAS: Publication of Notice on Cyber Hygiene
30 SEPTEMBER 2019
MAS: CSAP highlights need for managing cyber risks in IT supply chains
MAS: Speech by Mr Vincent Loy, Assistant Managing Director (Technology) at the 3rd CSAP meeting
30 OCTOBER 2019
MAS: Speech by Mr Benny Chey, Assistant Managing Director at the launch of the CyRiM Shen Scenario Report
31 OCTOBER 2019
SFC: Circular on the Use of External Electronic Data Storage
5 NOVEMBER 2019
MAS: Publication of MAS feedback to responses received to Consultation on Outsourcing by Banks and Merchant Banks
12 NOVEMBER 2019
MAS: MoU with ACPR and Banque de France to enhance cooperation on cyber security
29 NOVEMBER 2019
5 DECEMBER 2019
MAS: Publication of MAS feedback to responses received to Consultation on Proposed Payment Services Notices and Guidelines
Ms Elean Chin, Division Head, Monetary Authority of Singapore (MAS), spoke at the launch of the Cyber Risk Management Project (CyRiM) cyber scenario report. In a speech entitled “Building Resilience against Cyber Catastrophes”, Ms Chin discussed:
• the global legislative response to cyber risk;
• Singapore’s response to cyber risk – legislation, knowledge and information sharing and capability development;
• the role of insurance in responding to cyber risk; and
• gaps in cyber insurance.
The Monetary Authority of Singapore (MAS) published a consultation on proposed revisions to the regime governing banks’ and merchant banks’ outsourcing arrangements, including proposed amendments to the Banking Act. MAS proposes to issue an Outsourcing Notice for Banks and Merchant Banks that will set out identical requirements for banks and merchant banks in respect of outsourcing arrangements which are material. Feedback to the consultation was requested by 8 March 2019. MAS published its response to feedback received on 5 November 2019.
The Monetary Authority of Singapore (MAS) released two consultations on proposed changes to the Technology Risk Management (TRM) Guidelines and the Business Continuity Management (BCM) Guidelines. The changes will require financial institutions (FIs) to put in place enhanced measures to strengthen operational resilience. MAS proposes to expand the TRM Guidelines to include guidance on effective cyber surveillance, secure software development, adversarial attack simulation, and management of cyber risks posed by the Internet of Things. MAS also proposes to update the BCM Guidelines to raise standards for FIs in the development of business continuity plans that will better account for interdependencies across FIs’ operational units and linkages with external service providers. FIs are encouraged to put in place an independent audit programme to regularly review the effectiveness of their BCM efforts. Feedback to the consultation was requested by 8 April 2019.
The European Central Bank (ECB) has published an article which summarises its supervisory activity around cyber resilience and cyber incident reporting. Recent ECB analysis of the first two years of data on cyber incident reporting found a fairly low number of significant cyber incidents. In most cases, the incidents reported were detected – belatedly – by the banks themselves or by a third party. Most of them led to a short disruption of services with limited financial loss. The most frequently reported incidents were distributed denial of service (DDoS) attacks, unauthorised access requests, data leakage and phishing attacks. The ECB concludes that the diverse nature of cyber incidents indicates that there is a range of vulnerabilities that banks need to address: it is important for banks to improve their cyber resilience on the technical and human levels and to install efficient crisis management procedures to ensure they are prepared for the worst-case scenario.
At the UK-Singapore Business Summit held in London in commemoration of Singapore’s Bicentennial, the Monetary Authority of Singapore (MAS) and the Bank of England (BoE) also signalled their intent to further cooperate to enhance cyber security and resilience for the financial services industry. Both parties will work towards an MoU to formalise their engagement on cyber security matters. Singapore and the UK also signed agreements on cooperation in data connectivity, talent development and green finance.
The Monetary Authority of Singapore (MAS) published a consultation on proposed notices and guidelines applicable to entities regulated under the Payment Services Act 2019, including with respect to technology risk management and cyber hygiene requirements. Feedback to the consultation was requested by 5 August 2019.
The FCA reviewed business continuity planning (BCP) amongst a number of small and medium-sized retail banks, payments institutions and electronic money institutions. Most firms demonstrated a good understanding of the importance of BCP. There were examples of good practice, such as governance with clear accountability and real-time monitoring to identify events as soon as they occur. However, the FCA identified some important areas where improvements could be made. In particular, it found examples where firms did not fully understand the link between large-scale change projects and BCP. The FCA also saw examples where firms were assigning the management and oversight of events to staff at too low a level in their organisation.
