The Bank of England and the Financial Policy Committee (FPC) have for some time been focused on end-to-end Operational Resilience – this is not about being able to evidence the recovery of a system out-of-hours in a controlled DR / BCP test scenario.
This is about understanding the end-to-end value chain both within the regulated perimeter (banks, insurance companies, fund managers, exchanges, clearing houses etc.) and third-parties that sit outside this perimeter but provide and/or support critical services to these regulated entities.
It’s about understanding the complex inter-connected dependencies and potential impact to the real economy. In this respect, Payments, Clearing, Settlement and Custody & Safekeeping functions are a significant area of interest given the systemic risk and potential impact.
What We Did
The Bank and the FPC have a detailed view on institutions that operate within the regulated perimeter. TORI was engaged to analyse third-party vendors and service suppliers that are critical to the functioning of regulated firms. As part of this analysis, TORI performed the following steps:
- Documented the landscape of third-party suppliers that support Payments, Settlement, Clearing and Custody & Safekeeping functions (PCSC)
- Identified where there is concentration risk amongst third-party suppliers
- Identified the dependencies at a process level between regulated PCSC functions and those unregulated third-parties
- Provided a broad assessment of the cyber-resiliency across the third-party firms
Outcomes & Results
- One of the key aims of the analysis was to establish the relationship between regulated firms providing PCSC functions, and those unregulated third-party suppliers providing services to PCSC firms.
- We also highlighted maturity levels vis-à-vis Operational Resilience and Cyber Security, as well as setting out key considerations and industry best practice to underpin the baseline analysis.