07 May Crisis Management
While crisis management is not an explicit part of the Operational Resilience regulations released on March 29, 2021 by the UK financial regulators, crises, or rather the avoidance of crises, are the key motivator behind the new regulation. There have been several operational crises within the industry in recent years, perhaps the most memorable being the TSB IT migration incident in 2018, which lasted over 2 weeks and impacted all of their 1.9 million customers. These are exactly the events the Policies are trying to mitigate.
Unfortunately, the laws of probability suggest that, despite multiyear programmes to implement the requirements of the regulations, the industry will never be a crisis-free zone. After all, if 2020 taught us anything, it is the need to prepare for the unexpected. Crises will continue to be inevitable, although the regulations seek to reduce both their number and severity. Firms cannot put their crisis management exercising programmes on the back burner and assume that the scenario testing requirements of the regulations are all that is necessary to build resilience.
Crisis management exercises are far from a new concept, and the banking sector has some of the most mature programmes, with multiple simulation exercises running every year internally, supplemented by cross-sector SIMEX exercises run by the Bank of England. So, what is next for firms' well-established crisis management programmes? How do firms ensure that their crisis management capabilities mature in line with the Operational Resilience regulations?
In recent years, crisis management scenarios have increasingly focused on cyber, as it features consistently among firms' top strategic risks. It is also a key priority for the regulators, given the rapidly developing threat and our growing dependency on technology. Whilst these exercises may be run by in-house crisis management functions, or assisted by specialist firms and consultants, it is very rare for other key advisors or external parties to participate.
Our collective experience of assisting in live cyber and operational crises suggests that the external parties who would add the most value to these exercises are the triad of external advisors that many firms have depended upon during cyber crises: communications specialists, legal advisors, and cyber incident response specialists. This triad of advisors works together to resume operations, provide updates to customers, suppliers, and investors, and manage potential legal repercussions, with the aim of reducing reputational damage and the overall cost of the crisis.
Many of the organisations that fill these three roles work regularly together, even more so following the lockdown of March 2020, when we saw a huge spike in cyber-attacks as criminals took advantage of vulnerabilities in firms' hastily implemented remote work solutions. Whilst the advisors may be familiar with each other, firms who find themselves in the middle of a cyber-attack have often never previously engaged with these teams, even though they are often selected from the cyber insurer's panel of approved suppliers. Time is of the essence during a crisis, and the time taken for these advisers to embed themselves and become useful is avoidable if firms proactively engage them in their crisis management exercising programmes and draw on their experience of handling many major crisis events.
The regulators are also keen for another set of external parties to be engaged in firms' crisis management programmes: their critical third parties and suppliers. Historically, firms have found gaining assurance over their supply chain's resilience extremely hard, relying on on-site audits at best and, at worst, a supplier's word and contractual SLAs. With the rise of supply chain cyber-attacks, most notably the 2020 SolarWinds attack, which is estimated to cost cyber insurers between $50 and $100 million, it is understandable why third parties feature so heavily in the regulations.
The responsibility for oversight of Financial Market Infrastructure (FMI) has long been contested between the regulators and firms, but the regulation places an expectation on firms to gain assurance over these common third parties. Firms should seek to jointly test crisis management capabilities with FMI and other critical third parties, to test assumptions and dependencies on both sides of the fence. Unfortunately, the likelihood of getting these firms to the table will come down to which party has the most power; in the case of the FMIs, a collaborative, industry-led approach is likely to be the most successful way of achieving this. As with anything involving building trust between two parties, it is unlikely to happen overnight, and it is therefore something firms should be focusing on now in order to meet the regulatory deadlines set for 2022 and beyond.