The Monetary Authority of Singapore (MAS) issued a set of legally binding requirements to raise the cyber security standards and strengthen cyber resilience of the financial sector. The Notice on Cyber Hygiene sets out the measures that financial institutions must take to mitigate the growing risk of cyber threats. Specifically, it is mandatory for financial institutions to comply with the following requirements:
• establish and implement robust security for IT systems;
• ensure updates are applied to address system security flaws in a timely manner;
• deploy security devices to restrict unauthorised network traffic;
• implement measures to mitigate the risk of malware infection;
• secure the use of system accounts with special privileges to prevent unauthorised access; and
• strengthen user authentication for critical systems as well as systems used to access customer information.
Financial institutions (FIs) have 12 months to put these measures in place before the requirements come into effect on 6 August 2020.
The Cyber Security Advisory Panel (CSAP) convened by the Monetary Authority of Singapore (MAS) discussed the latest cybersecurity challenges and strategies related to the financial industry in Singapore. During the discussions chaired by MAS Managing Director Ravi Menon, CSAP members highlighted the need to strengthen the cyber risk culture in financial institutions, enhance cyber monitoring and surveillance capabilities, and better manage cybersecurity risks in IT supply chains.
Mr Vincent Loy, Assistant Managing Director (Technology) of the Monetary Authority of Singapore (MAS), addressed the 3rd Cyber Security Advisory Panel (CSAP) Meeting. In a speech entitled “Building Cyber Resilience across the Finance Sector”, Mr Loy discussed:
• cyber threats in the financial sector;
• regulations and guidance, including the recently released Notice on Cyber Hygiene;
• industry collaboration and support;
• collaboration with national and international agencies, including the interaction which MAS has with the Financial Stability Board (FSB) working group on Cyber Incident Response and Recovery (CIRR);
• information sharing, both within Singapore and beyond; and
• consumer education.
Mr Benny Chey, Assistant Managing Director of the Monetary Authority of Singapore (MAS), addressed an audience at Lloyd’s of London to mark the launch of the Cyber Risk Management Project (CyRiM) catastrophic cyber attack scenario report. The scenario report focused on the maritime sector. In his remarks, Mr Chey outlined the rationale for boosting cyber resilience in the maritime sector, discussed the regulatory efforts to enhance cyber security, and explained the role of cyber insurance in building cyber resilience.
The Hong Kong Securities and Futures Commission’s (SFC’s) circular on the use of external electronic data storage by licensed corporations (LCs) was issued on 31 October 2019. The circular addresses conditions regarding the use of external electronic data storage providers (EDSPs) by LCs. For the purposes of this circular, EDSPs include external providers of: (a) public and private cloud services; (b) servers or devices for data storage at conventional data centres; (c) other forms of virtual storage of electronic information; and (d) technology services whereby (i) information is generated in the course of using the services, and the information is stored at such technology service providers or other data storage providers, and (ii) the information generated and stored can be retrieved by such technology service providers.
The Monetary Authority of Singapore (MAS) announced that it will sign a Memorandum of Understanding (MoU) with the French Autorité de contrôle prudentiel et de résolution (ACPR), and Banque de France to enhance cooperation in cybersecurity, through regular information sharing on cyber incidents and threat intelligence.
The Monetary Authority of Singapore (MAS) published a consultation on proposed notices and guidelines applicable to entities regulated under the Payment Services Act 2019, including with respect to technology risk management and cyber hygiene requirements. Feedback to the consultation was requested by 5 August 2019. MAS published its response to feedback received on 5 December 2019.
HKMA: Deadline for firms in second phase of C-RAF to have completed iCAST
HKMA: Deadline for firms in third and final phase of C-RAF to have completed C-RAF Inherent Risk Assessment and Maturity Assessment
The Hong Kong Monetary Authority (HKMA) launched the first phase of the Cyber Resilience Assessment Framework (C-RAF) under the Cybersecurity Fortification Initiative (CFI) implementation in December 2016. 30 authorized institutions (AIs) including all the major retail banks were requested to complete the C-RAF Inherent Risk Assessment and Maturity Assessment by end-September 2017 and the Intelligence-led Cyber Attack Simulation Testing (iCAST) by end-June 2018. Phase two covers 60 AIs with a relatively higher inherent risk or a larger scale of operation among the remaining AIs not covered in the first phase. Phase two firms were expected to complete the C-RAF Inherent Risk Assessment and Maturity Assessment by end December 2018, and the iCAST by end September 2019.
The Hong Kong Monetary Authority (HKMA) launched the first phase of the Cyber Resilience Assessment Framework (C-RAF) under the Cybersecurity Fortification Initiative (CFI) implementation in December 2016. 30 authorized institutions (AIs) including all the major retail banks were requested to complete the C-RAF Inherent Risk Assessment and Maturity Assessment by end-September 2017 and the Intelligence-led Cyber Attack Simulation Testing (iCAST) by end-June 2018. Phase two covers 60 AIs with a relatively higher inherent risk or a larger scale of operation among the remaining AIs not covered in the first phase. Phase two firms were expected to complete the C-RAF Inherent Risk Assessment and Maturity Assessment by end December 2018, and the iCAST by end September 2019. Phase three firms (around 90 AIs) were expected to complete the C-RAF Inherent Risk Assessment and Maturity Assessment by end-September 2019, and would be directed by the HKMA to complete the iCAST (if it was applicable) by mid-2020.
