In light of increasingly sophisticated cyber attacks, technology advancements, more complex ecosystems and impending regulations, firms should be prepared for unexpected disruptions and strive to protect their stakeholders and their businesses. They can do so by developing operational resilience.
Operational resilience means being able to protect systems that support business services and quickly rebound in the face of threats and disruptions. Financial services firms that want to build financial resilience should improve their operational resilience as well. In fact, their financial resilience depends on it.
“Operational resilience refers to the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions.”—
Why is operational resilience important for financial services firms?
First and foremost, there are strong signs of impending regulations that would require firms to become operationally resilient across the enterprise as a whole. Under existing legislation, firms are already responsible to their customers, shareholders and the overall economy in terms of cybersecurity, risk management and outsourcing.
The Bank of England and the European Banking Authority have both issued discussion papers on the topic and are working towards introducing legislation that aims to improve resilience across the industry in a holistic way. Other regulators across the globe are expected to follow suit. Regulators are reviewing three key areas:
- The growing interconnectedness between financial services institutions and third-party providers.
- The increasing sophistication in cyber attacks on individual financial services institutions and entire markets.
- The dependence on an increasingly concentrated group of providers.
Additional regulations should also require evidence of firms’ resilience. Firms that fail to comply may have to absorb significant financial losses caused by large disruption events, such as a major security breach.
A second factor driving the need for stronger operational resilience is the current industry environment. The pace of change and the pressure to meet shifting customer expectations more quickly, combined with increasingly complex ecosystems, increase firms’ risk of service outages and security breaches. The quality data that is so key to enterprise competitiveness is now exposed to a growing number of cyber attacks and breaches and is thus more likely to be compromised, putting customers and the firms that serve them at great risk. Disaster recovery becomes paramount.
Finally, financial services institutions are increasingly vulnerable to an escalating number of security attacks. A 2018 State of Cyber Resilience study across 19 industries and 15 countries found that the number of cyber attacks on surveyed firms doubled in 2018. One in seven attacks on banking and capital markets firms were successful.1 One in five attacks on insurers were successful.2 These attacks are often difficult to identify, so considerable damage can be done in a short amount of time. Due to social media, word about a breach can spread quickly, affecting a firm’s reputation and, potentially, its bottom line.
A two-fold approach to current challenges
Implementing operational resilience requires firms to plan for and mitigate these threats while at the same time complying with new regulations and protecting their financial foundation. In my next blog post, I’ll share a framework for implementing resilience, not only operationally but across the entire enterprise, and highlight some common roadblocks leaders should be aware of.