
Operational Resilience: How Financial Services Firms Are Adapting to a New Regulatory Landscape

The regulators are circling, and operational resilience is in their sights.

Thanks to new rules at a European and national level, the UK’s financial services firms are under growing scrutiny to withstand, respond to and recover from serious digital disruptions. But reports suggest that many are still struggling to meet strict new requirements, especially those imposed by the EU’s Digital Operational Resilience Act (DORA).  

To help shine a light on the topic, Orange Cyberdefense recently hosted a RANT roundtable for 12 senior cybersecurity leaders. 

There’s no doubt why regulators are focusing on operational resilience in the sector, according to Ben Gibbins, Managing Principal at Orange Cyberdefense. “The main driver is the geopolitical landscape … state actors that seek to do us harm,” he said.   

Brian McCaffrey, Global Head of Threat Intelligence at Schroders Investment Management, agreed, pointing to the growing list of UK firms that have had critical digital services knocked out by cyber-attacks. “JLR, M&S, Harrods. So many mature organisations are being hit, we need to practice resilience,” he said. “Where are you all on the journey, because it’s not a case of ‘if’ but ‘when’?” 

Redundancy and Complexity

One of the key requirements of DORA is for financial services firms to use multiple service/IT providers, to spread their risk. “It’s clear they’re concerned about having a single third-party providing lots of organisations with a critical business process. But is it actually feasible to have multi-level redundancy?” asked Orange Cyberdefense’s Gibbins. 

Attendees were divided on the issue, although there was much discussion and anxiety around the table about the potential single point of failure created by identity and access management systems – specifically Active Directory. “If they have AD, we’re in serious trouble,” said one attendee, describing a theoretical breach.

Schroders’ McCaffrey argued that not just financial pressure but also complexity is proving a barrier to achieving true multi-level redundancy.

“If you’re talking about a multi-tenancy, multi-cloud platform, you’re spreading that complexity,” he argued. “A big part of the problem for financial organisations is the complexity of both shutting systems down to contain [the threat] and modularising them to restore.” 

It’s Good to Talk

Close dialogue and collaboration with the business is essential if security leaders are to succeed in building a more resilient organisation, especially during an incident. But this is sometimes hampered by mutual misunderstanding, McCaffrey continued.  

“Infosecurity is a conduit between technology and the business but sometimes we talk a language they don’t understand,” he argued. “That’s where tabletop exercises can help. Proving the theoretical challenges an organisation can have.” 

Another participant shared that they use a “two-in-the-box” model, where each service has a tech and a business owner, in order to help break down the “walls of misunderstanding.”

Mitigating Emerging AI Risk

Even if IT and business leaders understand each other, there are significant technology hurdles to overcome in the pursuit of operational resilience, participants agreed. The relationship between IT and the business is changing fast, thanks to the emergence of AI – built and managed by IT, but capable of making autonomous business decisions. It represents a potential operational risk if model outputs are maliciously altered to impact critical internal or customer-facing services.

At least one senior security leader around the table said they were building an assessment process for every AI use case, tracking the interactions of AI within processes. “If it meets a certain risk threshold we do pen testing of that AI use case and are trying to push towards more automated security testing … and model validation,” he said. “But keeping track of all the AI use cases is the first challenge.” 

Another shared that he tries to keep ahead of new business demands by proactively looking into areas of emerging technology, such as how to “advance the traditional SDLC to support AI development”. He added: “I need to be proactive about this because when the business comes and says it wants to do something, it needs to know there’s a safety net there.” 

Proportionality is important when assessing these kinds of operational risk, argued Schroders’ McCaffrey. That means understanding whether a serious incident is likely to occur today, or whether it is still some years away.
The Challenges of Supply Chain Risk Management

A critical focus for DORA, and the FCA, is third-party risk management. “There’s an expectation of having visibility into your supply chain and continuous monitoring. But to really do third-party risk management properly and reduce the risk will be really resource intensive,” argued Orange Cyberdefense’s Gibbins. 

At least one attendee argued that such efforts are complicated by the reluctance of suppliers and partners to share sensitive information with each other. “If you upload all your security information into this ‘portal’, is it secure? And where is it being shared?” asked another. A third wondered if there may also be a risk involved in sharing sensitive supplier information with regulators. This kind of information could help a threat actor work out which businesses they can target to disrupt a large section of the financial services sector, he argued.

“Is there not a risk of putting all that information in one place? If [key suppliers] were taken out, it may take out 20-30% of the UK’s financial industry. That would be a valuable list,” he said. 

It was widely agreed that continuous visibility into supply chains is vital to appease regulators and manage risk, and that it is possible to obtain critical information in certain circumstances. One CISO explained that he had a small supplier which allowed his company to monitor its datacentre directly, because his firm was “critical” to their business. Off-the-record discussions are a useful way to build trust with partners and suppliers, he added.

“You have to be partners. It can’t just be transactional,” the security leader said. 

Proportionality was again mentioned as key: in this case, to ensure that the level of visibility and control organisations seek to gain over their suppliers is balanced against the criticality of the services those suppliers offer. “There’s a point where you just accept there’s risk. I can’t spend my life worrying what those risks are,” said one CISO.
Be Prepared

The FCA urges financial services firms to “expect the unexpected and be prepared to maintain their services in all severe but plausible scenarios to prevent intolerable harm”. Judging by the response of CISOs in the sector, there may be some bumps in the road as they continue this journey. But the direction of travel is clear.  

“The consistent message from regulators is: ‘it’s not enough to prevent incidents from occurring,’” said Orange Cyberdefense’s Gibbins. “They will occur, and we need to respond when they do.” 