25 March 2019
APRA: Consultation on Prudential Practice Guide 234 Information Security
30 APRIL 2019
APRA: Information paper – PIR of APRA's 2013 superannuation prudential framework
25 JUNE 2019
APRA: Prudential Practice Guide CPG 234 Information Security
27 JUNE 2019
ASIC: Consultation on proposed market integrity rules for technological and operational resilience
23 October 2019
ASIC: Speech: Commissioner Cathie Armour on financial technology
18 December 2019
ASIC: Report 651: Cyber resilience of firms in Australia's financial markets 2018-19
The Australian Securities and Investments Commission (ASIC) published a report on the cyber resilience of firms operating across Australia's financial markets. The report provides an update on REP 555, which was published in November 2017.
The Australian Securities and Investments Commission (ASIC) published the remarks delivered by Commissioner Cathie Armour at the China Financial Summit 2019, 22nd China Beijing International High-Tech Expo, Beijing, 23 October 2019. In a speech focused on how ASIC is supporting fintech, Ms Armour discussed cyber resilience as a technology-related focus for ASIC. She commented, "While we have observed a growing understanding that cyber risk is a strategic, enterprise-wide issue, there remains disparity between firms when it comes to investment in cyber security and more to be done to drive continuous improvement in cyber resilience. We also note that use of third-party service providers and partnerships – often intended to optimise operational efficiencies – heighten the risk of cyber incidents. Cybersecurity, especially data integrity and protection, are crucial for consumer trust. Fintech and regtech developments need to get this right or else the consequences could be devastating."
The Australian Securities and Investments Commission (ASIC) released a consultation paper proposing new market integrity rules for securities and futures market operators and participants with the aim of promoting the technological and operational resilience of their critical systems. The proposals addressed the following areas of critical systems arrangements: change management in relation to critical systems; outsourcing of critical systems; risk management, and data and cyber security; incident management and business continuity planning (BCP); governance and resourcing; and fair access to markets and trading controls. The deadline for comments was 9 August 2019.
The Australian Prudential Regulation Authority (APRA) has released updated prudential guidance to all APRA-regulated entities on managing information security risks, including cyber-crime. Prudential Practice Guide CPG 234 Information Security replaces CPG 234 Management of Security Risk in Information and Information Technology. The updated guide supplements CPS 234 Information Security, which came into force on 1 July 2019.
In 2018, the Australian Prudential Regulation Authority (APRA) undertook a post-implementation review (PIR) of the superannuation prudential framework introduced following the 2013 Stronger Super reforms. The final report of the PIR was published in April 2019. Chapter 5 addresses financial requirements, operational risk and outsourcing, and business continuity management.
The Australian Prudential Regulation Authority (APRA) released for consultation updated guidance on protecting against the rise in information security risks, including cyber-crime. A new cross-industry Prudential Practice Guide 234 Information Security (CPG 234) will replace the existing CPG 234 Management of Security Risk in Information and Information Technology. The updated CPG 234 has been developed to help industry embed APRA’s new cross-industry prudential standard on information security, CPS 234, effective from 1 July 2019. It also provides guidance on addressing several common information security weaknesses that APRA has observed through its regular supervisory activities. The deadline for comments was 17 May 2019.
13 January 2018
EBA: Application of the Final Guidelines on Major Incident Reporting under PSD2
The EBA has adopted the Final Guidelines on major incident reporting under the revised Payment Services Directive (PSD2). The Guidelines set out the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State. The Guidelines will apply from 13 January 2018.
19 February 2018
BCBS: Sound Practices on the Implications of Fintech Developments for Banks and Bank Supervisors
The BCBS Sound Practices on the Implications of Fintech Developments for Banks and Bank Supervisors assesses how technology-driven innovation in financial services, or "FinTech", may affect the banking industry and the activities of supervisors in the near to medium term. Various future potential scenarios are considered, with their specific risks and opportunities. In addition to the banking industry scenarios, three case studies focus on technology developments (big data, distributed ledger technology and cloud computing) and three on fintech business models (innovative payment services, lending platforms and neo-banks). Against this backdrop, current observations suggest that although the banking industry has undergone multiple innovations in the past, the rapid adoption of enabling technologies and emergence of new business models pose an increasing challenge to incumbent banks in almost all the banking industry scenarios considered. The report presents 10 key implications and related considerations.
13 June 2018
Bank of England: Lyndon Nelson speech at the 20th Annual Operational Risk Europe Conference
Looking back over his 30 years in the City, Lyndon Nelson highlights the risks posed by cyber and other operational incidents, given the financial system’s increasing reliance on technology and data. It is important for firms to have the ability to withstand, absorb and recover from operational incidents. He also speaks about the Authorities Response Framework, which ensures regulatory coordination in the event of a critical incident. Nelson used the term "WAR footing" to describe how firms should be ready for an operational incident – W: withstand, A: absorb, R: recovery. Firms are expected to set their own tolerances for key business services. These tolerances should be in the form of clear metrics indicating when a disruption would represent a threat to a firm, to consumers or to financial stability. Firms should test their tolerances and demonstrate to their supervisors that they have concrete measures in place to deliver resilient services.
22 June 2018
EBA: Consultation on Draft Guidelines on Outsourcing Arrangements
The EBA has launched a public consultation on its draft Guidelines on outsourcing which will update the existing CEBS Guidelines on outsourcing published in 2006. The revised Guidelines cover credit institutions and investment firms subject to the Capital Requirements Directive (CRD), but also payment institutions subject to the revised Payment Services Directive (PSD2) and electronic money institutions subject to the e-money Directive. The consultation runs until 24 September 2018.
29 June 2018
IAIS: Application Paper on Supervision of Insurer Cybersecurity
This IAIS Application Paper is intended to provide further guidance to supervisors seeking to develop or enhance their approach to supervising the cyber risk, cybersecurity, and cyber resilience of insurers. Feedback was due by 13 August 2018.
1 July 2018
EBA: Recommendations on Outsourcing to Cloud Service Providers Apply
The EBA has issued its Final Report on Recommendations on Outsourcing to Cloud Service Providers. These recommendations clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing, so as to allow them to leverage the benefits of using cloud services, while ensuring that any related risks are adequately identified and managed. The recommendations apply from 1 July 2018.
2 July 2018
FSB: Consultation on a Cyber Lexicon
The FSB has published a draft Cyber Lexicon of 50 terms related to cyber security and cyber resilience in the financial sector for public consultation. Feedback is requested by 20 August 2018.
5 July 2018
Bank of England, PRA & FCA: Discussion Paper on Building the UK Financial Sector’s Operational Resilience (PRA DP01/18 and FCA DP 18/4)
On 5 July 2018, the BoE, PRA and FCA published a joint discussion paper (DP) on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs). The authorities requested feedback by 5 October 2018.
13 August 2018
IAIS: Deadline for comments on Application Paper on Supervision of Insurer Cybersecurity
20 August 2018
FSB: Deadline for Responses to Consultation on a Cyber Lexicon
On 2 July 2018, the FSB published a draft Cyber Lexicon of 50 terms related to cyber security and cyber resilience in the financial sector for public consultation. The deadline for responding to the consultation is 20 August 2018.
The EBA conducted a hearing on the draft guidelines on outsourcing consultation paper which was published on 22 June 2018, and which will close on 24 September 2018.
4 September 2018
EBA: Public Hearing on the Draft Guidelines on Outsourcing
Key global and regional payment, clearing and settlement operators met at a roundtable in Paris to discuss cyber-security and the resilience of financial market infrastructures (FMIs) and the wider market ecosystem. The meeting was hosted by the Bank of France, and convened by CPMI and IOSCO.
14 September 2018
CPMI/IOSCO: Meeting on Global Cyber Resilience
In June 2018, the EBA launched a public consultation on its draft Guidelines on outsourcing which will update the existing CEBS Guidelines on outsourcing published in 2006. The revised Guidelines cover credit institutions and investment firms subject to the Capital Requirements Directive (CRD), but also payment institutions subject to the revised Payment Services Directive (PSD2) and electronic money institutions subject to the e-money Directive.
24 September 2018
EBA: Deadline for Responses to the Consultation on Draft Guidelines on Outsourcing
On 5 July 2018, the BoE, PRA and FCA published a joint discussion paper (DP) on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs). The authorities requested feedback by 5 October 2018.
5 October 2018
Bank of England, PRA & FCA: Response deadline for Discussion Paper on Building the UK Financial Sector’s Operational Resilience (PRA DP01/18 and FCA DP 18/4)
8 November 2018
IAIS: Final Application Paper on Supervision of Insurer Cybersecurity and Resolution to Public Comments
On Friday 9th November 2018, the BoE, FCA and HM Treasury with industry undertook a one-day exercise designed to test the financial sector’s resilience to a major cyber incident impacting the UK.
9 November 2018
Bank of England, FCA and HM Treasury: Cyber resilience exercise
The FSB has published a Cyber Lexicon, following public consultation (launched on 2 July 2018). The lexicon comprises a set of approximately 50 core terms related to cyber security and cyber resilience in the financial sector. The Cyber Lexicon is intended to support the work of the FSB, standard-setting bodies, authorities and private sector participants, e.g. financial institutions and international standards organisations, to address financial sector cyber resilience. An overview of the responses received to the public consultation exercise accompanies the publication of the Cyber Lexicon.
12 November 2018
FSB: Cyber Lexicon and overview of responses to public consultation published
The FCA has published the results of its survey of 296 firms during 2017 and 2018 to assess their technology and cyber capabilities; Megan Butler, FCA Executive Director of Supervision – Investment, Wholesale and Specialists, outlined the key findings at Bloomberg, London.
27 November 2018
FCA: Results of the Cyber and Technology Resilience Cross-sector Survey 2017/18; Megan Butler’s Speech at Bloomberg, London; and Infographic on responding to Ransomware
28 November 2018
International Conference of Banking Supervisors’ workshop on cyber-security and operational resilience
On 28 November 2018, Lyndon Nelson, Deputy CEO of the PRA and Executive Director of Regulatory Operations & Supervisory Risk Specialists at the Bank of England, chaired the International Conference of Banking Supervisors’ (ICBS’) workshop on cyber-security and operational resilience. Participants at the workshop discussed the specific challenges posed by cyber-risk as opposed to traditional operational risks, noting in particular that ‘taking a holistic view, the cyber dimension can be seen as one important element of operational resilience’. The workshop briefing paper sets out the key learnings to inform banks’ and supervisors’ activities; in summary, these are: a. ‘Basic cyber-hygiene issues still underlie the vast majority of successful cyber-attacks’; b. ‘A cyber-incident is a matter of “when” rather than “if”’; and c. ‘Cyber-security has both an operational and business impact.’ The paper concludes with an outline of the BCBS’s work on operational resilience.
Bank of England Deputy CEO and co-chair of the G7 Cyber Experts Group Lyndon Nelson delivered remarks on the stock-take of global cyber security regulatory initiatives to the IMF cyber security workshop.
5 December 2018
Bank of England: Lyndon Nelson speech at the IMF Cyber Security Workshop
10 December 2018
FCA: Wholesale banks and asset management cyber multi-firm review findings
In late 2017 and early 2018, the FCA carried out a cyber multi-firm review with a sample of 20 firms in the asset management and wholesale banking sectors. The main aim of the review was to assess how wholesale banking and asset management firms oversee and manage their cybersecurity, how far they identify and mitigate relevant risks and their current capability to respond to and recover from incidents and successful attacks. All the firms acknowledged the importance of strong cybersecurity. But there were different degrees of understanding of the many potential ways that weak cybersecurity could affect business activities and lead to harm to clients and the wider markets. This was particularly the case at the Board or Management Committee levels. Awareness is lower in firms that do not have a cyber-specific strategy and proportionate cyber risk framework, where cyber is not part of their broader risk management framework, and where their incident response plans take little account of non-technical consequences such as the impact to their reputation, clients and markets more broadly.
8 JANUARY 2018
MAS: Deadline for responses to Consultation on Proposed Payment Services Bill
1 MARCH 2018
IA: John Leung speech at the AsianInvestor 5th Insurance Investment Forum
12 JUNE 2018
HKMA: Letter to CEOs regarding the launch of C-RAF under the CFI
30 JUNE 2018
HKMA: Deadline for firms in first phase of C-RAF to have completed iCAST
6 SEPTEMBER 2018
MAS: Consultation on Notice on Cyber Hygiene
5 OCTOBER 2018
MAS: Deadline for responses to Consultation on Notice on Cyber Hygiene
MAS: Revised Guidelines on Outsourcing
3 OCTOBER 2018
MAS: CSAP Proposes Ways to Enhance Financial Sector Cyber Resilience
16 NOVEMBER 2018
SFC: Launch of Thematic Review of Remote Booking, Operational and Data Risk Management Practices
19 November 2018
MAS: Publication of MAS feedback to responses received to Consultation on Proposed Payment Services Bill
3 DECEMBER 2018
MAS: New S$30 million grant to enhance cybersecurity capabilities in financial sector
31 DECEMBER 2018
HKMA: Deadline for firms in second phase of C-RAF to have completed C-RAF Inherent Risk Assessment and Maturity Assessment
The Monetary Authority of Singapore (MAS) published a consultation on the proposed Payment Services Bill which MAS developed to streamline payment services under a single legislation and calibrate regulations according to the risks the activities pose by adopting a modular regulatory regime. The consultation includes proposals relating to specific risk mitigating measures for technology risk management. Responses to the consultation were requested by 8 January 2018.
The Hong Kong Insurance Authority (IA) published the keynote speech delivered by CEO John Leung at the AsianInvestor 5th Insurance Investment Forum. Mr Leung provided an update on the developments in Hong Kong’s insurance regulatory framework since the IA took over the regulatory functions of the former Office of the Commissioner of Insurance in 2017. With regard to cybersecurity, Mr Leung remarked that alongside the tremendous increase in digital connectivity and more widespread applications of InsurTech, insurers were being exposed to an ever-rising level of cyber threat. He explained that, “cyber risk management should be high on the agenda of Board meetings so as to instil a strong sense of importance and urgency among the staff at every level in managing cyber risks properly and strengthening the resilience of the company and its IT structure in facing the growing challenges.”
On 12 June 2018, the Hong Kong Monetary Authority (HKMA) wrote to the CEOs of all authorized institutions (AIs) to provide additional information regarding the implementation of the Cyber Resilience Assessment Framework (C-RAF) under the Cybersecurity Fortification Initiative (CFI). The letter set out the phased approach to implementation of the C-RAF.
The Hong Kong Monetary Authority (HKMA) launched the first phase of implementation of the Cyber Resilience Assessment Framework (C-RAF) under the Cybersecurity Fortification Initiative (CFI) in December 2016. 30 authorized institutions (AIs), including all the major retail banks, were requested to complete the C-RAF Inherent Risk Assessment and Maturity Assessment by end-September 2017 and the Intelligence-led Cyber Attack Simulation Testing (iCAST) by end-June 2018.
The Monetary Authority of Singapore (MAS) published a consultation on a proposed Notice on Cyber Hygiene which prescribes a set of essential cyber security practices that financial institutions (FIs) must put in place to manage cyber threats. Responses to the consultation were requested by 5 October 2018.
At its second annual meeting, the Cyber Security Advisory Panel (CSAP) of the Monetary Authority of Singapore (MAS) provided insights and suggestions on how Singapore’s financial sector can harness the benefits of new technologies while remaining cyber resilient. Among the key issues discussed was the increasing use of cloud services by financial institutions (FIs). CSAP suggested that small and medium-sized FIs can improve their cybersecurity posture by using reputable cloud solution providers that have strong cybersecurity capabilities. CSAP also acknowledged concerns about concentration risk arising from a growing number of financial services relying on a limited pool of cloud service providers.
The Monetary Authority of Singapore (MAS) issued revised Guidelines on Outsourcing. These guidelines set out MAS’ expectations of a financial institution that has an outsourcing arrangement or is planning to outsource its business activities to a service provider. The guidelines cover:
• Engagement with MAS on outsourcing.
• Sound practices on risk management of outsourcing arrangements.
• Cloud computing.
The Hong Kong Securities and Futures Commission (SFC) launched a thematic review of selected licensed corporations (LCs) to assess their risk governance and oversight framework as well as their risk management practices. The review comprises three work streams focusing on the underlying risks of LCs’ remote booking models, operational risk and data risk, with the aim of providing further guidance for LCs to cope with these evolving risks.
The Monetary Authority of Singapore (MAS) announced the launch of a new S$30 million Cybersecurity Capabilities Grant to strengthen the cyber resilience of the financial sector in Singapore and help financial institutions develop local talent in cybersecurity. The Grant, funded under the Financial Sector Technology and Innovation Scheme (FSTI), will support the development of advanced cybersecurity functions in Singapore-based financial institutions.
27 July 2018
SFC: Most Requirements under the Guidelines to Reduce and Mitigate Hacking Risks Associated with Internet Trading Take Effect
The Hong Kong Securities and Futures Commission (SFC) released Guidelines to Reduce and Mitigate Hacking Risks Associated with Internet Trading (Guidelines), issued under section 399 of the Securities and Futures Ordinance. The Guidelines set out 20 baseline preventive, detective and other control requirements for the industry to improve cybersecurity resilience. One key control, the implementation of two-factor authentication for clients logging in to their internet trading accounts, takes effect on 27 April 2018, while all other requirements take effect on 27 July 2018. The SFC also published Frequently Asked Questions to provide further guidance on the implementation of the Guidelines.
7 MARCH 2018
APRA: Consultation on new Prudential Standard CPS 234 Information Security
July 2018
APRA: Short topic paper 3 – financial requirements, operational risk and outsourcing
APRA: Information Paper on outsourcing involving cloud computing services
7 November 2018
APRA: Prudential Standard CPS 234 Information Security
The Australian Prudential Regulation Authority (APRA) has released the final version of its prudential standard focused on information security management. The new Prudential Standard CPS 234 Information Security requires APRA-regulated entities to:
- clearly define information security-related roles and responsibilities;
- maintain an information security capability commensurate with the size and extent of threats to their information assets;
- implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of those controls; and
- promptly notify APRA of material information security incidents.
The Australian Prudential Regulation Authority (APRA) has released updated information on the use of shared computing services, such as cloud, by APRA-regulated entities. The new Information Paper, Outsourcing involving cloud computing services, updates information on prudential considerations and key principles issued to APRA-regulated entities in July 2015.
As part of the post-implementation review (PIR) of the Australian Prudential Regulation Authority’s (APRA’s) superannuation prudential framework, APRA published a number of short topic papers. This topic paper solicits feedback on whether the prudential standards (including guidance material) and reporting standards have achieved their objectives and remain fit for purpose. Formal written submissions to the review were requested by 26 September 2018.
The Australian Prudential Regulation Authority (APRA) released for consultation a discussion paper on the introduction of a new cross-industry framework for the management of information security. The proposed requirements are specified in the draft Prudential Standard CPS 234 Information Security (draft CPS 234). Written submissions on the proposals set out in the discussion paper were accepted until 7 June 2018.
24 APRIL 2017
FCA: Nausicaa Delfas speech on cyber security at the Financial Information Security Network
The FCA has published remarks made by Nausicaa Delfas, Executive Director at the FCA, at the Financial Information Security Network regarding the current cyber threat landscape.
15 JUNE 2017
FCA: Good Cyber Security Foundations Guide
The FCA has published an infographic setting out the foundations for good cyber security.
27 JULY 2017
EBA: Final Guidelines on Major Incident Reporting under PSD2
31 AUGUST 2017
BCBS: Consultation on the Development of Sound Practices on the Implications of FinTech Developments for Banks and Bank Supervisors
The BCBS has released a consultative document on the implications of fintech for the financial sector. The consultation assesses how technology-driven innovation in financial services, or "FinTech", may affect the banking industry and the activities of supervisors in the near to medium term. Various future potential scenarios are considered, with their specific risks and opportunities. In addition to the banking industry scenarios, three case studies focus on technology developments (big data, distributed ledger technology, and cloud computing) and three on fintech business models (innovative payment services, lending platforms and neo-banks). The BCBS has identified 10 key observations and related recommendations for consideration by banks and bank supervisors. Feedback is requested by 31 October 2017.
21 SEPTEMBER 2017
IOSCO’s Growth and Emerging Markets (GEM) Committee Annual Meeting and Conference Cyber Resilience Workshop
The IOSCO GEM Committee Annual Meeting and Conference was a two-day event attracting over 300 participants from 50 jurisdictions. During the Conference, the GEM Committee conducted a cyber simulation exercise developed in collaboration with market experts to strengthen regulatory capabilities and preparedness in tackling cyber threats. The regulatory workshop provided participants with a better understanding of key cyber developments, risks and threats impacting global financial markets. The workshop also analysed scenarios and outlined measures to strengthen mechanisms, protocols and responses of regulators.
The FSB’s report presents conclusions from a stocktake of cybersecurity regulations, guidance and supervisory practices, which was delivered to the October 2017 meeting of G20 Finance Ministers and Central Bank Governors in Washington, DC. The stocktake was requested by the G20 at its March 2017 meeting in Baden-Baden. The summary report was published together with a detailed analysis of the results of the stocktake. The reports were informed by a survey of FSB member jurisdictions and international bodies. The summary report also sets out key themes raised at an FSB workshop in September that brought together public and private sector participants to discuss cybersecurity in the financial sector.
31 October 2017
20 December 2017
EBA: Final Report on Recommendations on Outsourcing to Cloud Service Providers
FSB: Summary Report and Analysis on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices
4 MAY 2017
SFC: Speech by Ms Julia Leung on Supervision in a Time of Change
15 MAY 2017
SFC: Circular to all LCs on Ransomware Threats
17 MAY 2017
IA: Letter to CEOs of all authorized insurers regarding sharing intelligence on cybersecurity
20 SEPTEMBER 2017
MAS: New International Advisory Panel for Cyber Security
30 SEPTEMBER 2017
HKMA: Deadline for firms in first phase of C-RAF to have completed C-RAF Inherent Risk Assessment and Maturity Assessment
20 NOVEMBER 2017
MAS: Consultation on Proposed Payment Services Bill
The Hong Kong Securities and Futures Commission (SFC) published the remarks of Ms Julia Leung, Executive Director, Intermediaries at the Hong Kong Securities and Investment Institute’s Senior Leader Programme. Ms Leung highlighted the SFC’s priorities in her remarks: “While cybersecurity is a recurrent theme in our reviews, a review we began last October following a spate of hacking incidents specifically targeted the resilience of internet brokers to hacking risks. With a view to identify baseline cybersecurity controls, we sent out a questionnaire on the current practices … We then selected a number of firms for deep-dive inspections. In tandem, we benchmarked our regulatory requirements and market practices with those overseas … we held industry workshops in January to share our findings and also soft-consulted the industry on proposed baseline requirements on which we aim to issue a consultation paper later this month.”
The Hong Kong Securities and Futures Commission (SFC) issued an alert to all Licensed Corporations (LCs) in the wake of the WannaCry ransomware attacks. The alert highlighted the preventative measures which LCs should take, and also reminded LCs to report to the SFC immediately upon the occurrence of any material cybersecurity incident including ransomware attacks.
The Commissioner of Insurance wrote to CEOs of all authorized insurers regarding the Cybersecurity Intelligence Sharing Platform (CISP). The letter advises that to enhance cybersecurity resilience of the insurance sector, the Hong Kong Federation of Insurers (HKFI) is collaborating with the Hong Kong Applied Science and Technology Research Institute (ASTRI) to launch the CISP. The Commissioner encourages all authorized insurers to join the CISP.
The Monetary Authority of Singapore (MAS) announced that it has established a Cyber Security Advisory Panel (CSAP), comprising cyber security thought leaders from around the world. The CSAP will advise MAS on strategies to enhance the cyber resilience of Singapore’s financial sector. Specifically, CSAP will provide MAS with global perspectives on evolving technologies and cyber threats and their implications for financial services, as well as insights on best practices in cyber security strategies.
The Monetary Authority of Singapore's (MAS) Cyber Security Advisory Panel (CSAP) discussed strategies to enhance the cyber resilience of Singapore’s financial sector, at its inaugural meeting on 5-6 October. The discussions covered areas ranging from regulatory guidance, supervision, and surveillance to information sharing and capability development. CSAP members agreed that having strong basic cyber hygiene practices was fundamental in securing cyber resilience. They also suggested that it was important to strengthen the competency and capability of the boards of financial institutions to exercise effective oversight of cyber risk management.
MAS: CSAP Discusses Strategies to Enhance the Cyber Resilience of Singapore’s Financial Sector
SFC: Circular to Licensed Corporations Engaged in Internet Trading – Implementation of the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading
7 October 2017
13 October 2017
27 October 2017
1 JULY 2017
APRA: CPS 231 Outsourcing in force
30 NOVEMBER 2017
ASIC: Report 555 – Cyber resilience of firms in Australia's financial markets
Promulgated by the Australian Prudential Regulation Authority (APRA), this Prudential Standard requires that all outsourcing arrangements involving material business activities entered into by an APRA-regulated institution and a Head of a group be subject to appropriate due diligence, approval and ongoing monitoring. All risks arising from outsourcing material business activities must be appropriately managed to ensure that the APRA-regulated institution, or the group it heads, is able to meet its financial and service obligations to its depositors and/or policyholders.
The Australian Securities and Investments Commission (ASIC) published a report on the cyber resilience of over 100 firms operating across Australia's financial markets. Key insights included:
- there is a growing understanding that cyber risk is a strategic, enterprise-wide issue that is on all organisations’ radars and is attracting increasing investment;
- the disparity between large firms and small and medium firms reflects their investment in cyber security, the length of time cyber security has been an investment priority, and their ability to acquire highly specialised skills;
- larger firms have demonstrated a relatively high degree of cyber resilience; and
- small and medium firms are working towards developing their cyber resilience by investing in cyber security, but there is a long way to go.
The Australian Prudential Regulation Authority (APRA) updated its schedule of policy priorities for the remainder of 2021 in September 2021. Under the revised schedule, several policy releases originally scheduled for 2021 were deferred. APRA indicated that it planned to consult on operational resilience standards in 2022; standards are expected to be effective in 2024.
1 JANUARY 2024
APRA: New prudential standard on operational resilience comes into effect
The Australian Prudential Regulation Authority (APRA) consulted on a new prudential standard designed to strengthen the management of operational risk in the banking, insurance and superannuation industries in July 2022. The standard replaces the five existing standards relating to business continuity and outsourcing.
31 March 2025
BoE, FCA and PRA: Conclusion of transitional phase for operational resilience requirements
31 March 2026
HKMA: Operational resilience deadline
In May 2022, the Hong Kong Monetary Authority (HKMA) finalised its new Supervisory Policy Manual (SPM) module OR-2 Operational Resilience and revised SPM module TM-G-2 Business Continuity Planning. The modules implement the Basel Committee on Banking Supervision’s (BCBS's) Principles for Operational Resilience (POR) issued in March 2021. HKMA expects every authorised institution to have:
- developed its operational resilience framework and determined the timeline by which it will become operationally resilient within one year after module OR-2 is issued (ie, by 31 May 2023); and
- become operationally resilient as soon as its circumstances allow and no later than three years after the initial one-year planning period (ie, by 31 May 2026).